Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 3 ePrivacy Regulation – Territorial scope and representative

Art. 3 ePrivacy Regulation

Article 3 ePrivacy Regulation – Territorial scope and representative

This Regulation applies to:

(a) provision of electronic communications services to end-users who are in the Union,

(aa) the processing of electronic communications content and of electronic communications metadata of end-users who are in the Union;

(c) the protection of terminal equipment information of end-users who are in the Union.

(cb) the offering of publicly available directories of end-users of electronic communications services who are in the Union;

(cc) the sending of direct marketing communications to end-users who are in the Union.

Where the provider of an electronic communications service, the provider of a publicly available directory, or a person using electronic communications services to send direct marketing communications, or a person using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment is not established in the Union it shall designate in writing, within one month from the start of its activities, a representative in the Union and communicate it to the competent Supervisory Authority.

2a. The requirements laid down in paragraph 2 shall not apply if activities listed in paragraph 1 are occasional and are unlikely to result in a risk to the fundamental rights of end-users taking into account the nature, context, scope and purpose of those activities.

The representative shall be established in one of the Member States where the end-users of such electronic communications services are located.

The representative shall be mandated by the provider or person it represents to be addressed in addition to or instead of the provider it represents, in particular, to supervisory authorities, and end-users, on all issues related to processing electronic communications data for the purposes of ensuring compliance with this Regulation.

The designation of a representative pursuant to paragraph 2 shall be without prejudice to legal actions, which could be initiated against the provider or person it represents.

This Regulation applies to the processing of personal data by a provider not established in the Union, but in a place where Member State law applies by virtue of public international law.

Art. 3 ePrivacy Regulation

(8aaa) Furthermore, this Regulation should apply regardless of whether the processing of electronic communications data or personal data of end-users who are in the Union takes place in the Union or not, or of whether the service provider or person processing such data is established or located in the Union or not.

The territorial scope as set out in Art. 3 Sec. 1 ePrivacy Regulation reflects the material scope of application as defined in Art. 2 Sec. 1 ePrivacy Regulation. It addresses all cases of application of the material scope as defined in Art. 2 ePrivacy Regulation and adds the element of location on the territory of the EU. As a general rule, affected end-users must be located in the EU at the time of the relevant activity for the ePrivacy Regulation to apply.[1]


[1]
Cf. Council of the European Union, ST 6771/19, pp. 44 et seq.; European Parliament, LIBE report A8-0324/2017, 20 October 2017, amendment 47.Art. 3 Sec. 6 ePrivacy Regulation provides for the very restricted possibility to apply the law even if there is no geographical connection to the EU (Art. 3 No. III.).

With regard to the end-users that fall within the territorial scope of the ePrivacy Regulation, the only relevant criterion provided in Art. 3 Sec. 1 is that end-users ought to be in the EU (‘who are in the Union’). Given a global economy, characteristics such as nationality or place of residence become less important and the place where the person stays becomes decisive for the protection of personal rights and freedoms.[2] The ePrivacy Regulation adapts to these circumstances. Accordingly, the ePrivacy Regulation benefits end-users without limitation to their nationality, residence or other type of legal status, as long as they or their equipment are located within the EU.[3]

Regarding providers that fall within the territorial scope, the ePrivacy Regulation applies, regardless of the provider’s location or place of establishment, meaning it does not matter whether a service is provided from outside the EU or inside the EU.[4] Instead, the only decisive criterion is the place of location of the end-user interfering with the provided services, which must be within the EU. The location of establishment of the provider is irrelevant for the applicability of the ePrivacy Regulation.[5] Thus, while the ePrivacy Regulation is European legislation, its territorial scope does not stop at European borders, just as is the case with the GDPR.[6] According to Art. 3 Sec. 2 GDPR, the GDPR’s territorial scope of application, too, extends to controllers and processors not established in the EU.[7] This is referred to as the principle of lex loci solutionis or ‘destination principle’.[8] According to this principle, the applicability of the law depends on where the relevant contractual performance is being offered or, with regard to the ePrivacy Regulation, where it is ‘provided’ (see below).

Thus, a provider who wants to avoid being subjected to the provisions of the ePrivacy Regulation, needs to ensure not to serve end-users inside the EU.

Example A: B is a corporation from Bolivia that provides a messenger app. The app can be downloaded and used worldwide. It is also used by end-users inside the EU. Thus, B has to comply with the provisions of the ePrivacy Regulation. If B wants to avoid this, B shall exclude end-users based in the EU from using the service.

[2] Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 28 (2017).

[3] Cf. EPPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 14 et seq., particularly with regard to the location of end-users, Art. 3 Sec. 1 of the ePrivacy Regulation is very similar to Art. 3 Sec. 2: whereas Art. 3 Sec. 1 of the ePrivacy Regulation refers to end-users ‘who are in the Union’, the GDPR refers to data subjects ‘who are in the Union’. With regard to this application requirement, it is therefore possible to refer back to the principles developed for the GDPR.

[4] Recital 8aaa.

[5] However, if the providers concerned do not also have an establishment in the territory of the EU, they are subject to the additional obligation to appoint an EU representative pursuant to Art. 3 Sec. 2 ePrivacy Regulation.

[6] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 22.

[7] Rec. 23 GDPR.

[8] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 26; Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021); cf. Ernst in Paal/Pauly, DSGVO-BDSG (2021), Art. 3 para. 13.

Art. 3 Sec. 1 ePrivacy Regulation comprises both: firstly, criteria defining the territorial component of application, and, secondly, relevant activities referring more to the material scope of application. Thus, a partial repetition of cases of application of Art. 2 Sec. 1 ePrivacy Regulation takes place. ‘Provision of electronic communications services’ (Art. 3 Sec. 1 lit. a)) is the only activity referred to in Art. 3 ePrivacy Regulation that is not also listed within the material scope of Art. 2 Sec. 1 ePrivacy Regulation.

a)  Provision of electronic communications services, Art. 3 Sec. 1 lit. a)

Art. 3 Sec. 1 lit. a) ePrivacy Regulation sets out the provision of electronic communications services to end-users in the EU as a matter of territorial application. The term ‘electronic communications services’ is defined in Art. 4 Sec. 1 lit. b) ePrivacy Regulation by means of reference to the EECC (see Art. 4 No. I.2.b). However, generally speaking, the term is to be understood in a broad and technology-neutral sense.[9] ‘Provision’, on the other hand, is not defined in the ePrivacy Regulation.

Generally, ‘provision’ means the mere making available of a service based on the ordinary meaning of the term. However, it is questionable whether the sole availability of a service for end-users located in the EU justifies the applicability of the ePrivacy Regulation to providers of such services, or whether it requires a deliberate and targeted orientation by the provider towards the European market. As such, an additional restriction does not necessarily follow from the ordinary meaning of the term ‘provision’ and would therefore have to be determined by way of interpretation. Such interpretation appears appropriate, in particular because the GDPR provides for such limited application within its provision on the territorial scope, Art. 3 Sec. 2 lit. a) GDPR. A closer examination of this question with regard to the ePrivacy Regulation thus appears necessary, as the provisions on the territorial scope of application of both regulations are very similar. Both, the GDPR and the ePrivacy Regulation follow the destination principle. Hence, a similar interpretation of the provision on the territorial scope seems likely.

When referring to the GDPR as a comparative interpretation aid for the territorial scope of the ePrivacy Regulation, the first point to consider is its Art. 3 Sec. 2 lit. a), which refers to the ‘offering … of services’. This notion is interpreted as the intentional direction of activities towards individuals in the EU.[10] According to Recital 23 GDPR, the mere accessibility of goods and services in the EU is not sufficient in order to constitute an offer in terms of Art. 3 Sec. 2 lit. a) GDPR, rather it has to be assessed whether the controller or processer envisages to reach consumers in the EU.[11] This intentional orientation on the EU market justifies the extension of the territorial scope of the GDPR to controllers outside the EU.[12] Indicators for an intentional orientation on the EU market are, for instance, the offering of European languages, the Euro as accepted currency, possibility of delivery to Member States or domain names of websites referring to one or more Member States.[13]

In spite of this, the GDPR also contains a provision on the material scope of application of the GDPR in Art. 3 Sec. 2 lit. b), which applies regardless of an intention to target the EU market. It extends the GDPR’s applicability to the monitoring of behaviour of individuals within the EU by controllers and processors established outside the EU.[14] Targeting of the EU market is therefore not mandatory as long as other conditions for application are met, which is why there is no need for an artificial alignment to Art. 3 Sec. 2 lit. a) GDPR if the wording does not allow for this.

The legislator uses the term ‘provision’ in Art. 3 Sec. 1 lit. a) ePrivacy Regulation, although an alignment to the wording of the GDPR would have been easily possible and ‘offering’ could also have been introduced as the relevant act of the provider. In its literal sense, ‘provision’ does not necessarily require an element of intentional targeting of end-users. Rather, in this regard it is more comprehensive than ‘offering’. It can be assumed that the legislator was aware of these differences in the literal sense of both terms and, therefore, did not unintentionally deviate from the wording of Art. 3 Sec. 2 lit. a) GDPR, but rather introduced an autonomous determination of the scope of application. Such broader understanding of the territorial scope compared to the GDPR is arguably inevitable. Unlike data processing that takes place in connection with the supply of goods or the performance of services, there are relatively few tangible and measurable criteria (such as the area of delivery) that could be used to determine market orientation in the provision of electronic communications services.

Furthermore, the amount of data and information disclosed and collected during the use of an electronic communications service often appears more difficult for the end-user to control or comprehend. For example, while end-users may be aware that they are disclosing their address and name when ordering goods and actively providing contact details for delivery, they may not be aware to the same extent that they are disclosing location, contact details or even the content of communications when using electronic communications services. This increased vulnerability and decreased control also justifies a broader territorial scope of application of Art. 3 Sec. 1 lit. a) ePrivacy Regulation which is not limited to services deliberately targeting the EU market.

Thus, it can be assumed that the mere accessibility or the actual provision of a service inside the EU is sufficient to trigger the applicability of the ePrivacy Regulation, even if the offer is mainly or directly aimed at end-users outside this geographic area. Therefore, the range of Art. 3 Sec. 1 lit. a) ePrivacy Regulation appears closer to Art. 3 Sec. 2 lit. b) GDPR than to Art. 3 Sec. 2 lit. a) GDPR.

b)  Further cases of application, Art. 3 Sec. 1 lit. aa) – lit. cc)

In Art. 3 Sec. 1 lit. aa) – lit. cc), the territorial scope of application of the ePrivacy Regulation is aligned with the material scope of application as set out in Art. 2 Sec. 1. The cases of application set out in in Art. 2 Sec. 1 ePrivacy Regulation are combined with criteria for the territorial application in Art. 3 Sec. 1 ePrivacy Regulation. With regard to the regulated activities, Art. 3 Sec. 1, thus, mirrors Art. 2 Sec. 1 ePrivacy Regulation:

– the processing of electronic communications content and of electronic communications metadata of end-users who are in the Union in Art. 3 Sec. 1 lit. aa) (corresponding to Art. 2 Sec. 1 lit. a ePrivacy Regulation; see Art. 2 No. II.1. ; Art. 4 No. III.1.) ;

– the protection of terminal equipment information of end-users who are in the Union according to Art. 3 Sec. 1 lit. c) (corresponding to Art. 2 Sec. 1 lit. b ePrivacy Regulation; Art. 2 No. II.2. and Art. 4 No. I.3.);

– the offering of publicly available directories of end-users of electronic communications services who are in the Union pursuant to Art. 3 Sec. 1 lit. cb) (corresponding to Art. 2 Sec. 1 lit. c ePrivacy Regulation; Art. 2 No. II.3. and Art. 4 No. III.2.);

– the sending of direct marketing communications to end-users who are in the Union according to Art. 3 Sec. 1 lit. cc) (corresponding to Art. 2 Sec. 1 lit. d ePrivacy Regulation; Art. 2 No. II.3. and Art. 4 No. III.4.).

All these listed cases of application are further specified either by definition in Art. 4, or within Art. 2 ePrivacy Regulation. Therefore, reference is made to the respective sections of this compilation.

[9] See Art. 2 No. II1.b) as well.

[10] EPPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 15.

[11] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 26.

[12] EPPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 15.

[13] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 26.

[14] However, the relevant monitoring activity is also limited. Not all monitoring of data subjects in the EU results in the territorial application of the GDPR, rather the purpose of monitoring must justify such extension of the territorial scope in terms of Art. 3 Sec. 2 GDPR, see EPPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 20; cf. recital 24 GDPR.

Providers involved in ePrivacy-related activities as set out in Art. 3 Sec. 1 ePrivacy Regulation that are available to end-users who are located in the EU, but without an establishment on EU territory, are obliged to appoint an EU ‘representative’ pursuant to Art. 3 Sec. 2 ePrivacy Regulation. A similar obligation also applies to controllers under the GDPR without a European establishment, as set out in Art. 27 Sec. 1 GDPR and specified in Recital 80.

The appointment of an EU representative is a major compliance obligation within the framework of the GDPR.[15] Both provisions, within the GDPR as well as the ePrivacy Regulation, pursue the same purpose and are phrased identically. In principle, it can therefore be assumed that the application of Art. 3 Sec. 2 – 5 ePrivacy Regulation corresponds to the application of Art. 27 GDPR. Thus, the GDPR provides valuable guidance as the ePrivacy Regulation follows the same regulatory concept. Providers of electronic communications services or other parties that are not established in the EU but subject to the obligations of the ePrivacy Regulation who fail to appoint a representative would therefore be in severe breach of the ePrivacy Regulation, in the same way as under the GDPR.[16] Moreover, failure to appoint a representative pursuant to Art. 3 Sec. 2 ePrivacy Regulation may lead to a fine of up to EUR 10,000,000 or 2% of the total worldwide annual turnover of a company, depending on whichever is higher (Art. 23 Sec. 2 lit e) ePrivacy Regulation, see Art. 23).

The ePR Commission Proposal 2017 had limited the obligation to appoint an EU representative to providers of electronic communications services only, excluding electronic communications networks (cf. Art. 6 at footnote 488). This was met with criticism, especially since there was no apparent reason for such a differentiation.[17] However, this omission was probably not deliberately included by the Commission and ultimately, it was rectified in the version adopted by the Council of the EU which now includes all potential addressees of the ePrivacy Regulation, referring to all cases of material application as set out by Art. 2 Sec. 1.

Both Art. 3 Sec. 3 – Sec. 5 ePrivacy Regulation and Art. 27 GDPR arguably serve the same purpose, namely to ensure that the broad territorial scope of application of the regulations, which is based on the destination principle, can also be enforced effectively against providers or operators not established in the EU.

The representative shall ensure that there is a tangible entity to contact, which is located on the territory of the EU, with regard to matters of compliance with the ePrivacy Regulation. Otherwise, there would be a risk that the extraterritorial extension of the scope of application to non-EU actors according to Art. 3 Sec. 1 ePrivacy Regulation proved futile. By virtue of appointment of an EU representative, supervisory authorities are provided with an intermediary. Additionally, end-users are provided with a more easily accessible contact point for complaints and legal enforcement.[18] This purpose results from the functions of the representative as laid down in Art. 3 Sec. 4 ePrivacy Regulation (Art. 3 No. II.3.). However, the appointment of a representative does not affect the remaining responsibility or liability of the providers addressed by the obligations of the ePrivacy Regulation.[19]

[15] Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021).

[16] Cf. with regard to the corresponding obligation of the GDPR, EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 23.

[17] See Art. 29 WP, WP 247, at para. 23.

[18] Cf. with regard to the corresponding provision of the GDPR Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 133.

[19] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 133; cf. recital 80 GDPR.

The ePrivacy Regulation does not contain a definition or any explicit requirements with respect to qualities and capacities of a representative in terms of Art. 3 Sec. 2 ePrivacy Regulation, neither in Art. 3 nor in the Recitals. Art. 3 Sec. 3 ePrivacy Regulation merely requires that the representative must be established on the territory of one of the EU Member States in which the end-users of the relevant ePrivacy-related services are located. Under the GDPR, it is considered ‘good practice’ to appoint a representative established in a Member State where a significant proportion of the data subjects exists.[20] This should also be favourable in the context of the ePrivacy Regulation in order to provide the best possible access to the representative for the largest possible number of end-users.

Generally, all natural and legal persons able to carry out the designated functions and powers of a representative as set out in Art. 3 Sec. 4 ePrivacy Regulation are eligible (Art. 3 No. II.3.). Ability to carry out the functions of the representatives will generally require the ability to communicate in the language or languages used by the supervisory authorities and the data subjects concerned.[21] This might be particularly relevant with regard to the EDPB-assumption that under the GDPR non-EU entities shall not benefit from the ‘lead authority principle’, which means that the responsible parties may be confronted with diverse competent authorities from several EU Member States.[22] This assumption will probably also be transferable with regard to the ePrivacy Regulation. However, where communication in the languages used by the supervisory authorities would require a disproportionate effort, it will be more appropriate and permissible to use other means and techniques for successful communication.[23]

With regard to representatives under Art. 27 GDPR, it has been recognized in practice that the role of a representative can be exercised on the basis of service contracts, allowing representation by a wide range of commercial and non-commercial entities established in the EU, e.g. law firms, consultancies and private persons.[24] The same can be assumed in the context of the ePrivacy Regulation, as it does not lay out any further restrictions regarding the minimum personal or professional qualifications of the representative and the tasks incumbent on the representative are similar.[25]

As regards formal requirements of the appointment itself, Art. 3 Sec. 2 ePrivacy Regulation requires the appointment of a representative be made in writing, within a month after commencement of the relevant activities set out in Art. 3 Sec. 1 ePrivacy Regulation and, additionally, communicated to the competent supervisory authority. Furthermore, the representative shall act on behalf of the responsible parties and, thus, must be mandated with power of representation.[26]

[20] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 26; Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021).

[21] Cf. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 27.

[22] Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021); on the lead authority principle under the GDPR see Art. 29 WP, Guidelines on the lead Supervisory Authority, WP 244 from 5 April 2017.

[23] This is what the EDPB considers reasonable, at least in relation to the GDPR representative cf. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 27.

[24] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 24.

[25] Cf. Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021).

[26] See Art. 3 Sec. 4; cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 133.

Art. 3 Sec. 2a ePrivacy Regulation offers an exemption to the obligation to appoint a representative. Even if the requirements of the obligation in Art. 3 Sec. 2 ePrivacy Regulation are met, there is no necessity to appoint a representative for the EU where the relevant activities listed in Art. 3 Sec. 1 are only occasional and unlikely to result in a risk to the fundamental rights of end-users. These requirements must be met cumulatively for the exception to apply. According to Art. 3 Sec. 2a ePrivacy Regulation nature, content, scope and purpose of such activities shall be taken into account in order to assess whether an ePrivacy-related activity might result in a violation of fundamental rights of end-users.

Within Art. 3 Sec. 2a ePrivacy Regulation it will, thus, be necessary to assess which characteristics of ePrivacy-related activities could qualify as merely ‘occasional’ or ‘low risk’. The Recitals of the ePrivacy Regulation do not offer guidance on this issue. However, it follows from the corresponding Recital 80 of the GDPR that high risk activities include, in particular, large-scale collection and processing of data, or processing of sensitive data relating to information such as the religious affiliation or the state of health of end-users, as well as information relating to criminal convictions and offences.[27] Other than the GDPR, the ePrivacy Regulation does not distinguish between ‘simple data’ and ‘special categories of data’. Rather, the only distinction taking place is between electronic communications metadata (Art. 4 No. III.1.b). and electronic communications content (Art. 4 No. III.1.a).

According to Recital 16a, the ePrivacy Regulation is based on the presumption that electronic communications content is a particularly sensitive category of data and its processing will, generally, result in high risks for fundamental rights and freedoms of the end-users concerned. This valuation further results from the privileged treatment of the processing of electronic communications metadata, which is partly possible under facilitated circumstances compared to electronic communications content. Thus, under the ePrivacy Regulation electronic communications content is considered particularly worthy of protection (Art. 6a 1 et seqq.).[28] This is also supported by Art. 6a Sec. 2 ePrivacy Regulation, which requires a mandatory data protection impact assessment (Art. 4 No. I.1.e), Art. 6a para. 20 et seqq.) prior to the processing of electronic communications content in accordance with Art. 6a Sec. 1 lit. b). This in turn is not explicitly required within the provisions of the ePrivacy Regulation on the processing of electronic communications metadata. Recital 17 provides for the need to exercise a data protection impact assessment only in somewhat exceptional cases where electronic communications metadata might result in high risks for end-users, while Art. 6a Sec. 2 ePrivacy Regulation imposes this obligation.

Thus, if electronic communications content is to be processed, this will indicate that the exemption from the obligation to appoint an EU representative does not apply, because this is an activity likely to result in high risks to fundamental rights of end-users.[29] Additionally, the considerations on the scope of the processing and the number of data subjects – in the context of the ePrivacy Regulation, end-users (Art. 4 No. I.1.e) – can also be applied to Art. 3 Sec. 2a. Accordingly, where a large amount of electronic communications data is processed or a large number of end-users is affected, it cannot be assumed that processing is only occasional.

[27] The special categories of data as defined in Art. 9 GDPR might serve as a guidance here.

[28] As such, this data category of the ePrivacy Regulation is in a sense the pendant to the special categories of data in terms of Art. 9 GDPR.

[29] Cf. recital 16a.

The functions and tasks of the EU representative are set out in Art. 3 Sec. 4 ePrivacy Regulation and largely correspond to the functions set out with regard to the GDPR representative in Art. 27 Sec. 4 GDPR. Many of the considerations and applicable provisions made in the context of the GDPR representative are transferable to the representative in terms of the ePrivacy Regulation. The representative serves mainly as a contact point for supervisory authorities and end-users on all issues related to the processing of electronic communications data and compliance with the ePrivacy Regulation. They shall cooperate with the supervisory authorities on all such matters with regard to any action taken by the entity it represents.[30] In practice, this cooperation will mainly involve facilitating the informational and procedural exchange and communication between the requesting supervisory authority and the represented person.[31]

In order to exercise its functions effectively, the representative shall be authorised by the responsible parties to be addressed instead of or in addition to the latter, Art. 3 Sec. 4 ePrivacy Regulation. As results from Recital 80 GDPR, representatives shall be authorised to act on behalf of the entities they represent when inter-acting with authorities. This will also be indispensable in the context of the ePrivacy Regulation for the performance of tasks and exchanges with supervisory authorities and end users.

Within the framework of the GDPR, representatives can only be subject to legal proceedings and enforcement measures for non-compliance with their own obligations set out in Art. 27 GDPR.[32] A representative cannot be held directly liable for any other obligations arising from the GDPR.[33] However, as part of the simplified communication via the representative, it should be possible for supervisory authorities to initiate administrative measures or legal proceedings through the representative against the represented person.[34]

Based on the proximity of the provisions of both regulations regarding the EU representative, the above is to be applied accordingly to the ePrivacy Regulation. Art. 3 Sec. 5 ePrivacy Regulation sets out that the appointment of a representative shall not affect the responsibility or liability of the main addressees of the regulation.[35] Also in the context of the ePrivacy Regulation, the representative is not intended to serve as a substitute for the represented persons or entities, but rather as a link between them and the EU. In this way, access to remedy shall be facilitated.

[30] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 135.

[31] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 27.

[32] Recital 80 GDPR.

[33] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 28; see also Art. 27 Sec. 5 GDPR, albeit recital 80 appears to provide for direct accountability, the wording of the GDPR itself does not allow for such application, Voigt, GDPR representatives in EU and UK after Brexit, available at https://iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit/ (last access: 31 March 2021).

[34] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 28.

[35] Corresponding to Art. 27 Sec. 5 GDPR.

In the version adopted by the Council of the European Union, the provision on the territorial scope of the ePrivacy Regulation was supplemented by Art. 3 Sec. 6, which refers to areas that are geographically outside the EU, but where EU law applies by way of International Law. This was not  included in the ePR Commission Proposal 2017. The clause constitutes the counterpart to Art. 3 Sec. 3 GDPR and is intended to further harmonize the scope of application of both laws.[36] However, Art. 3 Sec. 6 ePrivacy Regulation refers mainly to consular and diplomatic representations of the EU in third countries and is, thus, of limited practical relevance.[37]

When Art. 3 Sec. 6 ePrivacy Regulation applies, the relevant embassies or consulates of an EU Member State are regarded as the obligated parties with respect to the ePrivacy Regulation and must comply with all obligations it imposes.[38] However, in these cases the ePrivacy Regulation arguably only applies without prejudice to International Law provisions on privileges and immunities of consular or diplomatic staff, such as the 1961 Vienna Convention on Diplomatic Relations.[39]

[36] See proposal of the Portuguese Presidency introducing this supplementation, Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, at p. 6.

[37] The same applies to the provision of Art. 3 Sec. 6, which is identical in wording and served as a model for Art. 3 Sec. 3 GDPR; cf. Rec. 25 GDPR.

[38] Cf. with regard to the application of the corresponding provision in Art. 3 Sec. 3 GDPR, EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 22.

[39] Cf. with regard to the application of the corresponding provision in Art. 3 Sec. 3 GDPR, EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 23.

Once adopted, the ePrivacy Regulation will most likely also become applicable in the countries of the European Economic Area (‘EEA’; the group includes Iceland, Liechtenstein and Norway) by reference in the Agreement on the EEA, as has been the case with the GDPR and the ePrivacy Directive.[40] Therefore, where appropriate, references to ‘European Union’ or ‘EU Member State’ are to be taken to include references to the EEA.

[40] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) from 12 November 2019, p. 28; see with regard to the GDPR Voigt, Anforderungen an Drittlandtransfers – ungeklärte Fragen, CR 2020, 315 et seq.

Comment