With the General Data Protection Regulation (the “GDPR”) putting all stakeholders processing personal data on guard, the proposal of the e-Privacy Regulation (the “e-PR”) sparks a new wave of ambivalence in the European digital market. Although many components of this draft piece of EU law still remain in a state of flux, it is important to keep in mind that the e-PR is set to complement the GDPR and particularize its aspects related to electronic communication. All other facets of personal data protection will remain in the domain of the GDPR. Therefore, despite certain distinctions, the relationship between these two is the one of alliance and not friction.
Which aspects are different?
Although both the GDPR and e-Privacy Regulation are a part of the reform of the EU data protection agenda they stem from different legal precedents.
The GDPR advances values promulgated by Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) related to the right for protection of one’s personal data, while e-Privacy Regulation reflects Article 7 of the Charter on respect for family and private life.
This immediate distinction highlights the scoping differences between these two EU legal instruments: while the GDPR shapes the legislative framework for personal data protection, the ambition of the e-Privacy Regulation is limited to ensuring privacy of electronic communication which may also include non-personal data. T
he e-Privacy Regulation will explicitly apply to metadata of e-communication and will procure the protection of terminal equipment of end users located in the EU.
To this end, the GDPR is only concerned with rights of natural persons whistle the e-Privacy Regulation will also cover the rights of legal entities which means that companies will be able to enjoy privacy rights, too. As a result, the e-PR entirely omits the concept of “data subject” and substitutes it with the “end-user”.
And which are the same?
One of the main similarities between the GDPR and e-PR is that both of them are Regulations. It means that once in force, they will become immediately effective within the whole territory of EU, leaving members states with little to no space for law-making in this aspect.
It was initially intended that both Regulations would enter into force at the same time, on 25 May 2018. Nevertheless, while the GDPR was ready for adoption, the final text of the e-PR (in particular, its provisions concerning cookies settings and direct marketing) was still being heatedly debated.
Although it is evident now that the e-Privacy Regulation may be as long as one year overdue, the intended legislative symbiosis between it and the GDPR remains impregnable: once effective the e-PR will be lex specialis to the GDPR focused on the e-communication sector.
With the aim to strengthen this symbiosis, the task to supervise enforcement of the e-PR was entrusted to the European Data Protection Board (the “EDPB”) that is already monitoring enforcement of the GDPR compliance. This way all relevant historic knowledge and expertise will be utilized under one roof.
Fines and sanctions for infringement of either Regulation are similarly aligned and may reach up to EUR 20 million or up to 4 % of annual turnover for the preceding financial year, whichever is larger.
Despite certain differences (mainly scope-related) the GDPR and e-PR are still intended to go hand in hand and form a single regulatory web ensuring an uninhibited yet secure data flow across the EU.
As a result, all data in the light of the GDPR and e-Privacy Regulation may be divided into 3 main categories:
Data only governed by the GDPR (personal data in the context other than e-communication, e.g. processing of medical records or biometric data),
Data only governed by the e-PR (non-personal yet highly sensitive information belonging to legal entities such as trade secrets),
Data which the e-PR addresses explicitly, thereby, prevailing over more generic provision of the GDPR to that effect (e.g. consent requirements for the first party analytics cookies).