Mind the overlap between GDPR and ePD, warns privacy lawyer

Application of specialised rules

The EDPB opinion confirms that the more specialised rule will take precedence in such cases, such as where cookies are used to collect information which constitutes personal data.

“While Article 6 [of the] GDPR provides for various lawful grounds for this processing, Article 5(3) [of the] ePD also applies and requires consent to be obtained from individuals before cookies are placed on their devices.

“In this and similar situations, Article 5(3) as the more specific rule will prevail and requires that consent be obtained, instead of relying on one of the other lawful grounds for that specific set of processing activities,” notes the Ustaran and Campion article.

The EDPB opinion further makes it clear that where there is a specialised rule under the ePD, the rule should take precedence over the GDPR in enforcement as well as interpretation, but the GDPR should continue to apply to processing operations which may be part of the same process, but to which no specific ePD rule applies.

An example of this, according to the article, is if processing of personal data involves access to information stored on the user’s device, data protection rules such as data subject rights and principles of processing are subject to GDPR provisions.

The EDPB opinion further makes it clear that DPAs may also take the factual finding of an infringement of ePD rules into account when applying the GDPR, for example to assess the fairness or lawfulness of processing.

Where several authorities are competent for the different legal instruments, EDPB opinion states that they should ensure the enforcement of both is consistent.

Complex legal conundrum

According to Ustaran and Campion, as the digital economy progresses, European data protection law is likely to lead to a more harmonised approach to its interpretation and enforcement, as reflected by the EDPB’s opinion.

However, the situation going forward it far from clearcut as the ePD was initially intended to be replaced by the proposed European ePrivacy Regulation (ePR) in May 2018, but then was expected to be implemented at some point in 2019 and now looks likely to take a little longer.

“The whole e-Privacy Directive / forthcoming Regulation and GDPR debate is one of the most complex legal conundrums going on at the moment in this space,” Ustaran told Computer Weekly.

“The recent EDPB opinion is very helpful in terms of understanding the regulators’ thinking, but where the e-Privacy Regulation fits in is a big missing piece,” he said.

According to Ustaran, the e-Privacy Regulation is unlikely to be fully effective before 2020, given that the European Council has not decided on a preferred draft, which will then need to be discussed in detail with the European Parliament and the European Commission before being formally adopted.

“However, thinking ahead and given the trajectory of the most recent legislation, such as the GDPR, we should expect heavy reliance on strict consent as a condition for the use of cookies and anything related to behavioural profiling,” he said.