Beyond Reasonable Doubt

GDPR and e-Privacy Directive (ePD)

Sometimes questions arise about the relationship between the EU GDPR and the emerging updated e-Privacy Directive (ePD), originally published in 2002 with revisions originally expected to be implemented in 2019 though now delayed, and whether there is any overlap between the regulations. The European Data Protection Board (EDPB) adopted its Opinion (2019) which the reader will find useful and the full detail is available at: Opinion 5/2019

In general, where both laws apply to the same set of personal data processing operations, they sometimes apply in a complementary way and in other cases, the ePD is more specific than GDPR where a more specific rule applies. The Opinion has confirmed that the more granular, specialised rule of ePD will take precedence over a GDPR rule, in such cases.

A well-known example that illustrates this is the use of cookies to collect information which constitutes personal data. Article 6 of GDPR provides for various lawful bases for this processing (including consent), however Article 5(3) of ePD also applies and requires consent to be obtained from individuals before cookies are placed on their devices. Article 5(3) of ePD, as the more specific rule, applies and requires that consent be obtained, rather than relying on one of the other lawful bases (GDPR Article 6) for that specific set of processing activities.

In the UK, the ICO will enforce the provisions of both the GDPR and the ePD and it is not inconceivable that a Data Protection Authority (DPA) could discover an infringement of ePD rules and take this into account when applying the GDPR.

e-ntitle.® and x.Context® are registered trademarks of Objectsoft, Limited.  

 ©1998 – “forever Objectsoft Limited. All Rights Reserved.