Insurance & Reinsurance - ePD, EECC and GDPR: The EU Road to Privacy, Security and Data Protection

This article was first published in ICLG - Insurance & Reinsurance.

1. Introduction

Privacy is a fundamental human right, recognised in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights, and many other international and regional agreements. 

Article 1(2), GDPR states: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” 

Telecommunications are at the heart of business development.  And so is technology.  Both tools allow businesses to access key knowledge about their customers, enabling them to understand their market better than ever before.  They are also critical to the analysis and decision-making process behind product development, as they know better what their users/customers want and can tailor products that effectively respond to those wants.  Pricing and marketing strategies are measured with millimetric accuracy against the information that businesses can obtain from their customers’ profiles.  None of this is possible without data.  Hence the relentless pursuit from businesses to obtain as much personal information from users as possible.  However, in light of this, data became a commodity which rendered a risk to citizens if they were no longer in control of their personal information.  The European Commission has worked over the last four decades to try to regulate data processes and harmonise the approach across Member States, whilst trying to catch up with the telecommunication-technology partnership. 

Our starting point will be the historical development of privacy and telecommunications legislation in Europe at a glimpse.  That should help us to understand the differences between the ePD, GDPR and EECC as well as those aspects where they converge to create one, consistent, complementary regulatory system.  The aim of that system is to enable users to retain control or knowledge of where their data is and how it is being used, without – hopefully – causing any major hindrance to the free market.  We will consider these three main pieces of legislation in current times, with an eye to how well they achieve those aims, and close with a view of how the future looks for data protection, privacy and security at the forefront of the technology and telecommunications industries. 

2. Background – Historic Development of Privacy and Telecommunications Legislation

Following the start of data processing on a large scale in the 1970s and the increased demand in the 1980s when companies started gathering customers’ data, the 1990s saw the first big attempt to regulate and harmonise data protection in Europe with the implementation of the EU Data Protection Directive 95/46/EC. 

The ePrivacy Directive (“ePD”, also known as the “Cookie Law”) followed suit on 12 July 2002 (2002/58/EC), laying out specific rules on privacy (data protection) for the electronic communications sector.  Beyond the regulation of cookies, the ePD was the first attempt at regulating other aspects of data management such as consent, confidentiality, spam, and traffic data. 

A revised version was implemented in 2009 (e-Privacy Directive 2009/136/EC), which provided tighter regulation, compelling providers of publicly available electronic communications services to notify personal data breaches to regulators and affected users (the latter only if the breach was likely to adversely affect the personal data or privacy of the subscriber) without undue delay. 

This was further consolidated in Commission Regulation (EU) 611/2013, which unified the rules for notification of personal data breaches by providers of publicly available electronic communications services.

On 25 May 2018, European privacy legislation changed fundamentally as the European Data Protection Regulation (EU) 2016/679 (“GDPR”) came into force, harmonising data protection laws across the EU.  This applied to all processors of personal data for commercial purposes, and not just electronic communications services.

The European Electronic Communications Code (“EECC”), which had already started to make its way through the EC, was formally adopted on 4 December 2018 and published on 17 December 2018.  This was concerned with the security of communications, albeit the wider aim was to drive investment in new high-capacity networks (e.g. 5G and new fibre works) and to create a level playing field between telecommunications companies and over-the-top telecommunications providers (“OTTPs”).

The EECC continues to oblige national regulatory authorities to analyse telecommunications markets and determine whether any operators dominate the market.  Amongst other significant changes, the duty for Operators with Significant Power Market arose.  This imposed additional obligations on those Operators in the relevant territory unless they reached an agreement with the national regulator to relax obligations in compensation for investment in high-capacity networks. 

For over-the-top telecommunications services, the EECC redefined electronic communications services, by encompassing internet access services and interpersonal communications services, distinguishing the latter between number-dependent and number-independent services (e.g. Skype and WhatsApp). 

Member States were supposed to have transposed the EECC by 21 December 2020.  Once transposed, not just the EECC rules would be enforceable in the Member States but also the rules on privacy (ePD) and notification procedures (Commission Regulation (EU) 611/2013) would extend to OTTPs such as instant messaging applications, email platforms, internet phone call platforms and personal messaging providers through social media.  

3. How Are They Different?

Given the proximity between the rights and values protected, the ePD and GDPR follow similar paths and it is not uncommon to experience a crossover between them.  However, they do not share completely the same purpose, and this becomes increasingly evident in practice, as illustrated below.   

Data protection v privacy

When comparing the GDPR and ePD, at first sight the lines between the rights protected by each would appear to overlap considerably.  However, in reality they are concerned with two different aspects: the GDPR is directed at the protection of the data, how it is collected, processed and used; whereas the ePD is concerned with privacy of data in the context of electronic telecommunications, including email marketing and cookie usage.

In fact, the ePD enhances the GDPR by incorporating the definitions in the latter, clarifying and applying them to the world of electronic communications and digital marketing. 

The first key difference between these pieces of legislation therefore is that the GDPR applies to the processing of data, whereas the ePD goes further to regulate electronic communication whether it contains personal data or not. 

As such, if a website uses cookies, the provider will need to have in place a policy for implementation of cookies, a cookie banner and a request for consent from users to retain data, any data. 

A key concept underpinning GDPR is “control”.  The ePD is primarily interested in “consent”.  The GDPR contains a set of rights, in relation to information, access, rectification and deletion.  These are intended to enable the individual data subject to retain control of their data even long after the relevant transaction has taken place.  The ePD is focused on ensuring that information a provider holds on a user is backed up with a clear and free consent. 

The GDPR is concerned with the owner of the data.  It grants the data subject powers to manage the way in which companies handle their personal data.  The ePD focuses on the providers of publicly available electronic communications services, by enlisting the steps which they are expected to take should they wish to retain information and manage data. 

Turning to more practical aspects of the comparative analysis, there are rules in each piece of legislation which apply in the event of a personal data breach.  These involve distinct processes and timescales.  Under the GDPR, a personal data breach must be reported to the local supervisory authority within 72 hours from when the data controller had been made aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individual data subjects (Article 33(1), GDPR).  This allows organisations a reasonable period to investigate the breach, concentrate on the crucial aspects of information required to understand the extent of the breach and the related risk assessment, and decide on the containment plan and next steps whilst preparing to fulfil their notification obligations.  In contrast, a provider of publicly available electronic communications services must notify a privacy breach within 24 hours from detection.  Should they need to provide any further information, a further report ought to be presented no later than 72 hours from notification of the breach.

In terms of the information required to be provided in the notification, the GDPR legislation contains greater flexibility, providing guidelines as to the minimum content expected to be included in the notification (Article 33(3), GDPR).  These include a description of the nature of the personal data breach, including, where possible, the categories of personal data and approximate number of individuals and records concerned, the contact details of the data protection officer, an explanation as to the likely consequences of the breach, and adopted and/or proposed corrective measures.

In contrast, Commission Regulation (EU) 611/2013 includes at annex 2 a detailed list of the content required in an ePD privacy breach notification.  ePD notifications will be concerned with the service provider’s details, date and time of the incident, circumstances of the breach, type of data affected, technical measures to be applied by the provider, a summary of the incident and information as to possible cross-border issues. 

Last but not least is the distinction between the parties to the rules.  The GDPR distinguishes between the data controller and the data processor to determine who is responsible for compliance with many of the key obligations to data subjects, including notification of data breaches.  The ePD is primarily focused on telecommunications service providers.  There is no distinction between data controller and processor; instead, service providers are responsible for the protection of the subscriber’s data.

Privacy v security

There are two aspects of electronic telecommunications which regulators are primarily concerned with: privacy; and security. 

This is the main difference between the ePD and the EECC, the former (as seen above) is concerned with the manner in which providers obtain information from users and how they manage it, by way of limiting the use of traffic and location data or prohibiting the unauthorised access of communications.  The key concern here is privacy.  The EECC is an EC framework aimed at harmonising the existing legal framework for electronic communications across the EU, with a focus on security. 

The Commission Regulation will apply uniformly to all countries, i.e. the same procedure for notification of privacy breaches shall be implemented in all Member States where the EECC has been transposed. 

In contrast, the EECC is a Directive, meaning that in transposing EECC requirements into local legislation, each jurisdiction has some degree of latitude in interpreting, and potentially adding to, those requirements. The process, timescales and competent authorities dealing with the rules arising from the principles of the Directive are created by each State through internal legislation. 

As a result, for instance, the process for notification of data breaches is reasonably uniform for privacy breaches.  The provider of publicly available electronic communications services must notify a privacy breach within 24 hours from detection of the breach where feasible (Article 2(2), Commission Regulation 611/2013).  In contrast, a security breach does not have a specific deadline for notification.  Instead, the wording across transposed jurisdictions varies from immediately (see Article 345 b, Bulgarian Electronic Communications Act) to without delay (see s 7(3), Danish Executive Order on Information and Notification Obligations Regarding Security In Net and Services) to a 24-hour mandatory deadline (see Finnish Traficom Regulation 66A) or as soon as possible (see, for instance, Article D.98-5, French Code of Post and Electronic Communication).  This is an example of the effect of applying rules arising from a regulation (namely an identical process across the region) to those arising from a Directive.   

Unlike GDPR/ePD breaches, which are often monitored by the same regulator in each Member State, EECC authorities are predominantly separate from data protection authorities, as illustrated in the below table (Table 1). 

Table 1: List of competent authorities for ePD and EECC notifications in transposed EU jurisdictions as at November 2021

An incident taking place in an organisation which is a provider of a publicly available telecommunication services which involves breaches of privacy (ePD) and security (EECC) could render a double notification process necessary, often to different authorities.  This will also involve subsequent follow-up and closing reports. 

Both pieces of legislation aim to uphold values which sit at the heart of the EU: the unequivocal right of individuals to effectively protect their privacy; and the security of data.  Ultimately, the intention is to try to ensure that publicly available telecommunications service providers take all possible measures to ensure that using their services is a safe and reliable experience.

4. How Are They Connected?

We have focused above on the various differences between the GDPR, ePD and EECC.  However, the scope of the GDPR and the ePD overlap quite significantly.

The confusion around GDPR and ePD overlap

When the GDPR came into force in 2018 it was unclear how it would interact with other existing legislation that had a similar scope, such as the ePD.  This is an issue that was recognised by the Belgian DPA and, on 3 December 2018, they requested that the European Data Protection Board (“the Board”) examine and issue an opinion on the interplay between the ePD and the GDPR (“the Opinion”).

In the Opinion, the Board agreed there was a clear need for “a consistent interpretation among data protection authorities on the boundaries of their competences, tasks and powers” and went on to clarify the objective of each of the GDPR and the ePD, and what to do when the similar objectives resulted in both pieces of legislation covering one situation.

Objectives of the GDPR and the ePD

The objective of the GDPR is to protect the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, whilst ensuring the free movement of personal data within the Union.  To achieve this objective, the GDPR lays down common rules on data processing, so as to ensure consistent and effective protection of personal data throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market.  The rules are intended to achieve a balance between the (potential) benefits of data processing and the (potential) drawbacks.

The objective of the ePD is to harmonise the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communications sector.  It is also intended to ensure the free movement of such data and of electronic communications equipment and services in the Community.  In this regard, the ePD aims to “particularise and complement” the provisions of the GDPR, with respect to the processing of personal data in the electronic communications sector.

Which legislation takes precedence?

The Opinion by the Board states: “[I]n situations where the ePrivacy Directive “particularises” (i.e. renders more specific) the rules of the GDPR, the more specific provisions of the ePrivacy Directive shall, as “lex specialis”, take precedence over the more general provisions of the GDPR.”  So, the more specialised rule takes precedence.  This would usually be the ePD, as part of the objective of the ePD is to particularise the GDPR. 

One example of where the ePD “particularises” the provisions of the GDPR can be found in Article 6, ePD, which concerns the processing of “traffic data”.  Traffic data is data processed for the conveyance of a communication on an electronic communications network or for the billing in respect of that communication.  It includes information relating to the routing or timing of a phone call, text or email.  Article 6, GDPR lists possible lawful grounds that can be used to justify the processing of personal data.  However, the full range of possible lawful grounds provided by Article 6, GDPR cannot be applied to the processing of traffic data, because Article 6, ePD limits the conditions in which traffic data may be processed.  In this case, Article 6, ePD will take precedence over Article 6, GDPR because the GDPR has only general carve-outs for personal data more widely, whereas Article 6 particularises the conditions in which traffic data specifically can be processed.  

A similar situation arises in relation to Article 5(3), ePD, insofar as the information stored in the end-user’s device constitutes personal data.  Article 5(3), ePD states “the storing of information or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent having been provided with clear and comprehensive information about the purposes of the processing”.  If the information in a situation covered by Article 5, ePD constituted personal data, then Article 6, GDPR would also apply.  Again, however, Article 5(3), ePD would take precedence.  A real-life example is where cookies are used to collect information which constitutes personal data.  While Article 6, GDPR provides for various lawful grounds for this processing, Article 5(3), ePD also applies and requires consent to be obtained from individuals before cookies are placed on their devices.  In this and similar situations, Article 5(3), ePD, as the more specific rule, will prevail and requires that consent be obtained, instead of relying on one of the other lawful grounds for that specific set of processing activities.

In this way, if there is a specialised rule under the ePD, the rule should take precedence over the GDPR in enforcement as well as interpretation, but the GDPR should continue to apply to processing operations which may be part of the same process but to which no specific ePD rule applies.  So, both pieces of legislation apply.  The GDPR applies to the extent that there are not more specific requirements in the ePD and then the ePD applies where it sets out more specific rules that go above and beyond those set out in the GDPR.

Reporting obligations

Despite both pieces of legislation being applicable to one incident, there may be no need to report under both where similar administrative burdens are imposed.

The Opinion by the Board indicates that if the GDPR and ePD impose similar but not quite identical administrative burdens, there is no need to report under both pieces of legislation; reporting under just one is sufficient.

Article 95, GDPR stipulates that the GDPR “should not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC”.

The Opinion of the Board confirmed that the aim of Article 95, GDPR is to avoid the imposition of unnecessary administrative burdens upon controllers.  This can be applied to personal data breach notification obligations, which are imposed by both the ePD and the GDPR.  They both provide for an obligation to notify personal data breaches to the competent national authority and the data protection authority, respectively.  These obligations are applicable in parallel under the two different pieces of legislation, according to their respective scopes of application.  An obligation to notify under both acts, once in compliance with the GDPR and once in compliance with national ePrivacy legislation, would constitute an added burden without immediate apparent benefits for data protection.  Following Article 95, GDPR, electronic communications service providers who have notified a personal data breach in compliance with applicable national ePrivacy legislation should not be required to separately notify data protection authorities of the same breach pursuant to Article 33, GDPR.

5. Where Are We Now?  Transposition, Implementation, Enforceability

From 21 December 2020, the EECC was set to transpose to all jurisdictions across the EU.  As this framework extends the definition of “electronic communications services” to include instant messaging applications, internet phone calls, email and personal messaging provided through social media, collectively known as over-the-top-services, once transposed into each Member State, the scope of the ePD will expand as well as the EECC.  Therefore, in the event of a breach by any of the aforementioned providers, be it of a privacy or security nature (or both), such breach ought to be notified by providers in transposed jurisdictions.  Furthermore, follow-up reports and closing reports, pursuant to Commission Regulation 611/13, will also be required. 

As of November 2021, almost a year after the transposition deadline, only Austria, Bulgaria, Czech Republic, Denmark, Finland, France, Greece, Hungary and Malta have transposed the EECC.  Germany and Lithuania are the next expected transposing jurisdictions.  The European Commission has sent a reasoned opinion (a formal request to comply with EU law) to the remaining Member States, asking them to transpose the EECC as soon as possible.  These States have been granted two months to notify the Commission about the transposition of the EECC into national law.  Should they fail to do so, the Commission may refer their cases to the Court of Justice of the European Union.  We anticipate that this will encourage the remaining Member States to further progress transposition of the EECC.

6. Conclusion

The clear differences between the process arising from rules in the (ePD) Regulation to those State-tailored, diverse processes emanating from the (EECC) Directive have a significant impact in businesses across Europe.  Add to this the additional set of powers granted to individuals through the GDPR and there is a comprehensive set of rules which are intended to work together to attempt to keep pace up with technology and its marriage with electronic communications. 

However, in having numerous sources of rules, some of which have direct effect and others which are subject to the vagaries of local transposition, there is a risk of a lack of clarity and an unnecessary administrative burden.  The lack of consistency arising from the EECC and its implementation in each jurisdiction, far from harmonising, could make for a cumbersome package of rules which raise the compliance bar to a level which is needlessly complex.   

The solution (at least in part) could be closer than expected, with the arrival of the ePrivacy Regulation or Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communication (“ePR”).  The ePR seeks to strengthen the online privacy of citizens and intensely regulate data protection.  It sits between the GDPR and the EECC to provide a comprehensive set of legislation which aims to cater for as many potential scenarios, users and providers as possible.  If passed, the ePR will seek to modernise and harmonise the existing law on electronic communications by way of creating a single data protection standard of rules for electronic communications in the EU.  This could well be an approach welcomed by businesses, even if it means a tighter set of rules.  Tighter control could be a price worth paying in exchange for consistency across the board.