Sunday, November 03 2019

In the 2016 sees the light, after several years of work, the final version of the new regulation for the protection of personal data, the GDPR, which comes into force since May 25. One of the most important innovations that it brings with it, in addition to an innovative content in different aspects, is the fact of being a regulation rather than a directive. This has the advantage of not having to be implemented in the various countries because it prevails over internal legislation but the disadvantage of requiring long preparation times to harmonize the needs of different countries.

Well a provision of such importance could not fail to take into account the ePrivacy directive, with which the GDPR must necessarily be harmonized.

In fact the directive is mentioned several times:

  • the recital 173 states: It is appropriate that this regulation applies to all aspects relating to the protection of fundamental rights and freedoms with regard to the processing of personal data that do not fall under specific obligations, having the same objective, referred to in the 2002 directive / 58 / CE of the European Parliament and of the Council (18), including the obligations of the data controller and the rights of individuals. To clarify the relationship between this regulation and the 2002 / 58 / CE directive, it is appropriate to modify the latter accordingly. Once this regulation is adopted, the 2002 / 58 / CE directive should be reviewed in particular to ensure consistency with this regulation
  • the 21 article (Right of opposition) states in the paragraph 5: In the context of the use of information society services and without prejudice to the 2002 / 58 / CE directive, the interested party can exercise his right of opposition by automated means using specific techniques
  • Article 95 (Relationship with Directive 2002 / 58 / CE) states: This regulation does not impose additional obligations on natural or legal persons in relation to the processing in the context of the provision of publicly available electronic communication services on public communication networks in the Union, with regard to matters for which they are subject to specific obligations with the same objective set by the 2002 / 58 / CE directive.

As can be seen from the previous points, and as often happens with regard to other topics, the regulation does not give precise explanations on how to understand the relationship between the GDPR itself and the ePrivacy directive, delegating this task to further explanations and in-depth analyzes.

In the meantime, following what was suggested by the recital 173, the European parliament is working to create an update of the ePrivacy directive and also in this case, new, it is oriented towards a regulation rather than recreating a directive. In this regard, the 10 January 2017 is presented by the Commission a “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning respect for private life and the protection of personal data in electronic communications and repealing the 2002 / 58 / CE directive (regulation on private life and electronic communications) ".

The diligence with which this draft is presented, with respect to the entry into force of the GDPR, and the points of the draft mentioned below:

  • Article 27 (Repeal) Paragraph 1: The 2002 / 58 / CE directive is repealed with effect from 25 May 2018
  • Article 29 (Entry into force and application) Paragraph 2: It (note: the regulation in question) applies from the 25 May 2018

they suggest a quick re-proposal of the new regulation, such that it can enter into force on the same date as the GDPR becomes fully operational, the 25 May 2018.

Unfortunately this does not happen and, more than a year after the hypothesized entry into force, there is no trace of the new regulation or the release of new drafts. It is assumed that, due to the structure of the regulation itself, which does not allow for local adjustments, and the need for a correct balance in appropriately balancing the rights of data subjects with the interests of important market players including OTTs, the path of this regulation is undergoing a profound slowdown and probably also a profound change from the January 2017 proposal.

It is probably due to this delay, the disappointment that follows, the lack of clarity that electronic communication operators have following the entry into force of the GDPR, that the EDPB publishes an in-depth document on the interpretation of the relationship between the ePrivacy directive and the GDPR: Opinion 5 / 2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities - Adopted on 12 March 2019.

In the next publications we will deepen our knowledge of the draft of the new regulation and of the Opinion 5 / 2019 of the EDPB.

Lino Castelliti

Find us

Sinergetica Consulting srl
Via Prati, 29 - 65124 Pescara

Privacy Information Site
Cookie Policy
Legal notices
Ethical code (italian)