Before examining the implications for DPAs, the Opinion first goes into some detail on the relationship between the GDPR and the ePD, which have different, but overlapping, material scopes. Where both laws apply to one set of processing operations, they sometimes apply in a complementary manner. In other cases, the ePD regulates a particular type of processing through a rule that is more specific than the GDPR's. The Opinion confirms that the more specialised rule will take precedence in such cases. A common example of this is where cookies are used to collect information which constitutes personal data. While Article 6 GDPR provides for various lawful grounds for this processing, Article 5(3) ePD also applies and requires consent to be obtained from individuals before cookies are placed on their devices. In this and similar situations, Article 5(3), as the more specific rule, prevails and requires that consent be obtained, rather than allowing reliance on one of the other lawful grounds for that specific set of processing activities.
In relation to the tasks and competences of DPAs, and to the cooperation and consistency mechanism, the Opinion follows the same general approach. The GDPR sets out the legal mandate of DPAs, including their tasks and competences and the mechanisms for cooperation. DPAs do not necessarily enforce the provisions of the ePD, however, as Member States are merely required to ensure that one or more national regulatory authorities perform the regulatory tasks under that Directive. This means that different regulatory authorities may enforce the provisions of the GDPR and the ePD (though in the UK, for example, the Information Commissioner’s Office performs both roles). National law should provide for the tasks and powers of whichever regulatory authority is charged with enforcing the ePD, and powers conferred under the GDPR should not be used to enforce provisions of the ePD.
Where there is a specialised rule under the ePD, the rule should take precedence over the GDPR in enforcement as well as interpretation, but the GDPR should continue to apply to processing operations which may be part of the same process but to which no specific ePD rule applies. For example, if processing of personal data involves access to information stored on the end-user’s device, data protection rules such as data subject rights and principles of processing are subject to GDPR provisions. DPAs may also take the factual finding of an infringement of ePD rules into account when applying the GDPR, for example to assess the fairness or lawfulness of processing. Where several authorities are competent for the different legal instruments, they should ensure the enforcement of both is consistent.
The final section of the Opinion is devoted to the consistency and cooperation mechanisms, which are set out in Chapter VII of the GDPR and therefore apply to data protection matters, not to the enforcement of ePD rules as such. Where specialised rules of the ePD apply to a particular type of processing, cross-border cooperation between authorities may take place to the extent that they have adopted measures to allow it. In practice, DPAs need to select carefully which “line of communication” to use.
All in all, as the digital economy progresses, European data protection law is likely to lead to a more harmonised approach to its interpretation and enforcement, and this Opinion reflects that trajectory.
Authored by Eduardo Ustaran and Elizabeth Campion (Knowledge Paralegal)