“Cookie law” vs. GDPR – EDPB regulatory views
Source: EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, March 2019
Main takeaways
Both laws could apply to the same situation where personal data is involved – so organisations should usually comply with the tougher one (which is not a surprising view on the part of data protection regulators!), particularly for “cookie law consent”. Subsequent processing of personal data obtained via information on end user devices must comply with the GDPR.
However, it looks like tougher GDPR-level fines can’t be applied under the current ePrivacy Directive. And GDPR compensation claims probably can’t be made either – but that could be clearer.
Summary
When consent is required under the ePrivacy Directive to store or access information on an end user device (“terminal equipment”, formally), an organisation can’t store/access info without getting prior consent (now to GDPR’s higher “unambiguous” consent standard) – it can’t simply rely on another GDPR legal basis like legitimate interests to store/access the info. This is commonly termed the “cookie law” provision but in fact it applies to any information, not just personal data, and any storage/access of information on terminal equipment, not just Web cookies.
Note that “Subsequent processing of personal data including personal data obtained by cookies must also have a legal basis under article 6 of the GDPR in order to be lawful”. Any such collected personal data is subject to GDPR rules e.g. data subject rights, and data protection authorities “remain fully competent to assess the lawfulness of all other processing operations that follow the storing of or access to information in the terminal device of the end-user” under GDPR. Furthermore, any breach of the ePrivacy Directive could be taken into account by regulators when assessing compliance with the GDPR, particularly the lawfulness and fairness principle.
When the ePrivacy Directive doesn’t say anything about a situation, but the GDPR applies – then comply with the GDPR. E.g. telcos subcontracting the processing of personal data necessary for providing their comms services would need to put in place the usual Art. 28 GDPR contract terms etc.
It does seem at least…