Why GDPR mega-sanctions are likely already applying to ePrivacy breaches
Some cross-reference clauses in the ePrivacy Directive create a new type of creature: a regulation-directive with unknown effects on the digital market.
The EU legislator has been struggling for exactly two years now to make progress on the reform of the ePrivacy Directive and convert it into an updated ePrivacy Regulation governing the confidentiality of electronic communications. There is still no light at the end of the tunnel, while reaching the finish line is more urgent than originally thought. One of the many reasons for this? The entire chapter on sanctions from the General Data Protection Regulation (GDPR) very likely already applies to breaches of the old ePrivacy Directive because of a "cross-reference clause", creating an enforcement nightmare of uncertainty for regulators and affected companies alike.
The crux of it
The ePrivacy Directive has a clause that imports, for its own purposes, the provisions on judicial remedies, liability and sanctions from the now defunct Directive 95/46/EC (the "DPD" or the "Data Protection Directive"), with a direct reference to Chapter III of the DPD. The GDPR, which repealed and replaced the DPD, has a clause making it clear that any reference to the DPD in any other EU law is to be read as a reference to the GDPR. The legal effect of all this is very likely that the provisions on judicial remedies, liability and sanctions of the GDPR that correspond to the former Chapter III of the DPD now apply to breaches of the ePrivacy Directive. And having GDPR sanctions apply to the ePrivacy Directive makes very little sense, if any.
A closer look
Article 15 of the ePrivacy Directive is titled “Application of certain provisions of Directive 95/46/EC”. The second paragraph of this article establishes that:
“The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.”
This means that the liability and sanctions regime created by the DPD applied to breaches of the ePrivacy Directive and, respectively, of the national laws transposing it, including the obligation to obtain users' consent before storing information such as cookies on their devices.
The title of Chapter III of the DPD was "Judicial remedies, liability and sanctions" and it contained only two articles. The first one, Article 23, regulated "liability", establishing an individual cause of action for any person who has suffered damage as a result of unlawful processing of personal data. The second one, Article 24, regulated "sanctions" and obliged Member States to "lay down the sanctions to be imposed" in case of infringement of the provisions adopted pursuant to the Directive, which, by virtue of the cross-reference in Article 15(2) of the ePrivacy Directive, also covered the national provisions transposing the ePrivacy Directive.
Since the GDPR repealed the DPD, the question arises whether the liability and sanctions regime of the ePrivacy Directive has been repealed with it. The answer is no, and it is revealed by the second paragraph of Article 94 GDPR, which provides that "references to the repealed Directive shall be construed as references to this Regulation".
Since references to the DPD in other EU legal acts do not simply lose their legal effect once the Directive is repealed, but are read as references to the GDPR, the liability and sanctions chapter of the GDPR is, de jure, applicable to the ePrivacy Directive and to the national laws transposing it.
The successor of the DPD's Chapter III is the GDPR's Chapter VIII, titled "Remedies, liability and penalties", which houses no fewer than eight provisions (Articles 77 to 84): from Article 82, establishing an individual cause of action for any damage caused by unlawful processing of personal data, to Article 80, granting data subjects the right to mandate a not-for-profit organisation to lodge complaints and claim compensation on their behalf, and the now-famous Article 83, which establishes mega-fines for unlawful processing of up to 20 million EUR or 4% of the total worldwide annual turnover of the company found to be in breach, whichever is higher.
The precedent
This swap between provisions of the DPD and provisions of the GDPR within the ePrivacy framework is not an isolated case. About a year ago, the news that, once the GDPR became applicable, its stricter conditions for valid consent would also apply to the "cookie consent" mandated by the ePrivacy Directive made the rounds across compliance offices in Europe and elsewhere. This was due to another "cross-reference clause" in the ePrivacy Directive, Article 2(f), which defines consent by reference to "the data subject's consent in Directive 95/46/EC".
This thesis was then confirmed by the European data protection supervisory authorities in the Guidelines they issued on "consent" under the GDPR.
The complications
If replacing a definition in a directive with an enhanced definition of the same concept from a regulation does not raise particularly difficult issues as to its legal effects, importing an entire chapter on liability and sanctions from a brand-new regulation into an almost obsolete directive creates a whole new level of complexity. This is because, in the EU legal system, regulations are directly applicable in the Member States, while directives normally need national implementing laws in order to become effective. This is why the now replaced DPD article regulating sanctions, Article 24, mandated Member States to lay down the sanctions themselves.
The ePrivacy Directive has been transposed into the national law of the Member States with an incredible diversity of sanctions regimes. Not only do the maximum fines differ, but there are Member States, such as Finland and Ireland, where three supervisory authorities are tasked with enforcing the national ePrivacy laws: the data protection authority, the telecommunications regulator and the consumer protection authority.
There is also the problem of corresponding breaches between the GDPR and the ePrivacy Directive. While most of the infringements sanctioned by Article 83 GDPR have no direct counterpart in the ePrivacy Directive, some do. For example, the GDPR obligations to ensure the confidentiality and security of personal data, to obtain valid consent, to provide notice to individuals in general and specific notice of data breaches have counterparts in the ePrivacy Directive: Article 4 on security of processing and notification of personal data breaches, Article 5(1) on confidentiality of communications and Article 5(3) on consent for storing information on, or gaining access to information stored in, users' terminal equipment.
It could be argued that the sanctions provided by the GDPR are applicable to these obligations in the ePrivacy framework. National laws that continue to sanction non-compliance with these ePrivacy obligations under the regime adopted pursuant to the DPD could then be contrary to the GDPR, at least with regard to the maximum amounts that can be imposed as fines.
In theory, no one knows how the interplay between the liability and sanctions chapter of the GDPR and the ePrivacy Directive with its national implementing laws will play out. They are different animals. In practice, the status quo of applying the national ePrivacy laws as they stand will probably continue, even if their liability and sanctions provisions are contrary to Chapter VIII of the GDPR. Things could change, though, if the status quo is challenged by activists or by individuals whose confidentiality rights are affected. What is certain is that all of this creates an incredible amount of legal uncertainty.
The solution
In October, Giovanni Buttarelli, the European Data Protection Supervisor, published a blog post titled "The urgent case for a new ePrivacy law", bringing many substantial arguments. To his plea one can certainly add the tremendous legal uncertainty created by the cross-references to DPD provisions in the ePrivacy Directive, now replaced by GDPR provisions. They bring to life an odd creature, a regulation-directive, with blurred consequences for the digital market. The longer this situation continues, the deeper the uncertainty grows. Therefore, the only foreseeable solution is to finalise the ePrivacy reform as soon as possible, so that the legal environment for personal data flows in the European digital market becomes coherent.
***
You can follow Gabriela’s privacy musings on Twitter and LinkedIn.