Authors: Vagelis Papakonstantinou and Paul De Hert
This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
I. Introduction
Art. 95 GDPR regulates the linkages between the GDPR and the ePrivacy-Directive and sets out the rule that the former must not impose additional duties with the same goal on controllers, who are subject to concrete obligations under the ePrivacy-Directive. As recital 173 GDPR clarifies, this rule covers both obligations of controllers, as well as rights of natural persons that are subject to the ePrivacy-Directive, as lex specialis; still, the GDPR applies to all other matters as lex generalis. In this way, Art. 95 GDPR ensures legal certainty regarding the provisions applicable to the processing of personal data in the particular context of publicly available electronic communications services in public communication networks.
To better comprehend their connection, it is worth noting that, while the GDPR addresses the right to respect for privacy (CFR, Art. 7) and the protection of personal data (CFR, Art. 8), the ePrivacy-Directive specifically reflects a key aspect of the right to privacy, namely confidentiality of communications (CFR, Art. 7), by setting out the provisions on the processing of traffic, communication and location data, as well as the protection of terminal equipment.
II. Legal background
The DPD contained no specific provisions clarifying the relationship between data protection law and the processing of personal data in the particular context of (tele)communications. The ePrivacy-Directive, replacing Directive 97/66/EC, expressly mentioned that its provisions ‘particularise and complement’ DPD for the purposes of, on the one hand, harmonising the level of protection of the right to privacy concerning the processing of personal data in the electronic communications domain, and, on the other hand, guaranteeing the free flow of personal data and electronic telecommunications equipment and services. Moreover, according to recital 10 of the ePrivacy-Directive, all issues regarding the protection of fundamental rights (including respect for privacy and protection of personal data), not expressly addressed by that Directive, are covered by the DPD.
The CJEU has addressed the ePrivacy-Directive in Digital Rights Ireland and Tele2 Sverige, both relating to data retention.
In Digital Rights Ireland (a case concerning storage by Internet Service Providers of telecommunications data to facilitate the fight against crime), the CJEU found major shortcomings in Directive 2006/24/EC, that amended the ePrivacy Directive, (such as lack of clear and precise rules on limitations to retention or access of authorities) and declared that Directive (2006/24/EC) invalid. The Court stressed that retention could not be justified by the objective pursued, despite importance of this objective. Citing case law on the matter, the CJEU addressed proportionality in the strict sense: after highlighting the need for precise safeguards, it found that the interference was not limited to what was strictly necessary, since the Directive (2006/24/EC), among many others, affected anyone in a generalised manner and did not provide for adequate safeguards against abuse or misuse.
[…]