GDPR: 'e-Privacy' breaches can be factored into fines

Out-Law News | 18 Mar 2019 | 3:31 pm | 4 min. read

Businesses face higher fines if their processing of personal data is found to breach both the General Data Protection Regulation (GDPR) and EU 'e-Privacy' rules, according to a new opinion issued by the European Data Protection Board (EDPB).

However, the EDPB said that not all data protection regulators in the EU are able to factor e-Privacy rules infringements into the way they enforce the GDPR because the regulators need to have been designated under national law as being responsible for overseeing compliance with the e-Privacy rules to do so. This is not the case in all EU countries.

The EDPB's opinion, issued earlier this month, concerns the interplay between the e-Privacy Directive and the GDPR. The EDPB was asked by Belgium's data protection regulator to clarify questions regarding enforcement where there is a cross-over between both regimes.

The opinion acknowledged that some personal data processing activities can engage both pieces of legislation, and not just the GDPR. Examples include where electronic communication service providers process so-called 'traffic' data and where website operators or advertising networks place 'cookies' on internet users' devices to track their online activity.

The EDPB clarified that where processing activities do engage both the e-Privacy rules and GDPR, the e-Privacy Directive's requirements take precedence.

This means, for example, that businesses engaging in electronic direct marketing must ensure that intended recipients have consented to receiving those communications, or that a legal exception applies, such as the 'soft opt-in' available under current UK law. They cannot rely on other lawful grounds for processing personal data set out in the GDPR, such as 'legitimate interests', to justify sending unsolicited marketing communications, the EDPB said.

Data protection law expert Rachel Forbes of Pinsent Masons, the law firm behind Out-Law, welcomed the clarification on the topic. She said there had been a range of views on the issue given the competing provisions set out in the GDPR, including its recitals, and in the e-Privacy Directive.

In its opinion, however, the EDPB explained how the GDPR will continue to apply to processing activities that are engaged by the specific e-Privacy rules.

"The mere fact that a subset of the processing falls within the scope of the e-Privacy directive, does not limit the competence of data protection authorities under the GDPR," the EDPB said.

"For example, a provider of a public communications network or publicly available electronic communications service must comply with national rules … concerning traffic data when processing data necessary for the purposes of subscriber billing and interconnection payments," the EDPB said. "Due to the absence of specific e-Privacy provisions on, for example, the right of access, the provisions of the GDPR apply."

"Likewise … where the provider of an electronic communications service or of a value added service subcontracts the processing of personal data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controllers and processors of personal data as set out in the GDPR," it said.

The EDPB said, though, that data protection regulators can only factor breaches of e-Privacy rules by businesses into their enforcement action against those organisations under the GDPR if they have been designated as responsible for overseeing compliance with the e-Privacy regime in national law.

The distinction is important because there is a significant difference between the maximum fines that can be imposed under the GDPR and the maximum penalties businesses face for non-compliance with the e-Privacy rules. In the UK, for example, the Information Commissioner's Office (ICO) has the power to issue fines of up to 4% of a company's annual global turnover, or €20 million, whichever is higher, for serious breaches of the GDPR, whereas a £500,000 cap applies to the maximum fine it can impose under the e-Privacy regime.

As a result of the EDPB's clarification, there is an increased possibility that two businesses operating in different EU countries, and which breach both the GDPR and the e-Privacy rules in exactly the same way, could face fines that vary in severity. The EDPB did, however, call for coordination of enforcement action in countries where the regulator responsible for enforcing the GDPR is different from the one that enforces the e-Privacy rules.

"In the context of cookies and marketing, and with the expansion of the meaning of 'personal data' over the last few years, even if a data protection regulator does not have a mandate to factor an e-Privacy breach into their enforcement action it is quite likely that the processing activities will engage the GDPR in any case," Forbes said. "The GDPR is principles-based law and the principles are broad and comprehensive and so even if a regulator cannot act on a breach of specific e-Privacy rules, they will likely be able to do so under the GDPR."

"The danger in these cases is therefore of double-fines for the same infringement, since in theory other regulators could wade in along with data protection regulators to penalise non-compliance. However, the EDPB has addressed this point in its opinion by stressing the need for cooperation between competent authorities – in the UK we have seen examples of cross-referrals between regulators, including from the Medicines and Healthcare Products Regulatory Agency (MHRA) to the ICO in respect of a data privacy issue – and similar arrangements are likely for e-Privacy/GDPR cases in EU countries where supervisory duties are performed by more than one regulator to ensure the most adequate recourse and protection for data subjects," she said.

"In the UK, while the biggest fines the ICO has issued to-date have been for systemic failures, the majority of its general enforcement action relates to marketing and breaches of the e-Privacy rules more generally. It will be interesting to see whether the ICO alters its approach to enforcement in these cases from now on to make more use of the stronger powers it has to enforce the GDPR," Forbes said.

The EDPB's opinion does not concern the proposed new e-Privacy Regulation, which would replace the existing e-Privacy rules but which has still to be finalised by EU law makers.

It also remains to be seen whether any new EU e-Privacy rules will be adopted in the UK, or a similar framework introduced, after Brexit and how those new rules interplay with the GDPR.