The EDPB has adopted an opinion on the interplay between the ePrivacy Directive and the GDPR. The opinion was issued upon a request of the Belgian data protection authority to examine the interplay between the GDPR and the ePrivacy Directive, in particular regarding the competence, tasks and powers of data protection authorities.
In light of the applicable provisions (i.e. Article 1 para 2 of the ePrivacy Directive and Article 95 of the GDPR), the EDPB clarifies that, although in cases where an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the rules. In the eyes of the EDPB, the applicable provisions confirm a "lex generalis – lex specialis" relationship: In situations where the ePrivacy Directive renders more specific rules than the rules of the GDPR, the (specific) provisions of the ePrivacy Directive shall, as "lex specialis", take precedence over the (more general) provisions of the GDPR. However, any processing of personal data which is not specifically governed by the ePrivacy Directive (or for which the ePrivacy Directive does not contain a "special rule"), remains subject to the provisions of the GDPR.
To provide an example: The full range of possible lawful grounds provided by Article 6 of the GDPR cannot be applied by the provider of an electronic communications service to the processing of traffic data, because Article 6 of the ePrivacy Directive explicitly limits the conditions in which traffic data, including personal data, may be processed. In this case, the more specific provisions of the ePrivacy Directive take precedence over the more general provisions of the GDPR. Article 6 of the ePrivacy Directive does, however, not curtail the applications of other provisions of the GDPR, such as the rights of the data subject.
The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR. Pursuant to the EDPB, a corollary of the "lex specialis" principle is that there shall only be a derogation from the general rule insofar as the law governing a specific subject matter contains a special rule. The facts of the case must be carefully analysed to find how far the derogation extends, especially in cases where data undergoes many different kinds of processing – either in parallel or sequentially.
Interestingly, the EDPB also takes the view that electronic communications service providers who have notified a personal data breach in compliance with applicable national ePrivacy legislation are not required to separately notify data protection authorities of the same breach pursuant to Article 33 of the GDPR. As the EDPB does not distinguish, this would even apply if the competent national authority under the ePrivacy Directive and the national data protection authority as per the GDPR are not identical.
An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. As the GDPR mechanisms do not apply to the enforcement of the provisions contained in the ePrivacy Directive as such, the data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR. However, any enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by Member State law. Only if Member State law designates the data protection authority as competent national authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR.
In any event, according to the EDPB, the cooperation and consistency mechanism available to data protection authorities under Chapter VII of the GDPR concern the monitoring of the application of GDPR provisions. The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. The cooperation and consistency mechanism remains fully applicable, however, insofar as the processing is subject to the general provisions of the GDPR (and not to a "special rule" contained in the ePrivacy Directive).
