March 25, 2019

On 3 December 2018 the Belgian DPA requested the EDPB to examine and issue an opinion on the interplay between the ePrivacy Directive and the GDPR.

First, the Belgian DPA asked whether the mere fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, does that limit the competences, tasks and powers of data protection authorities under the GDPR? In other words, is there a subset of data processing operations they should set aside, and if so when?

The EDPB said that when the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinise the data processing operations that are governed by national ePrivacy rules only if national law confers such competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.

Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive does not limit the competence of data protection authorities under the GDPR.

Secondly, the Belgian DPA asked whether, when exercising their competences, tasks and powers under the GDPR, should data protection authorities take into account the provisions of the ePrivacy Directive, and if so to what extent? In other words, should infringements of national ePrivacy rules be set aside when in assessing compliance with the GDPR, and if so when?

The EDPB said that the authority appointed as competent in the meaning of the ePrivacy Directive by Member States is exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data that are not subject to one or more specifics rules contained in the ePrivacy Directive.

Further, the EDPB said, an infringement of the GDPR might also constitute an infringement of national ePrivacy rules. In that case, the data protection authority may take this into consideration when applying the GDPR (e.g., when assessing compliance with the lawfulness or fairness principle under article 5(1)(a) of the GDPR). However, any enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by Member State law.

The EDPB also said that if national law designates the data protection authority as the competent authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR (otherwise, it does not).

Thirdly, the Belgian DPA asked, to what extent are the cooperation and consistency mechanisms applicable in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive?

The EDPB answered this question by saying that the cooperation and consistency mechanisms available to data protection authorities under Chapter VII of the GDPR concern the monitoring of the application of GDPR provisions. The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. The cooperation and consistency mechanisms remain fully applicable to such processing. However, that is true only insofar as the processing is subject to the general provisions of the GDPR (and not to a “special rule” contained in the ePrivacy Directive).

Finally, the EDPB acknowledged that its interpretation of the questions is without prejudice to the outcome of the current negotiations of the ePrivacy Regulation. The proposed Regulation addresses many important elements, including the competences of data protection authorities, but also a range of other very “important issues”. To read the EDPB’s Opinion in full, click here.