On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and the General Data Protection Regulation (“GDPR”).
The EDPB highlights that the ePrivacy Directive specifies and complements the GDPR:
- Specifies: The ePrivacy Directive is the lex specialis to the GDPR, meaning that wherever it provides a “special rule” for the processing of personal data that is more specific than general rules of the GDPR, it takes precedence over the GDPR.
- Complements: Some provisions of the ePrivacy Directive may supplement the GDPR so as to protect not only natural persons, but also legal persons.
Enforcement Authority for the GDPR and ePrivacy Directive
The GDPR is enforced by the independent SAs in each of the Member States. By contrast, the ePrivacy Directive allows Member States to assign a competent body for its enforcement. Where enforcement of these two regimes intersects, the EDPB makes a few points clear:
- The ePrivacy Directive gives Member States flexibility as to which national body to entrust with its enforcement – some have entrusted this to an SA, but others have not. If a Member State enacts a law authorizing its SA to enforce the ePrivacy Directive, that law should also determine the tasks and powers of the SA in that context. The SA cannot simply exercise its GDPR powers when enforcing the ePrivacy Directive, because these powers are tied to GDPR enforcement.
- The ePrivacy Directive also gives Member States discretion with respect to penalties.
- If a Member State empowers a body other than an SA to enforce the ePrivacy Directive, then national procedural law will determine what an SA should do if/when it receives complaints that deal with provisions of the ePrivacy Directive.
Enforcement Considerations
The EDPB notes that while personal data processing may trigger the material scope of the ePrivacy Directive, it will likely involve additional aspects that do not fall under the ePrivacy Directive, in which case the GDPR still applies.
For example, while the ePrivacy Directive does contain a special rule for the collection of personal data by accessing information on a user’s terminal equipment (e.g., via website cookies), it does not contain a special rule for any prior or subsequent processing of that personal data. Therefore, data protection authorities are competent to assess the lawfulness of all other processing that would occur before or after the activities governed by the ePrivacy Directive’s special rules. More specifically, such processing must have a separate legal basis in the GDPR. So while the collection of any personal data by means of cookies would have to be based on an ePrivacy consent, the subsequent use of this personal data could be based on the GDPR’s legitimate interest legal basis. This has been a contentious point for some time.
Cooperation and Consistency Mechanisms
Finally, with regard to the cooperation and consistency mechanisms under Chapter VII of the GDPR, the EDPB plainly states that these concern the monitoring and application of the GDPR. These mechanisms do not apply to the enforcement of national ePrivacy rules.
In closing, the EDPB reiterates its plea to the European Commission, Parliament and Council to finalize the adoption of the ePrivacy Regulation.