sdecoret -

Mind the overlap between GDPR and ePD, warns privacy lawyer

Organisations need to be aware of the overlaps between European data protection and privacy rules, and which takes precedence, a privacy lawyer warns

Understanding the interplay between the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) is more difficult than most organisations realise, according to Eduardo Ustaran, partner and global co-head of the privacy and cyber security practice at law firm Hogan Lovells.

However, he said the European Data Protection Board (EDPB) of supervisory authorities from each of the member states has published an opinion setting out the relationship between the GDPR and ePD that has “skilfully joined the dots”.

Publication of the EDPB’s opinion was in response to a request by the Belgian Data Protection Authority for greater clarity around the interplay between the two laws, particularly the competence, tasks, and powers of data protection authorities (DPAs).

According to an article summarising the EDPB opinion, by Ustaran and Elizabeth Campion, a knowledge paralegal at Hogan Lovells, the GDPR and the ePD have different, but overlapping, material scopes.

Although both laws apply to one set of processing operations, the EDPB opinion makes clear that they sometimes apply in a complementary manner, while in other cases, the ePD provides for a more specific rule in relation to a particular type of processing, which is regulated at a more specific level than the GDPR.

Application of specialised rules

The EDPB opinion confirms that the more specialised rule will take precedence in such cases, such as where cookies are used to collect information which constitutes personal data.

“While Article 6 [of the] GDPR provides for various lawful grounds for this processing, Article 5(3) [of the] ePD also applies and requires consent to be obtained from individuals before cookies are placed on their devices.

“In this and similar situations, Article 5(3) as the more specific rule will prevail and requires that consent be obtained, instead of relying on one of the other lawful grounds for that specific set of processing activities,” notes the Ustaran and Campion article.

The EDPB opinion further makes it clear that where there is a specialised rule under the ePD, the rule should take precedence over the GDPR in enforcement as well as interpretation, but the GDPR should continue to apply to processing operations which may be part of the same process, but to which no specific ePD rule applies.

An example of this, according to the article, is if processing of personal data involves access to information stored on the user’s device, data protection rules such as data subject rights and principles of processing are subject to GDPR provisions.

The EDPB opinion further makes it clear that DPAs may also take the factual finding of an infringement of ePD rules into account when applying the GDPR, for example to assess the fairness or lawfulness of processing.

Where several authorities are competent for the different legal instruments, EDPB opinion states that they should ensure the enforcement of both is consistent.

Complex legal conundrum

According to Ustaran and Campion, as the digital economy progresses, European data protection law is likely to lead to a more harmonised approach to its interpretation and enforcement, as reflected by the EDPB’s opinion.

However, the situation going forward it far from clearcut as the ePD was initially intended to be replaced by the proposed European ePrivacy Regulation (ePR) in May 2018, but then was expected to be implemented at some point in 2019 and now looks likely to take a little longer.

“The whole e-Privacy Directive / forthcoming Regulation and GDPR debate is one of the most complex legal conundrums going on at the moment in this space,” Ustaran told Computer Weekly.

“The recent EDPB opinion is very helpful in terms of understanding the regulators’ thinking, but where the e-Privacy Regulation fits in is a big missing piece,” he said.

According to Ustaran, the e-Privacy Regulation is unlikely to be fully effective before 2020, given that the European Council has not decided on a preferred draft, which will then need to be discussed in detail with the European Parliament and the European Commission before being formally adopted.

“However, thinking ahead and given the trajectory of the most recent legislation, such as the GDPR, we should expect heavy reliance on strict consent as a condition for the use of cookies and anything related to behavioural profiling,” he said.

Read more about ePrivacy

Read more on Privacy and data protection

Data Center
Data Management