Monday, December 02 2019
Opinion 5 / 2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities - Adopted on 12 March 2019
In reality, this document was preceded by a statement that the EDPB deemed it appropriate to publish the 25 May 2018, ie on the same day that the new ePrivacy regulation should have come into force, with the aim of making a further contribution available for the conclusion of the process of publication of the new regulation itself.
This can be summarized with the conclusions:
The European Data Protection Committee believes that:
Then, in March, 2019 arrives for the publication of the Opinion 5 / 2019 with the aim of answering the various questions on the interactions between the ePrivacy Directive and GDPR. It is inspired by a request from the Belgian supervisory authority to request clarification from the board on the interaction between GDPR and the ePrivacy Directive.
The explanation highlights the three topics covered:
We dwell, for the particular interest that it has, on this last condition. Example:
"If, in publishing or retrieving information through a cookie or similar device, the information collected can be considered personal data, then, in addition to Article 5 (3) of the ePrivacy Directive, the 95 / 46 / CE Directive will also apply" (example formulated before the promulgation of the GDPR)
The GDPR adds in this regard the recital 30:
Individuals can be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other types of identifiers, such as radiofrequency identification tags. These identifiers can leave traces that, in particular if combined with unique identifiers and other information received from the servers, can be used to create profiles of individuals and identify them.
Obviously we want to avoid a conflict between the different measures. In this regard, the EDPB suggests applying the principle lex specialis derogat general, ie the special provisions prevail over the general rules. In other words, in situations where the ePrivacy directive "particularizes" (ie makes more specific) the GDPR rules, the "specific" provisions of the ePrivacy directive, as lex specialis, prevail over the "more general" provisions of the GDPR. Vice versa, any processing of personal data that is not specifically regulated by the ePrivacy directive (or for which the ePrivacy directive does not contain a "special rule"), remains subject to the provisions of the GDPR.
An example that shows how the ePrivacy directive "particularizes" the provisions of the GDPR can be the processing of so-called "traffic data", as per art. 6 of the directive. Ordinarily, the processing of personal data can be justified on the basis of each of the legitimate reasons referred to in the article 6 of the GDPR and from the recital 49. However the full range of possible legitimate reasons provided by the GDPR 6 article cannot be applied by the provider of an electronic communication service to the processing of traffic data, since the 6 article of the ePrivacy directive explicitly limits the conditions in which traffic data, including personal data, can be processed. In this case, the more specific provisions of the ePrivacy directive must prevail over the more general provisions of the GDPR. However, the 6 article of the ePrivacy directive does not reduce the requests for other provisions of the GDPR, such as the rights of the data subject or deny the requirement that the processing of personal data must be lawful, correct and transparent (art. 5 par.1 of the GDPR ).
The 2002 / 58 / CE directive - ePrivacy
The 2006 / 24 / CE directive
Judgment of the Court (Grand Chamber) of 8 April 2014
The 2009 / 136 / CE directive
The draft of the new regulation
Statement on the revision of the ePrivacy regulation and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications
Opinion 5 / 2019 of the appb