The European Data Protection Board has addressed a question near and dear to the hearts of privacy pros everywhere: What happens when both the ePrivacy Directive (which most of us expected to be repealed and replaced by now) and the General Data Protection Regulation both apply to your data processing? The opinion was written to aid in enforcement decisions by data protection authorities, but also serves to inform data controllers on how to manage those areas of legislative overlap and seemingly conflicting provisions.
Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities came about in response to the Belgian Data Protection Authority’s request for guidance on the matter. The DPA basically asked the following: Can DPAs exercise their authority in matters covered by both the ePD and the GDPR? And if so, should they pay attention to the ePD when enforcing the GDPR? And, basically, how is that all supposed to work?
Prior to addressing enforcement directly, the EDPB in its response clarifies when each law applies, calling out specific provisions and using examples. It goes over the use of the term “particularise” in the ePD in detail, noting the “ePrivacy Directive expressly provides that ‘the provisions of this Directive particularise and complement [the GDPR] (…)’”
In this context, the EDPB says organizations should rely on the principle lex specialis derogate legi generali, “special provisions prevail over general rules in situations which they specifically seek to regulate.” In other words, “In situations where the ePrivacy Directive ‘particularises’ (i.e. renders more specific) the rules of the GDPR, the (specific) provisions of the ePrivacy Directive shall, as ‘lex specialis’, take precedence over the (more general) provisions of the GDPR.”
The EDPB also offers insight on the “complementary” aspect of the ePD, noting that while the GDPR applies only to protect natural persons, the ePD also protects legal persons.
The ePD leaves it to member states to determine the competent authority or authorities to enforce the directive. The GDPR gives local data protection authorities enforcement powers over the provisions in the GDPR. Therefore, it’s not necessarily true that enforcement of these rules falls under the same entity in any given member state. What happens when an enforcement action is covered by both rules, and a member state has designated an enforcement body other than the DPA for the ePD? Is the DPA limited in its ability to enforce?
No, says the EPDB: “Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR.” The EDPB goes further to note that in these cases, the DPA must justify its enforcement on the specific provisions of the GDPR unless national law has designated it as the ePD enforcer.
Which leads to the next question: Can a DPA enforce the ePD? Unless the DPA is the designated enforcement body of the ePD, it may not enforce provisions that fall only within the confines of the ePD. In that case, the authoritative body (or bodies) designated by the national law implementing the ePD would be solely responsible for enforcement.
Lastly, the GPDR contains cooperation and consistency mechanisms to facilitate enforcement by DPAs throughout the EU. Consistent with the rest of the EDPB opinion, the board is clear in stating that these mechanisms exist only when enforcement is justified by the GPDR, and not when enforcing the ePD — unless, of course, member state laws implementing the ePD include similar mechanisms. The warning offered to DPAs — particularly those that are tasked with enforcing both the GDPR and the ePD — is watch your “line[s] of communication.”
When enforcing based on GDPR, use the communication methods outlined in Chapter 7 of the GDPR; when enforcing ePD, “The discretionary ‘line of communication’ may be used by data protection authorities in the context of their distinct enforcement powers granted by the national transposition of the ePrivacy Directive and only insofar as the procedure aims to respond to infringements of national ePrivacy rules governing the specific behaviours regulated by the ePrivacy Directive.”