On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and the General Data Protection Regulation (“GDPR”).

The EDPB highlights that the ePrivacy Directive specifies and complements the GDPR:

  • Specifies: The ePrivacy Directive is the lex specialis to the GDPR, meaning that wherever it provides a “special rule” for the processing of personal data that is more specific than general rules of the GDPR, it takes precedence over the GDPR.
  • Complements: Some provisions of the ePrivacy Directive may supplement the GDPR so as to protect not only natural persons, but also legal persons.

Enforcement Authority for the GDPR and ePrivacy Directive

The GDPR is enforced by the independent SAs in each of the Member States. By contrast, the ePrivacy Directive allows Member States to assign a competent body for its enforcement. Where enforcement of these two regimes intersects, the EDPB makes a few points clear:

  • The ePrivacy Directive gives Member States flexibility as to which national body to entrust with its enforcement – some have entrusted this to an SA, but others not. If a Member State enacts a law authorizing its SA to enforce the ePrivacy Directive, that law should also determine the tasks and powers of the SA in that context. The SA cannot simply exercise its GDPR powers when enforcing the ePrivacy Directive, because these powers are tied to GDPR enforcement.
  • The ePrivacy Directive also gives Member States discretion with respect to penalties.
  • If a Member State empowers a body other than an SA to enforce the ePrivacy Directive, then national procedural law will determine what an SA should do if/when it receives complaints that deal with provisions of the ePrivacy Directive.

Enforcement Considerations

The EDPB notes that while personal data processing may trigger the material scope of the ePrivacy Directive, it will likely involve additional aspects that do not fall under the ePrivacy Directive, in which case the GDPR still applies.

For example, while the ePrivacy Directive does contain a special rule for the collection of personal data by accessing information on a user’s terminal equipment (e.g., via website cookies), it does not contain a special rule for any prior or subsequent processing of that personal data. Therefore, data protection authorities are competent to assess the lawfulness of all other processing that would occur before or after the activities governed by the ePrivacy Directive’s special rules. More specifically, such processing must have a separate legal basis in the GDPR.  So while the collection of any personal data by means of cookies would have to be based on an ePrivacy consent, the subsequent use of this personal data could be based on the GDPR’s legitimate interest legal basis.  This has been a contentious point for some time.

Cooperation and Consistency Mechanisms

Finally, with regards to the cooperation and consistency mechanisms under Chapter VII of the GDPR, the EPDB plainly states that these concern the monitoring and application of GDPR. These mechanisms do not apply to the enforcement of national ePrivacy rules.

In closing, the EPDB again reiterates its plea to the European Commission, Parliament and Council to finalize the adoption of the ePrivacy Regulation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.