EDPB Issues Opinion on Intersection of GDPR and ePrivacy
The European Data Protection Board has published a 24-page Opinion of the Board under Article 64 on the interplay between the ePrivacy Directive and the GDPR. The opinion was adopted in order to ensure a consistent interpretation of GDPR throughout the European Economic Area. It was adopted during the Eighth Plenary session.
During the session, the EDPB also adopted a statement, according to its press release, “calling upon EU legislators to intensify efforts towards the adoption of the ePrivacy Regulation ….” It also said that the ePrivacy Regulation “should under no circumstance lower the level of protection offered by the current ePrivacy Directive and should complement the GDPR by providing additional strong guarantees for all types of electronic communications.”
Interplay Between GDPR and the ePrivacy Directive
The Belgian Data Protection Authority requested the Opinion “in particular regarding the competence, tasks and powers of data protection authorities” in early December of last year. The Belgian DPA also asked whether processing can be governed by both the ePrivacy Directive and the GDPR.
The EDPB cited case law of the Court of Justice of the European Union (CJEU) to confirm that processing can fall within both the ePrivacy Directive and GDPR at the same time. Although the decision mentioned dealt with the predecessor, the Opinion walks through several references in GDPR to materials covered in the ePrivacy Directive. At the same time, it notes that Article 95 and Recital 173 limit the impact of GDPR on the provision of publicly available electronic communications services in public communication networks in the EU on matters where there are specific obligations with the same objective in the ePrivacy Directive.
On the interplay between the two laws, the EDPB describes the ePrivacy Directive's function as “to particularise” and “to complement” GDPR. Where ePrivacy particularizes GDPR by rendering it more specific, it takes precedence over the more general provisions of GDPR. However, any processing not specifically governed by the ePrivacy Directive remains covered by the provisions of GDPR. Examples of ePrivacy particularizing GDPR included Article 6 on processing of “traffic data”, and Article 5(3) on information stored in the end-user’s device.
EDPB provided an example relevant to the interplay with regard to cookies:
“A data broker engages in profiling on the basis of information concerning the internet browsing behaviour of individuals, collected by the use of cookies, but which may also include personal data obtained via other sources (e.g. “commercial partners”). In such a case, a subset of the processing in question, namely the placing or reading of cookies must comply with the national provision transposing article 5(3) of the ePrivacy Directive. Subsequent processing of personal data including personal data obtained by cookies must also have a legal basis under article 6 of the GDPR in order to be lawful.”
In the areas of ePrivacy that “complement” GDPR, EDPB described the additional protections as “supplementing the GDPR”.
On the question of the data protection authorities' competence to enforce GDPR where it intersects with ePrivacy, EDPB said that “[t]he mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR.” Member States have flexibility on which authority to entrust with enforcement, but where it is the same body, the EDPB made clear that it “cannot automatically rely on the tasks and powers foreseen in the GDPR to enforce national ePrivacy rules”.
The conclusion highlights a few of the data protection principles specified above:
– DPAs can enforce the ePrivacy Directive only if they are given authority by national law.
– DPA enforcement on actions that violate GDPR and ePrivacy, where the nation has not granted additional powers, should be justified only under GDPR.
– DPAs can enforce GDPR even where a subset of the processing falls within the ePrivacy Directive.
Link to the PDF of the Opinion: https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf