General Data Protection Regulation and e-Privacy Regulation: Privacy sister legislations
The passing of EU General Data Protection Regulation was a landmark for privacy dimension. The regulation emerged as the first privacy and data protection law with a global impact that pushed privacy discourses through media. However, GDPR will not remain the sole privacy regulation over a long term. In fact, European data privacy will be also covered by e-Privacy regulation.
The e-Privacy Regulation will replace EU’s existing Privacy and Electronic Communications Directive 2002/58/EC. GDPR governs the protection of personal data encouraging data flow between Member States. Differently, the e-Privacy Regulation is focused more on the protection of individuals’ privacy when data is being communicated electronically. In particular, GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of personal data protection. Contrarily, the e-Privacy regulation was projected to safeguard Article 7 of the European Charter with respect to and individual private life.
Future of European privacy framework will depend on the relation between these two massive pieces of legislation. GDPR’s Article 95 and Recital 173 provide us with some clarification about future relation between GDPR and e-Privacy regulation. Then, it is stated that GDPR shall not impose any additional obligations regarding data processing “for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC”. Thus, in the event both legislations will apply to the same set of data processing operations, e-Privacy may provide a more specific rule; which will take precedence according to “lex speciali derogate lex generali” principle.
GDPR and e-Privacy regulation share several common areas. For instance, Article 4 of e-Privacy regulation includes the same GDPR definition placing consent at its centre. Moreover, both GDPR and e-Privacy directive include the same restrictions members state are authorised to implement. However, a key difference concerns the application of legislation: GDPR only applies to personal data processing while e-Privacy regulation regulates electronic communication even concerning non-personal data.
In conclusion, both legislations work to ensure users have control over their personal data while undertakings have the onus to guarantee the safety and security of information. In such context, information definition is extended including metadata and creating ownership over an IP address and other online identifiers.