On 10 January 2017, the EU Commission issued a proposal for a Regulation on the respect for private life and the protection of personal data in electronic communications ("e-Privacy Regulation") which aims to replace the current legal framework established under Directive 2002/58/EC ("e-Privacy Directive").
The e-Privacy Directive, as implemented into the national legislations of the EU Member States, provides special privacy rules for electronic communications services and therefore regulates activities such as the use of cookies and unsolicited electronic communications.
The proposal for the e-Privacy Regulation intends to further harmonize the rules on electronic communications across all Member States by defining better and clearer rules on tracking technologies, in particular by taking into account the principles and requirements deriving from the General Data Protection Regulation 2016/679 ("GDPR").
In terms of timing, the EU institutions were initially aiming to adopt the e-Privacy Regulation by 25 May 2018, i.e. the date of entry into application of the GDPR. This was then post-poned until the end of 2018. This timing would have established a comprehensive framework on the matter at hand. However, the adoption of the e-Privacy Regulations has taken longer than expected due to the huge economic and financial stakes at hand. Indeed, discussions are still ongoing within the Council and the proposal has not made it yet to the first reading at the Parliament.
Meanwhile, following a request from the Belgian data protection authority, the European Data Protection Board ("EDPB") adopted on 12 March 2019 Opinion 5/2019 on the interplay between the e-Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities ("Opinion").
The Opinion recalls that certain processing activities may fall within the material scope of application of both the e-Privacy Directive and the GDPR. The EDPB nevertheless emphasises that, in accordance with the adage lex specialis derogat legi generali, the general rules set out in the GDPR shall apply in the absence of specific provisions governing a particular processing operation or set of operations, in particular in relation to the rights granted to data subjects.
Furthermore, the Opinion recalls that the GDPR itself recognizes the complementary role of the e-Privacy Directive in its Article 95 which states that the GDPR should not impose additional obligations on electronic communications service providers which are subject to specific obligations with the same objective set out in e-Privacy Directive. A concrete example of such potentially duplicated obligations would be in case of personal data breach notification obligations as prescribed under both legal instruments. The result of applying Article 95 of the GDPR is that once a breach notification is made under the e-Privacy Directive (as implemented into national law), there is no need for a separate data breach notification under the GDPR.
The EDPB finally states that where a subset of a processing falls within the scope of the e-Privacy Directive, this does not necessary limit the competence of data protection authorities as set out under the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
