Monitor Prawniczy

no. 20/2017

ePrivacy Regulation as a sectoral regulation vs the General Data Protection Regulation (GDPR)

Xawery Konarski
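The author is an attorney-at-law (adwokat), senior partner at the law firm Traple Konarski Podrecki i Wspólnicy, vice-president of the Polish Chamber of Information Technology and Telecommunications (Polska Izba Informatyki i Telekomunikacji), and legal expert of the Internet Industry Employers Association IAB Polska (Związek Pracodawców Branży Internetowej IAB Polska).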
Abstract

The objective of the Digital Single Market Strategy is to increase trust in digital services and improve their security. The reform of the data protection framework, and in particular the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) marks a significant step in this direction.

Under that strategy, a review of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) was also announced, in order to ensure a high level of protection for users of electronic communications services. The review was necessary to ensure consistency of the privacy and electronic communications provisions with the new principles specified in the GDPR, and also because of the need to take into account the significant technological and economic changes (inter alia new models of electronic communications services) that have occurred since the last review of Directive 2002/58 in 2009. As a result of the review, the European Commission drew up the proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (proposal for ePrivacy Regulation), which is now being intensively developed.

Unlike the GDPR, the proposal for the ePrivacy Regulation protects not only electronic communications carried out by natural persons, but also the legitimate interests of corporate bodies. On the other hand, insofar as the data originating from electronic communications contain personal data, cumulative protection applies, provided for by the provisions of both the GDPR and the ePrivacy Regulation. The character of the ePrivacy Regulation as lex specialis vis-à-vis the provisions of the GDPR as lex generalis should be understood to mean that, to the extent that the ePrivacy Regulation restricts, as compared with the GDPR, the possibility of processing data originating from electronic communications, the ePrivacy provisions shall prevail.

The key change in the proposal for the regulation as compared with Directive 2002/58 is the broader material scope of its application. In line with the definition of interpersonal communication contained in the proposal for a directive establishing the European Electronic Communications Code, the regulation covers not only internet access services and services consisting wholly or partly in the conveyance of signals, but also interpersonal communications services, which may or may not be number-based, such as Voice over IP, messaging services and web-based e-mail services. The basic assumption behind this extension is the acknowledgment that OTT services constitute functional equivalents of “traditional” communications services (such as telephony, SMS/MMS), that is, they also perform a communication function and therefore should be covered by the proposal for the ePrivacy Regulation and the data confidentiality rules set therein.