The European Data Protection Board ("EDPB") was recently asked by the Belgian Data Protection Authority to shed light on the interplay between the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC ("ePD").
Clarification was also sought on the powers of the relevant regulators in enforcing the ePD and the GDPR, and whether cooperation and consistency mechanisms can or should be applied where an issue falls within the scope of both the GDPR and the ePD.
The EDPB opinion sought to clarify these questions by explaining the general scope of both the GDPR and the ePD.
GDPR V EPRIVACY
The EDPB reiterated that the material scope of the GDPR "covers any form of personal data, regardless of the technology used".
On the other hand, the ePD will only apply when each of the following conditions have been satisfied:
- there is an electronic communication service;
- the service is offered over an electronic communications network;
- the services and network are publicly available; and
- the services and network are offered in the EU.
The EDPB confirmed that the ePD will take precedence over general provisions of the GDPR in cases where it particularises the rules set out in those provisions. This is important, given the nature of the GDPR, which, as a regulation, is broadly and directly applicable, with Member States only having discretion to introduce further specifications by way of national law in limited circumstances. On the other hand, the ePD, as a directive, allows Member States broader discretion to interpret and transpose its provisions.
For businesses this means that direct marketing practices must be entirely GDPR-compliant while also complying with the ePD, keeping in mind that the applicable ePD rules may vary by Member State depending on which country your customer is located in.
The EDPB further confirmed that there was a need for consistent interpretation among data protection supervisory authorities as to the boundaries of their competences, tasks and powers. Although the ePD gives Member States discretion to establish one or more authorities to enforce the ePD, the GDPR requires Member States to establish a single data protection supervisory authority to oversee the enforcement of the GDPR. In Ireland, the Data Protection Commission is tasked with the enforcement of the GDPR while also holding other specific functions and enforcement powers under the Irish ePrivacy Regulation (SI 336/2011), with ComReg holding other regulatory functions.
The EDPB opinion also touched on the interface between consent under the GDPR and the ePD. Under the GDPR, the standard of consent is now much higher than the level of consent that was envisaged by the ePD, such that it must be freely given, specific, informed and as easy to withdraw as it is to give.
The recent opinion of Advocate General Szpunar in the Planet49 case before the Court of Justice of the European Union ("CJEU") (Case C-673/17) raised similar issues in relation the intersection of the GDPR and the ePD.
The case involved an online lottery organised by Planet49. In order to participate in the lottery an internet user had to complete two checkboxes. The first unchecked box required the user to accept being contacted by a range of firms for promotional offers (i.e., direct marketing) and the second pre-checked box required the user to consent to cookies placed on the user's computer to track surfing and user behaviour.
The opinion of Advocate General Szpunar confirmed that a pre-ticked box would not qualify as opt-in consent for cookies or direct marketing as it was not freely given. Unsurprisingly, he also confirmed that it would not satisfy consent under the GDPR, pursuant to which consent must not only be freely given, but must also be specific and informed.
Advocate General Szpunar's opinion is not binding on the CJEU, but it will be interesting to see if the CJEU adopts the same approach in its forthcoming decision. If the CJEU affirm this approach, this may result in users being provided with information required by the GDPR for each cookie and each use of data, rendering our future browsing experience quite different.