THE EVOLUTION OF THE ePRIVACY DIRECTIVE: 6. Opinion 5 / 2019 on the interplay between the ePrivacy Directive and the GDPR

Opinion 5 / 2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities - Adopted on 12 March 2019

In reality, this document was preceded by a statement that the EDPB deemed it appropriate to publish the 25 May 2018, ie on the same day that the new ePrivacy regulation should have come into force, with the aim of making a further contribution available for the conclusion of the process of publication of the new regulation itself.

This can be summarized with the conclusions:

The European Data Protection Committee believes that:

• the ePrivacy Regulation should not lower the level of protection offered by the current ePrivacy Directive;
• the ePrivacy Regulation should protect all types of electronic communications, including those performed by "Over-the-Top" services, in a technologically neutral way;
• the user's consent should be obtained systematically in a technically feasible and binding manner prior to the processing of data relating to electronic communications or before using the storage or processing capabilities of the user's terminal equipment; there should be no exceptions for processing data based on the "legitimate interest" of the data controller or for the general purpose of executing a contract;
• the 10 article (of the draft - ed) should provide an effective way to ensure that websites and mobile applications can obtain consent; more generally, the settings should protect users' privacy by default and these should be guided in the choice of a setting, following the receipt of relevant and transparent information; in this regard, the regulation should remain technologically neutral in order to ensure that, regardless of the way it is used, its application remains consistent;
• the most careful possible control should be applied to any ad hoc exceptions that legislators may wish to add to those already provided for in the draft texts of the Commission and Parliament. In particular, any exception formulated in general terms for cases in which "a public authority" requires data processing should be examined very carefully, and the proposal should not allow indiscriminate monitoring of the user's location or processing of its metadata;
• for consent to be provided freely, as required by the general data protection regulation, access to services and features must not be subject to the user's consent to the processing of personal data or to the processing of information connected to users' terminal equipment final, or cookie wall must be expressly prohibited;
• the use of electronic communication data actually made anonymous must be encouraged;
• the aforementioned developments will protect the privacy of end users in any relevant context and avoid any distortion of competition.

Then, in March, 2019 arrives for the publication of the Opinion 5 / 2019 with the aim of answering the various questions on the interactions between the ePrivacy Directive and GDPR. It is inspired by a request from the Belgian supervisory authority to request clarification from the board on the interaction between GDPR and the ePrivacy Directive.

The explanation highlights the three topics covered:

• issues of interest to the GDPR and not to the directive
• issues of interest to the directive and not to the GDPR
• issues involving both measures

We dwell, for the particular interest that it has, on this last condition. Example:

"If, in publishing or retrieving information through a cookie or similar device, the information collected can be considered personal data, then, in addition to Article 5 (3) of the ePrivacy Directive, the 95 / 46 / CE Directive will also apply" (example formulated before the promulgation of the GDPR)

The GDPR adds in this regard the recital 30:

Individuals can be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other types of identifiers, such as radiofrequency identification tags. These identifiers can leave traces that, in particular if combined with unique identifiers and other information received from the servers, can be used to create profiles of individuals and identify them.

Obviously we want to avoid a conflict between the different measures. In this regard, the EDPB suggests applying the principle lex specialis derogat general, ie the special provisions prevail over the general rules. In other words, in situations where the ePrivacy directive "particularizes" (ie makes more specific) the GDPR rules, the "specific" provisions of the ePrivacy directive, as lex specialis, prevail over the "more general" provisions of the GDPR. Vice versa, any processing of personal data that is not specifically regulated by the ePrivacy directive (or for which the ePrivacy directive does not contain a "special rule"), remains subject to the provisions of the GDPR.

An example that shows how the ePrivacy directive "particularizes" the provisions of the GDPR can be the processing of so-called "traffic data", as per art. 6 of the directive. Ordinarily, the processing of personal data can be justified on the basis of each of the legitimate reasons referred to in the article 6 of the GDPR and from the recital 49. However the full range of possible legitimate reasons provided by the GDPR 6 article cannot be applied by the provider of an electronic communication service to the processing of traffic data, since the 6 article of the ePrivacy directive explicitly limits the conditions in which traffic data, including personal data, can be processed. In this case, the more specific provisions of the ePrivacy directive must prevail over the more general provisions of the GDPR. However, the 6 article of the ePrivacy directive does not reduce the requests for other provisions of the GDPR, such as the rights of the data subject or deny the requirement that the processing of personal data must be lawful, correct and transparent (art. 5 par.1 of the GDPR ).

Lino Castelliti

SITOGRAPHY

The 2002 / 58 / CE directive - ePrivacy

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/35284

The 2006 / 24 / CE directive

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1485189

Judgment of the Court (Grand Chamber) of 8 April 2014

https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:62012CA0293&from=FR

The 2009 / 136 / CE directive

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1798132

The draft of the new regulation

https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:52017PC0010&from=EN

Statement on the revision of the ePrivacy regulation and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications

https://edpb.europa.eu/our-work-tools/our-documents/drugi/statement-edpb-revision-eprivacy-regulation-and-its-impact_it

Opinion 5 / 2019 of the appb

https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52019-interplay-between-eprivacy-directive_it