Photo of Sheila MillarPhoto of Tracy Marshall

The European Data Protection Board (EDPB) has weighed in on the interplay between the General Data Protection Regulation (GDPR) and the ePrivacy Directive in response to questions from the Belgian Data Protection Authority (DPA). Addressing how and when each set of rules applies to processing data, the EDPB stated that “these questions concern a matter of general application of the GDPR, as there is a clear need for a consistent interpretation among data protection authorities on the boundaries of their competences, tasks and powers.”

The ePrivacy Directive, also known as the “cookie directive,” governs electronic communications whether or not they contain personal data. The GDPR, which took effect nearly a year ago, regulates the collection and protection of personal data of EU residents.

The EDPB’s Opinion on the interplay between the ePrivacy Directive and the General Data Protection Regulation, adopted on March 12, examines three circumstances:

  1. Where there is no interplay between the GDPR and the ePrivacy Directive because the matter falls outside of the scope of the GDPR;
  2. Where there is no interplay between the GDPR and the ePrivacy Directive because the matter falls outside of the scope of the ePrivacy Directive; and
  3. Where there is an interplay between the GDPR and the ePrivacy Directive because the processing triggers the material scope of both the GDPR and the ePrivacy Directive.

The opinion states that “although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the rules.” However, it does identify the circumstances in which one set of rules will prevail over the other and the competence and task of DPAs in relation to those circumstances:

  • Where “special rules” of the ePrivacy Directive apply (e.g., the requirement for processors to get consent before using cookies under article 5(3)), the ePrivacy Directive trumps GDPR;
  • In all other cases, where the processing of personal data is not specifically governed by the ePrivacy Directive (or where the ePrivacy Directive does not contain a “special rule”), GDPR takes precedence;
  • The powers of DPAs to oversee data processing under the GDPR are not affected by the ePrivacy Directive “special rules”; and
  • When processing personal data falls under both the GDPR and ePrivacy Directive, DPAs may take into account the provisions of the ePrivacy Directive if the violation also breaches national law implementing the ePrivacy Directive.

On a related note, the EDPB also called on the European legislators to finalize the ePrivacy Regulation to replace the ePrivacy Directive. If enacted, the ePrivacy Regulation would take direct effect without necessitating new implementing legislation in Member States. The EDPB’s statement urges that a new ePrivacy Regulation build on existing protections and complement the GDPR.