Scarcely a week goes by without my saying to someone or other (clients, colleagues, my children round the dinner table): the GDPR is not an exhaustive regime – where applicable, you need to ensure compliance with ePrivacy laws as well. Especially when it comes to electronic marketing communications, cookies and related ad tech. This inevitably prompts the question: aren’t we supposed to be getting a new ePrivacy law? What’s the delay?
The EDPB is asking the same question about the work-in-(painfully slow)-progress ePrivacy Regulation, which will in time replace the current ePrivacy Directive 2002/58/EC (the one that is supposed to help prevent spam emails and the like). The EDPB issued a statement last week chivvying EU legislators to get on with it, i.e. to finalise their negotiations and issue a final draft of the new Regulation without further delay. Come on, it urges, the new law is both necessary and delightful: “Far from being an obstacle to the development of new technologies and services, the ePrivacy Regulation is necessary to ensure a level playing field and legal certainty for market operators”.
The point about a need for certainty is well made. This brings me to another EDPB release from last week on the same broad subject matter, namely its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, issued in response to some questions referred by the Belgian DPA in December. As the (typically verbose) full title to that opinion makes clear, the focus is on the tasks of data protection authorities across these two regimes. The point I wanted to blog about, however, concerns how ePrivacy law and the GDPR are supposed to fit together. Here are some insights courtesy of the EDPB.
One point concerns duplication of burden. The EDPB’s opinion discusses Article 95 GDPR, which refers to the GDPR not imposing additional administrative burdens beyond the ePrivacy Directive. The example here is breach reporting: if ePrivacy law requires a breach notification, the GDPR does not demand that you do the same thing twice.
The broader issue, however, is how to fit the two regimes together in practice. The starting point is that they both seek to protect privacy rights as enshrined under Articles 7 and 8 of the Charter of Fundamental Rights. ePrivacy law is intended to “particularise and complement” the GDPR as regards certain types of activity. Very nice. What does that mean?
“Complement” is clear enough: e-Privacy gives some further rights not conferred by the GDPR.
“Particularise” refers of course (cue sage nods from my children at the dinner table) to the principle lex specialis derogat legi generali: special provisions prevail over general rules in situations which they specifically seek to regulate. So, where you’re looking at an issue governed specifically by e-Privacy law, focus on complying with that regime first; the GDPR analysis is then second in the queue.
An example here is the use of cookies. This engages both ePrivacy law and the GDPR, since cookies very often entail the processing of personal data. The ePrivacy Directive requires consent for the use of cookies. So, “where these articles require consent for the specific actions they describe, the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR” (para 40 of the opinion). In other words, the EDPB tells us, you can’t rely on legitimate interests under the GDPR to justify a particular processing activity that, by virtue of e-Privacy law, can only be undertaken on the basis of consent.
I’ve underlined those words because, as ever, the devil is in the detail. Broad sweeping rules don’t dictate every granular detail. You need to identify and isolate the specific and the general in order to figure out how to ensure compliance with both regimes. This is one of the pressing current challenges for those whose work spans both these regimes.
Ad tech – including of course the use of cookies and related technologies – is a hot issue for the ICO just now too. It held an ad tech “fact finding forum” with sector participants on 6 March, and has published its summary report of the key points discussed and perspectives exchanged. We await the ICO’s conclusions and guidance – and whatever action comes thereafter.
Robin Hopkins @hopkinsrobin