On 13 March 2019 European Data Protection Board (EDPB) published an important opinion on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities. EDPB also published a statement on the ePrivacy Directive.
In Chapter 7 EDPB draws interesting conclusions:
* Does the mere fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, limit the competences, tasks and powers of data protection authorities under the GDPR? In other words, is there a subset of data processing operations they should set aside, and if so when?
86. When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.
87. Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR.
* When exercising their competences, tasks and powers under the GDPR, should data protection authorities take into account the provisions of the ePrivacy Directive, and if so to what extent? In other words, should infringements of national ePrivacy rules be set aside when in assessing compliance with the GDPR, and if so when?
88. The authority or authorities that are appointed as competent in the meaning of the ePrivacy Directive by Member States is exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specifics rules contained in the ePrivacy Directive.
89. An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g., when assessing compliance with the lawfulness or fairness principle under article 5(1)a GDPR). However, any enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by Member State law.
90. If national law designates the data protection authority as competent authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR (otherwise it does not).
* To what extent is the cooperation and consistency mechanisms applicable in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive?
91. The cooperation and consistency mechanisms available to data protection authorities under Chapter VII of the GDPR, concern the monitoring of the application of GDPR provisions. The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. The cooperation and consistency mechanism remains fully applicable, however, insofar as the processing is subject to the general provisions of the GDPR (and not to a “special rule” contained in the ePrivacy Directive).
Some reactions on twitter
This is potentially huge. The European Data Protection Board (EDPB) adopted a statement relevant to GDPR enforcement that could effectively outlaw much of how political targeting based on extensive profiling (e.g. on FB) is being done today in the EU: https://t.co/n8ugwnvwdj
— Wolfie Christl (@WolfieChristl) 15 maart 2019
— EDPB (@EU_EDPB) 15 maart 2019
Kommt die #ePrivacy #Verordnung 2019? Der Europäische Datenschutzausschuss (#EDSA) hat den europäischen Gesetzgeber aufgefordert, die bereits seit langem diskutierte E-Privacy #Verordnung schnellstmöglich zu verabschieden! 🇪🇺 #Datenschutz #Europa https://t.co/O0r4l3UJ9Y
— Fabian Burgey (@FabianBurgey) 15 maart 2019
— Matthias Fluhr (@MatthiasFluhr) 15 maart 2019
- Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, 13 March 2019.
- Statement 3/2019 on an ePrivacy regulation, 13 March 2019
- Europäischer Datenschutzausschuss fordert ambitionierte E-Privacy Verordnung, Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, 14 March 2019