Who: European Data Protection Board (EDPB)
Where: European Union
When: 12 March 2018
Law stated as at: 15 April 2019
What happened
In response to a request from the Belgian data protection authority, the EDPB has published Opinion 5/2019 on the interplay between the ePrivacy Directive and General Data Protection Regulation (the GDPR). By way of reminder, the ePrivacy Directive was implemented into UK law through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The Opinion focuses on the competence, tasks and powers of data protection authorities and notes, amongst other things, that:
- a data protection authority responsible for overseeing and enforcing GDPR compliance can also be competent to enforce the ePrivacy Directive, subject to this being provided for under its own national laws;
- processing that may fall within the scope of the ePrivacy Directive does not affect the enforcement abilities of data protection authorities under GDPR; and
- a breach of GDPR may also be a breach of the ePrivacy Directive and the data protection authority can take this into consideration when enforcing the GDPR, provided that enforcement is based on the GDPR, unless otherwise provided for under local laws.
The EDPB noted that the Opinion is without prejudice to the ongoing negotiations in respect of the much-delayed draft ePrivacy Regulation.
Why does this matter
The Opinion provides some clarity to businesses that have been concerned about the interplay between the enforcement of GDPR and the ePrivacy Directive (or PECR). In particular, prior to the GDPR, some businesses chose to take a somewhat relaxed (and, potentially, risky) approach to PECR compliance in respect of marketing. The Opinion strengthens the view that choosing to take a risk in respect of PECR may result in a business infringing both PECR and the GDPR.