Article 1 ePrivacy Regulation - Subject matter
Article 1 ePrivacy Regulation
1. This Regulation lays down rules regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services, and in particular, the rights to respect for private life and communications and the protection of natural persons with regard to the processing of personal data.
1a. This Regulation lays down rules regarding the protection of the fundamental rights and freedoms of legal persons in the provision and use of the electronic communications services, and in particular their rights to respect of communications.
2. The
free movement of electronic communications data and electronic
communications services within the Union shall be neither
restricted nor
prohibited for reasons related to the respect for the private
life and
communications of natural persons and the protection of natural
persons
with regard to the processing of personal data, and for
protection of
communications of legal persons
3. The provisions of this Regulation particularise and complement Regulation (EU) 2016/679 by laying down specific rules for the purposes mentioned in paragraphs 1 to 2.
Corresponding Recitals
(1) Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the confidentiality of one’s communications is an essential dimension of this right, applying both to natural and legal persons. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.
(2) The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.
(2a) Regulation (EU) 2016/679 regulates the protection of personal data. This Regulation protects in addition the respect for private life and communications. The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. The provisions particularise Regulation (EU) 2016/679 as regards personal data by translating its principles into specific rules. If no specific rules are established in this Regulation, Regulation (EU) 2016/679 should apply to any processing of data that qualify as personal data. The provisions complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679, such as the protection of the rights of end-users who are legal persons. Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. This Regulation does not impose any obligations on the end-user. End-users who are legal persons may have rights conferred by Regulation (EU) 2016/679 to the extent specifically required by this Regulation.
(3) Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value and the protection of which allows legal persons to conduct their business, supporting among other innovation. Therefore, the provisions of this Regulation should in principle apply to both natural and legal persons. Furthermore, this Regulation should ensure that, where necessary, provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council4, also apply mutatis mutandis to end-users who are legal persons. This includes the provisions on consent under Regulation (EU) 2016/679.
(3a) This Regulation should not affect national law regulating for instance the conclusion or the validity of a contract. Similarly, this Regulation should not affect national law in relation to determining who has the legal power to represent legal persons in any dealings with third parties or in legal proceedings.
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU) 2016/679.
– Recital 5 has been removed in the adopted text of the ePrivacy Regulation –
(6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation.
I. Subject matter of the ePrivacy Regulation, Art. 1 Sec. 1, Sec. 2
Art. 1 of the ePrivacy Regulation identifies two regulatory objectives, which correspond with two main general regulatory mandates of the EU, namely strong protection of human and fundamental rights within the EU as well as the promotion and maintenance of the EU Internal Market.[1] The ePrivacy Regulation contributes to these regulatory objectives by pursuing to create a high level of protection for privacy and confidentiality of communications as part of EU fundamental rights on the one hand (Art. 1 Sec. 1, 1a) and by opening and adapting the Internal Market for electronic communications as well as ensuring its functioning on the other (Art. 1 Sec. 2).[2] Consequently, the preamble of the ePrivacy Regulation mentions Art. 114 of the TFEU as the foundation for its adoption, which contains the harmonisation mandate for the creation of the Internal Market, alongside Art. 16 of the TFEU, which deals with the protection of the right to privacy and personal data.[3]
[1] See in particular in Art. 2 and 3 of the Treaty on the European Union (‘TEU’).
[2] Cf. ePR Commission Proposal 2017, Explanatory Memorandum ePrivacy Regulation at 2.1.
[3] These are also referred to by the Commission as legal bases for the adoption of the ePrivacy Regulation, see ibid.
1. Protection of fundamental rights and freedoms in electronic communications
Art. 1 Sec. 1 ePrivacy Regulation proclaims its first regulatory goal as the protection of ‘the fundamental rights and freedoms of natural persons in the provision and use of electronic communications services’. This provision refers to the right of respect for private life and communications, commonly referred to as the right to privacy.[4] A particular focus is placed on the protection of confidentiality of communications, as set out by Recital 1. The right to confidentiality of communications constitutes the modern equivalent to the traditional postal secrecy of correspondence.[5] It is protected when only those parties involved in the communication process gain access to information concerning a communication process, which includes its content, but also metadata, i.e. the time and location of the communicating parties.[6]
The confidentiality of communications is a fundamental right protected under Art. 7 of the Charter of Fundamental Rights of the European Union (‘EU Charter’) as a part of the general right to privacy and explicitly recognized in Art. 8 Sec. 1 of the European Convention on Human Rights (‘ECHR’).[7] Protection of confidentiality of communications is a necessary precondition for the exercise of various other fundamental rights, such as freedom of thought, conscience, expression, religion, information, assembly or association.[8]
Confidentiality of communications is closely linked to the protection of personal data (see, however, below) and sensitive information in general as such information might be contained in the content or metadata of communications and interfered with in the context of communication processes.[9] The protection of confidentiality of communications and the protection of personal data are inextricably interdependent. Thus, it was necessary and sensible to include explicitly the protection of personal data in accordance with Art. 8 EU Charter and Art. 16(1) TFEU into the scope of the ePrivacy Regulation, as per Recital 4 to the ePrivacy Regulation.
a) Protection of electronic communications of legal persons
Despite its connection to the protection of personal data and other fundamental rights, the confidentiality of communications is, in principle, a protected interest in its own right and does not necessarily depend on personal data or private life being affected.[10] Consequently, legal persons may also have a right to confidentiality of communications in which they are involved, even if the information exchanged has no personal reference and the right to protection of private life is not concerned like it is with natural persons.
Whether or not an entity has legal personality is, generally, determined by the law of the Member State in which it is established. Legal persons like the UK Limited (Ltd.) or the German Gesellschaft mit beschränkter Haftung (GmbH) are entities with legal personality, which are granted legal rights and may have obligations towards other actors.[11] In addition, there is also the legally recognised company under European law, the European Cooperative Society (SCE), within the meaning of Art. 1 of Regulation (EC) 1435/2003.[12] The term natural person, in turn, refers to individuals.
Electronic communications of legal persons may contain sensitive data or information of economic value, the protection of which is crucial in order to conduct a business.[13] These interests are not necessarily less worthy of protection than corresponding interests of natural persons.
The value of these interests and the resulting need for protection is reflected in Art. 1 Sec. 1a ePrivacy Regulation, which explicitly attempts to grant protection of the confidentiality of communications to legal persons, thus to some extent detaching the right from privacy interests which primarily concern interference with the private lives of those affected. In the Commission’s draft, such a clear emphasis on the autonomous interests of legal persons worthy of protection did not exist.[14] Rather, the interests of individuals and legal persons were generally referred to jointly, which caused some confusion.[15] Confidentiality of communications and protection of privacy in a narrower sense must therefore be regarded as two separate objects of protection within the framework of the ePrivacy Regulation, even though they are closely related to each other.
b) Level playing field for lawful data exchange and processing in the European Single Market
The revision of the European ePrivacy legislation and in particular its adaptation to the GDPR is an explicit goal of the ‘Digital Single Market Strategy of the EU’ (‘DMS Strategy’),[16] which shall be realised by means of the ePrivacy Regulation as referenced in its Explanatory Memorandum.[17] However, the relevance of the ePrivacy Regulation for the DMS Strategy and the Internal Market also results from its Art. 1 Sec. 2, which guarantees ‘free movement of electronic communications data and electronic communications services within the Union’.
In the modern digitised economy and society, ensuring secure and common standards for free data flows is essential for the functioning of the Internal Market. It is arguably just as important as the free movement of goods, persons, capital or services, and, alongside with the protection of fundamental rights, must be considered one of the EU’s most fundamental tasks in accordance with Art. 26 TFEU.[18] Free movement within the Internal Market requires the creation of an area without internal frontiers according to Art. 26 Sec. 2 TFEU, i.e. the abolition of barriers to transnational movements. This refers to actual State borders as well as other regulatory obstacles, which could impede movement between different Member States.[19]
Harmonization of ePrivacy and data protection rules as envisaged by Art. 1 Sec. 2 ePrivacy Regulation does not only contribute to the digitization of the Internal Market, it also provides legal certainty for service providers operating in it. Those should be provided with transparent legislation to enable them to determine which envisaged business models and projects can be implemented or expanded in a lawful manner. By means of the ePrivacy Regulation, a comparable environment for all service providers and end-users in the EU is established.[20] For service providers who carry out cross-border processing, it is advantageous if access to and transfer of electronic communications data is regulated in a harmonized way across Europe. In addition, customers may be confident that their data is handled responsibly throughout such the EU Internal Market. [21]
Thus, the regulatory objective of the ePrivacy Regulation is somehow ambivalent. It aims to increase the level of data protection in electronic communications so to create restrictions for providers, while at the same time granting further opportunities to fully exploit business models based on electronic communications data by enabling new services in compliance with a comprehensive set of applicable digital laws. This is emphasised by Art. 1 Sec. 2 ePrivacy Regulation which provides that services within the EU ‘shall be neither restricted nor prohibited for reasons related to the respect for the private life and communications of natural and legal persons and the protection of natural persons with regard to the processing of personal data, and for protection of communications of legal persons’.[22] There is an obvious necessity to strike a balance between the supposedly contradictory regulatory objectives to protect privacy rights and confidential data on the one hand, and promote the free movement of electronic communications data on the other. Recital 7 explicitly calls on the Member States to take this balance into account, especially when creating national ePrivacy legislation in the limited scope left by the Regulation.
[4] Recital 8a clarifies that the ePrivacy Regulation does not provide protection for electronic communications data of deceased persons.
[5] EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 25 May 2018, p. 1.
[6] Cf. recital 1.
[7] For a detailed illustration on the right to confidentiality of communications in European Union Law see Zuiderveen Borgesius/Steenbruggen, Theoretical Inquiries in Law Vol. 19.2 2019, 291, 300 et seq.
[8] EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 25 May 2018, p. 1.
[9] Recital 2.
[10] In this context, see also Art. 1 No. I.1.
[11] CJEU, judgement of 23 April 2018, T-561/14, at para. 59.
[12] Council Regulation (EC) No. 1435/2003 of 22 July 2003, on the Statute of the European Cooperative Society.
[13] Recital 3; trade secrets are additionally protected by Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, as stipulated by recital 15aaa.
[14] The German Council Presidency also tried to express this differentiation more precisely in its proposal for the ePrivacy Regulation, see Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 4 November 2020, Doc. No. 9931/20, p. 54 at Art. 1 Sec. 1a.
[15] See ePR Commission Proposal 2017, Art. 1 Sec. 1.
[16] See European Commission, A Digital Single Market Strategy for Europe, Communication, COM (2015) 192 final, 6 May 2015; for a brief but comprehensive overview of the background and legal implications of the European Digital Single Market strategy see also Nyman-Metcalf/Papageorgiou, Baltic Journal of European Studies Vol. 8 2018, 7, 8 et seq.; Zech, Journal of Intellectual Property Law & Practice Vol. 11 2016, 460 et seq.
[17] ePR Commission Proposal 2017, Explanatory Memorandum ePrivacy Regulation at 1.1.
[18] See in particular Art. 26 Sec. 2 TFEU; cf. also Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, which also contributes to this aim, but, however, relates to the movement of non-personal data within the European Internal Market.
[19] Cf. European Commission, the European Single Market, available at https://ec.europa.eu/growth/single-market_en (last access 18 March 2021).
[20] Establishing a level playing field for digital networks and innovative services is one of the pillars of the European Digital Market Strategy, see European Commission, Shaping the Digital Single Market available at https://ec.europa.eu/digital-single-market/en/shaping-digital-single-market#:~:text=A%20Digital%20Single%20Market%20(DSM,personal%20data%20protection%2C%20irrespective%20of (last access 20 January 2021).
[21] Cf. European Commission, Stronger Privacy Rules for Electronic Communications, https://ec.europa.eu/digital-single-market/en/news/stronger-privacy-rules-electronic-communications (last access 20 January 2021).
[22] Cf. also ePR Commission Proposal 2017, Explanatory Memorandum at 1.1
2. Relation and interaction with the GDPR, Art. 1 Sec. 3 ePrivacy Regulation
The ePrivacy Regulation cannot be considered a standalone legislation. It is part of a larger European regulatory system concerning digital society, communication and data protection. As such, it connects and often overlaps with several other acts of European law. With regard to the GDPR, this is expressly codified in Art. 1 Sec. 3 ePrivacy Regulation. Because of the aforementioned interdependence of the protection of personal data and confidentiality of communications, as well as the need for free flows of all types of data for the functioning of the Internal Market, the objectives of the ePrivacy Regulation necessarily correspond and are closely linked to those of the GDPR. However, they are not always congruent with the latter (Art. 1 No. I.2.a).
In addition to the GDPR, there are also other acts of European law influencing the ePrivacy Regulation and requiring due consideration in its application, particularly the EECC which is repeatedly referenced throughout the ePrivacy Regulation (Art. 1 No. II.1.).
Art. 1 Sec. 3 of the ePrivacy Regulation does not only determine its relationship with the GDPR, it also qualifies the interplay between both legal acts as a subject matter of the ePrivacy Regulation. ‘To particularise and complement the GDPR’ is a designated objective of the ePrivacy Regulation, equivalent to the objectives of Art. 1 Sec. 1, Sec. 1a and Sec. 2. It is therefore not solely a rule on hierarchy and collision of laws. This intention must be taken into account in the interpretation of the provisions of the ePrivacy Regulation, even if an overlap with the GDPR is not necessarily obvious in a particular case. Furthermore, the ePrivacy Regulation is arguably intended to respond to Recital 173 of the GDPR, which explicitly states that the current European ePrivacy legislation framework is in need for review and revision in order to achieve coherence with the GDPR.
a) Complementing the scope of protection of the GDPR
The GDPR is a European act of law governing the protection of personal data of natural persons.[23] Personal data is defined in Art. 4 No. 1 GDPR, as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. An identifiable natural person is a natural person ‘who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ according to Art. 4 No. 1 GDPR.[24] The definitions of personal data and data subject are of fundamental importance in the context of the GDPR, as the regulation only unfolds its protective effect in connection with these regulatory subjects. The core of the GDPR is the protection of the privacy of the individual. The aforementioned definitions, meanwhile, clearly exclude legal persons from the scope of protection of the GDPR.[25]
The GDPR has a very broad scope, as it applies to almost any processing of personal data, regardless in which context or field of business.[26] Processing of personal data in this context can be any operation performed on data, such as the collection, organisation, storage, adaptation or alteration, use or disclosure by transmission (Art. 4 No. 2 GDPR).[27] Thereby, the legislator intends to prevent any risks of circumvention and make the scope of applications independent from technological challenge.[28]
Examples: the screening of online job applications in the HR department of a company, the analysis of visitors via cookies on a website or the digital recordkeeping of grades at a school are processing operations that are, generally, subject to the GDPR.
One basic principle of the GDPR is to ‘prohibit all processing of personal data unless there is a specific legal permission’ (Art. 6 Sec. 1 GDPR). These permissions can be found in the GDPR itself, in other EU legislation or in national EU Member State law.
Example: Individual A buys a T-shirt from online shop B. To fulfil the purchase, B collects, retains and uses A’s address in the process. Because this retention of data constitutes processing of personal data, the related processing activities have to be given permission in law. Such a permission is, for example, Art. 6 Sec. 1 Sent. 1 lit. b GDPR, which allows the processing of personal data where it is necessary for the performance of a contract.
In addition, the GDPR contains rules on technical and organizational measures that ensure data protection and security, as well as rules on data transfers to countries outside the territorial scope of the GDPR. The GDPR also establishes a system of national supervisory authorities and allows for severe fines in case of infringements.[29]
In comparison with the GDPR, the ePrivacy Regulation has both a narrower and a wider scope of application.
Narrower scope: in contrast to the GDPR, the ePrivacy Regulation deals with rather selected and specific aspects of privacy, which all have a connection to communication processes:
-the processing, storage and deletion of electronic communications data,[30]
-the protection of the end-user’s terminal equipment and information stored on such equipment,[31]
-the blocking of calling line identification and malicious, nuisant or unwanted calls,[32]
-publicly available directories (e.g. telephone directories),[33] and
-unsolicited and direct marketing communications.[34]
The ePrivacy Regulation only applies in contexts where one of these subject matters is concerned and not in all data processing scenarios.[35] In that respect, it has a narrower scope compared to the GDPR, which is context-independent, i.e. applies to processing of personal data regardless of the specific means and circumstances of the processing. In particular, the GDPR applies regardless of whether the processing it is carried out in digital or analogue form[36] or whether or not the processing is related to communication. Because of its broad scope with regard to means of processing, the GDPR applies to all scenarios concerning personal data, i.e. not necessarily in the limited scope of electronic communications of the ePrivacy Regulation.[37]
Example: An interviewer in a shopping centre records the birth date and postal code of each passer-by for statistical reasons. He enters the respective data into a standalone tablet computer. As there is no electronic communication involved, the ePrivacy Regulation is not applicable. However, the GDPR applies as personal data is collected.
Wider scope: At the same time, the ePrivacy Regulation – while limited to communications-related matters only – potentially applies to all kinds of data, including data related to legal persons as per Art. 1 Sec. 1a ePrivacy Regulation. In that regard, its scope is wider than that of the GDPR, which is restricted to identifiable, personal data.[38] The ePrivacy Regulation primarily protects the communication process itself and only indirectly the persons or institutions behind it. Thus, the ePrivacy Regulation complements the GDPR in this regard, as the protective effect under the ePrivacy Regulation is provided even if no interest of a specific individual is concerned.[39] The ePrivacy Regulation is, thus, capable to cover issues that would fall outside the scope of the GDPR.
Hence, the two key demarcation criteria of the applicability of the ePrivacy Regulation in contrast to the scope of the GDPR are
(1) it applies to data processing and access only in the communication context, and
(2) it applies, however, to all types of information and data, including non-personal data.
Consequently, there is no room for clashes between both laws in those cases where there is either (i) no communication context (GDPR only) or (ii) no personal data of natural persons are involved (ePrivacy Regulation only).[40]
b) Overlapping scope of protection – particularising the GDPR
In addition to those situations that either (i) clearly fall outside the scope of the ePrivacy Regulation because they are not communication-related or (ii) that are clearly not covered by the scope of protection of the GDPR because they do not concern personal data, there are also (iii) scenarios in which both regulations are engaged concurrently. Precisely these cases are resolved by the function ‘to particularise’ determined in Art. 1 Sec. 3 of the ePrivacy Regulation. Art. 1 Sec. 3 constitutes a collision clause, which clarifies the hierarchy between both laws.
Example: Individual P uses his mobile phone to search the web. The generated data (e.g. websites visited, IP addresses) is personal data because it relates to P. Thus, the GDPR’s scope is concerned. At the same time P is using means of electronic communications, the ePrivacy Regulation is thus also equally engaged.
Where both regulations apply simultaneously in a communications-related context, the ePrivacy Regulation will generally prevail, particularising the GDPR in terms of Art. 1 Sec. 3 ePrivacy Regulation.[41] The ePrivacy Regulation is lex specialis compared to the GDPR, but only when personal communications data is involved.[42] In these cases, GDPR rules are subordinate to those of the ePrivacy Regulation if the parallel application of both regulations would lead to a contradictory result, contrary to the objective of the more specific ePrivacy Regulation. It is also conceivable that situations arise where both regulations are engaged, but the relevant provisions of both regulations can be applied in parallel without leading to contradictory results or undermining the purpose of one of the laws. In the latter cases, neither of the two is subordinate as this is not a genuine situation of conflict of laws, which would have to be resolved by way of the lex specialis derogat legi generali rule.[43]
Example (part 1): Company G wants to obtain personal data from individual P’s computer to deliver targeted advertisements. While Art. 6 GDPR provides abstract rules on how data may be collected in all kinds of situations, Art. 8 ePrivacy Regulation provides specific rules on how data may be obtained from an end-user’s device.[44] The more specific rule provided by the ePrivacy Regulation for the specific case of interference with end-user devices prevails. G is therefore required to ensure that the envisaged data processing adheres to Art. 8 of the ePrivacy Regulation, which usually requires consent of the end-user for any interference with terminal equipment. It is not sufficient for G to adhere merely to the more permissive laws of the GDPR, with Art. 6 GDPR providing legal bases for the collection of data from end-user devices such as the performance of a contract (Art. 6 Sec. 1 lit. b) or legitimate interest (Art. 6 Sec. 1 lit. f). The stricter requirement set out by the more specific ePrivacy Regulation (here: consent) must not be circumvented. Therefore, G cannot apply the broader regulation of the GDPR.
However, when there is no specific provision in the ePrivacy Regulation for a particular electronic communication process and personal communications data is concerned, the general rules of the GDPR apply entirely, as clarified in Recital 2a.[45] Finally, none of the two regulations apply where neither a specific provision of the ePrivacy Regulation is triggered, nor personal data is processed.
Example (part 2): While the ePrivacy Regulation regulates the requirements for lawful extraction of data from an end user’s device, it does not contain any rules on further usage of such data. Since the data concerned identifies an individual, it is personal data. Therefore, any further processing of this data has to comply with the rules of the GDPR, e.g. concerning retention periods and data subject rights. Hence, while the GDPR was initially superseded by the ePrivacy Regulation in this example, it revives with respect to further processing of the concerned data.
In conclusion, the function ’to complement’ referred to in Art. 1 Sec. 3 is more of a determination of purpose, which is to fill gaps in the scope of protection of the GDPR relating to natural persons only. ‘To complement’ is, thus, not so much of a collision rule. ‘To particularise’, on the other hand, mainly serves to resolve situations that affect the scope of application of both regulations and, thus, might lead to a conflict between both regulations.
c) Overview: comparison of use cases – GDPR and ePrivacy Regulation
Following sceanrios will be subject only to the scope of application of the GDPR:[46]
– Processing of personal data outside of the electronic communications context and not related to access of information on end-users terminal equipment;
– Processing of personal data in the context of electronic communications or access to end-user terminal equipment for which there is no specific rule in the ePrivacy Regulation;
– Processing of data in the context of electronic communications where the ePrivacy Regulation explicitly refers to the GDPR.
Following scenarios will be subject only to the scope of the ePrivacy Regulation:
– Processing of electronic communications data or data stored on end-user’s terminal equipment (see Art. 4 No.I.3.) that is unrelated/not traceable to a natural person (e.g. phone number of the automated customer service of a legal entity; IP address of a machine within an electronic communications network)
– Processing of non-personal data related to machine-to-machine communications (see Art. 2 para. 25 ).
Cases with overlapping scope of application, to be resolved by means of the lex specialis derogat legi generali rule (Art. 1 Sec. 3 ePrivacy Regulation):
– Processing of personal electronic communications data, allowing to draw conclusions regarding an identifiable natural person (e.g. direct marketing calls[47]);
– Interference with/processing of personal data stored on end-user terminal equipment.
Cases falling outside the scope of both the GDPR and the ePrivacy Regulation:
– Processing of non-personal or anonymized data in situations outside a communications context (neither covered by classic privacy rights nor by the confidentiality of communications).
[23] Art. 1 Sec. 1 GDPR.
[24] See also Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 11.
[25] Cf. recital 26 GDPR.
[26] Cf. Art. 2 Sec. 1 GDPR.
[27] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 9.
[28] Recital 15 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 9 et seq.
[29] For details on the GDPR see Voigt/von dem Bussche, GDPR – A Practical Guide (2017).
[30] Including electronic communications content and electronic communications metadata, see Art. 4 No. III.1., Arts. 6, 6a, 6b ePrivacy Regulation.
[32] Art. 12; see Arts. 12-14 ePrivacy Regulation.
[35] For details regarding the material scope of the ePrivacy Regulation see the commentary on Art. 2.
[36] The applicability of the GDPR to non-automated processing is, however, limited to processing activities that form part of a filing system or are intended to form part of a filing system, see. Art. 2 Sec. 1 GDPR.
[37] Cf. recital 2a, 4 ePrivacy Regulation; Art. 95 GDPR.
[38] As stipulated by Art. 2 Sec. 1, 4 No. 1 of the GDPR; cf. above at Art. 1 No. I.1.a).
[39] See recital 2a ePrivacy Regulation.
[40] Whether the regulations actually apply is of course not solely dependent on the competitive relationship between the ePrivacy Regulation and the GDPR, but is also under the prerequisite that the other general conditions for application of the respective regulation are fulfilled.
[41] See ePR Commission Proposal 2017, Explanatory Memorandum ePrivacy Regulation 1.2 and EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR from 12 March 2019, p. 13, regarding the similar wording in the predecessor legislation, the ePrivacy Directive. Counterpart to Art. 1 Sec. 3 ePrivacy Regulation is Art. 95 GDPR, which mandates the precedence of the ePrivacy Directive where the latter sets specific obligations. Art. 95 GDPR will point to the ePrivacy Regulation after its adoption (Art. 27 Sec. 2 ePrivacy Regulation).
[42] ePR Commission Proposal 2017, Explanatory Memorandum ePrivacy Regulation at 1.2; recital 2a ePrivacy Regulation.
[43] See EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR from 12 March 2019, p. 13.
[44] For details on this provision, see the commentary on Art. 8 ePrivacy Regulation.
[45] See the ePR Commission Proposal 2017, Explanatory Memorandum, at p. 2 (1.2); there are also specific cases where the ePrivacy Regulation explicitly refers to the application of the GDPR, e.g. in Art. 23 Sec. 1 ePrivacy Regulation or recital 3, see Art. 23 and Art. 4a No. I. respectively. The inconsiderate way the ePrivacy Regulation references some parts of the GDPR has led to doubt about the extent to which the GDPR is applicable on ePrivacy matters, see Engeler/Felber, ZD 2017, 251, 253-254. However, recital 2a ePrivacy Regulation explicitly stipulated that the level of protection granted by the GDPR should not be lowered by means of the ePrivacy Regulation. Limiting the parallel application of the GDPR could contradict this intention. With regard to the preceding ePrivacy Directive, the European Data Protection Board has stated that the GDPR is generally applicable in addition the the Directive, as lex generalis, and has pointed out that the overlapping material scope of both laws must not necessarily result in a conflict of rules, see EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR from 12 March 2019, pp. 13-14. The origin of the apparently complicated distinction between the scope of application of the GDPR and the ePrivacy Regulation is that the latter is both, broader and more specific. This is a logical and compelling, but admittedly confusing consequence of the two-fold objective of the ePrivacy Regulation ‘to particularise’ and ‘to complement’ the GDPR, cf. Council of the European Union, Proposal, ST 11001/19, p. 4.
[46] Cf. EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR from 12 March 2019, p. 8 f.; the following illustration only serves to distinguish the areas of application of the GDPR and the ePrivacy Regulation. Of course, the regulations are only applicable to the extent that all other requirements for their application are fulfilled in the particular case. With regard to the GDPR, these are, for example, Art. 2(2) GDPR regarding its material scope and Art. 3 regarding its territorial scope.
II. Ties between the ePrivacy Regulation and the EECC
Although not explicitly mentioned in Art. 1, the ePrivacy
Regulation also has close ties to the EECC of
2018.
The EECC sets up general rules on how to establish and how
to run
electronic communications networks and services and
supersedes several
acts of EU legislation, most notably the so-called
EU Framework Directive.[48]
It deals, in particular, with concession processes in the
communications sector, consumer protection requirements like
transparency and the possibility to switch providers. It
also defines
technical requirements, e.g. necessary security measures for
communications processes.[49] The EECC
is a European Directive and had to be transposed into
national law by the Member States by 21 December 2020.
[48] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive). [49] For a more detailed overview see Kiparski, CR 2019, 179.
1. Regulation of OTT services
An important novelty introduced by the EECC is the regulation of so-called OTT services, which had not yet been explicitly governed by EU law, neither through the GDPR, nor the ePrivacy Directive or any other European act of law, despite their rapidly growing relevance for society and markets.[50]
OTT services are services that, unlike ‘traditional’ telecommunications services, do not operate on their own communications networks. Instead, they go ‘over-the-top’ and use the network infrastructure of others, especially the internet infrastructure.[51] OTT services are generally considered functionally equivalent to traditional means of electronic communication.[52] From an end-users’ (see Art. 4 No. I.2.e) perspective they are arguably also perceived as equally important means of communication that require comparable legal protection. It is, therefore, necessary to subject these services to regulation that corresponds to their significance.
The filling of the existing regulatory gaps with regard to OTT services was a major aim of the ePrivacy Regulation, which includes such services in its scope of application.[53] However, this regulatory purpose of the ePrivacy Regulation was superseded to a certain extent by the EECC. The EECC requires Member States to expand the definition of ‘electronic communications services’ (Art. 4 No. I.2.b) of their telecommunication laws to OTT services. When the ePrivacy Regulation enters into force, its scope of application extended to OTT services will not be novelty.[54] Rather, OTT services are already subject to ePrivacy legislation, regardless of the ePrivacy Regulation coming into force.
The EECC closes the regulatory gap by modifying the definition of ‘electronic communications services’ from its preceding legislation, the aforementioned Framework Directive.[55] The necessity to regulate OTT services was recognized as digitization progressed and new electronic communication technologies developed, which increasingly replaced traditional means of electronic communication. Accordingly, the definition of electronic communications services in the Framework Directive did not yet envisage OTT services when it was first introduced. Rather, it relied on the term ‘conveyance of signals over a network’, i.e. a physical manifestation of a service that OTT services do not have.[56] This ‘old’ definition was adopted by the ePrivacy Directive by means of its Art. 2. Consequently, the ePrivacy Directive did not cover OTT services either. However, the EECC has repealed the Framework Directive and all references to the Framework Directive are now construed as referring to the EECC instead (Art. 125 EECC).[57] This also applies to the ePrivacy Directive, which is now no longer referring to the outdated definition of the Framework Directive but instead to Art. 2 Sec. 4 EECC, which does not rely on a physical connection to a network, thus encompassing OTT services in the definition of electronic communications services.[58]
[50] Cf. recital 15, 17, 95 of the EECC.Thus, in order to remain compliant with the ePrivacy Directive, Member States must ensure that their national ePrivacy laws are in line with the new definition from the EECC. With this, the legislator has filled the regulatory gap regarding OTT services, regardless of the outcome of the negotiations on the ePrivacy Regulation.[51] For details see Art. 2 No. II1.f).
[52] Recital 11; Art. 2 No. II1.f).
[53] See the ePR Commission Proposal 2017, Explanatory Memorandum, at p. 3 f.
[54] For further details on the regulation of OTT services under the ePrivacy Regulation see the commentary regarding Art. 2 No. II1.f).
[55] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).
[56] The CJEU ruled that the Webmail service Gmail ‘does not consist wholly or mainly in the conveyance of signals on electronic communications networks’ and therefore is no is not a electronic communications services under the Framework Directive, CJEU, judgement of 13 June 2019, Google./.Federal Republic of Germany, C-193/18, para. 35. On the other hand, those parts of the Voice-over-IP service Skype that allow connections to ‘classic’, number-based telephone networks (specific: Skype Out), have been classified as an electronic communications service even under the Framework Directive, CJEU, judgement of 5 June 2019, Skype Communications./.IBPT, C-193/18.
[57] Cf. See Annex XIII EECC for a table of corrections.
[58] See the commentary on Art. 4 No. I.2.b) Art. 2 No. II1.f) for detailed comments on the term ‘electronic communications service’.
2. Interplay of provisions
While the EECC itself will set up obligations for many of the addressees of the ePrivacy Regulation, namely providers of communications networks and services, there should be no actual conflicts regarding the scope of application with the ePrivacy Regulation. Both legislative acts have to be observed in parallel.
Due to the rather abstract character of the EECC, it serves as a framework instrument to which it is convenient to refer to in order to determine general definitions and standards. The legislator has made use of this in particular in Art. 4 ePrivacy Regulation. In fact, in many cases, the ePrivacy Regulation does not itself define the legal terms that it relies on. Instead, it ‘borrows’ legal terms, not only from the EECC but also from Directive 2008/63/EC[59] and the GDPR.[60] This extensive practice of reference seeks to facilitate consistency of terms across the different laws in the wider European communications, privacy and data protection framework and, thus, contributes to the uniformity of the law. However, at the same time, it creates difficulties for the independent comprehension and application of the ePrivacy Regulation.[61]
Furthermore, in many cases said definitions do not perfectly fit in the context of the ePrivacy Regulation. Rather, the referenced provisions often need to be applied accordingly, or mutatis mutandis. Therefore, sometimes it appears unclear which provisions apply to what extent.[62] This issue was addressed partly during the legislative process[63] and mitigated in part. While the ePR Commission Proposal 2017 still unconditionally referred to the GDPR with regard to the definition of the term ‘processing’ in its Art. 4 Sec. 1 lit. a), it now explicitly clarifies in Art. 4 Sec. 2a ePrivacy Regulation that, for the purposes of the ePrivacy Regulation, the referenced definition from the GDPR should not be limited to processing situations concerning personal data (see Art. 4 No. I.1.a)).
[59] Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment.
[60] Art. 4 Sec. 1 ePrivacy Regulation.
[61] Cf. Voss, Journal of Internet Law Vol. 21 2017, 3, 9.
[62] Schmitz, ZRP 2017, 172, 173.
[63] See for instance the amending proposals of the European Parliament, LIBE report A8-0324/2017, 20 October 2017, amendments 52 et seq.; see also Schmitz, ZRP 2017, 172, 173.