Relationship to E-Privacy

When processing personal data, two major EU legislative instruments are of potential relevance to your operations: the GDPR and the e-Privacy Directive As it is important to know which instrument to turn to under which circumstances, you need to be able to distinguish them and their scopes of application.

The goal of the GDPR is to protect fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and to ensure the free movement of personal data within the Union. The goal of the e-Privacy Directive is also to protect fundamental rights and freedoms of the public, but in particular the right to privacy and confidentiality specifically with respect to processing personal data in light of the use of electronic communication networks. Finally, the e-Privacy Directive also aims to ensure the free movement of such data and of electronic communication equipment and services in the Union.

In other words, the e-Privacy Directive particularises and complements the GDPR regarding the processing of personal data in the electronic communication sector!

In the event of processing personal data, there are three possible scenarios regarding the (lack of) interplay between both instruments:

When the data that is being processed is not personal data (e.g. company emails that do not hold the name of natural persons or phone numbers of automated customer services of legal persons etc.)
When it concerns processing, activities mentioned in the list of article 2(2) and (3) of the GDPR
When the processing activities do not fall under the territorial scope of the GDPR

In general, the e-Privacy directive does not apply, unless:
- it concerns an electronic communications service
- which is offered over an electronic communications network
- the service and network are publicly available (so not corporate networks that are only accessible to employees for professional purposes)
- and are offered in the EU
Website operators or other businesses do not fall under the scope of the Directive (except when it concerns articles 5(3) (cookie rules) and 13 (direct marketing rules))

It is possible for processing activities to fall within the material scope of both legal instruments:

In case of the use of cookies which collect personal data
In case of direct marketing practices
In case providers of electronic communications services process personal data of natural persons using their services and additionally specific rules – e.g. on subscriber directories, itemised billing, calling line identification – apply
In case traffic or location data are generated by electronic communications services in case personal data is involved

For situations in which both legal instruments apply, the GDPR acknowledges that the e-Privacy Directive should prevail and that it does not impose additional obligations on natural or legal persons in relation to processing in light of the provision of publicly available electronic communications services in public communication networks in the EU.

This is only for situations in which specific obligations exist within the e-Privacy Directive. In other cases, where it does not specify anything, the more general rules of the GDPR will govern the situation.

What about enforcement?

National data protection authorities are competent to enforce the GDPR. The sole fact that part of a processing operation falls within the scope of the e-Privacy directive, does not affect the competence of data protection authorities under the GDPR. However, data protection authorities are not automatically competent considering e-Privacy.

The latter depends on whether the national law of your country designates the data protection authority as competent authority under the e-Privacy Directive. It is only then that the data protection authority has the competence to directly enforce national e-Privacy rules in addition to the GDPR.

Time for action!

In case you are processing data within the context of providing publicly available electronic communications services in EU public communication networks, do not forget to check first whether you, and how to, comply with the e-Privacy Directive.