Privacy - March 19, 2019

“Cookie law” vs. GDPR – EDPB regulatory views

Derek Lackey March 19, 2019

0 870 4 min read

Source: EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, March 2019

Main takeaways

Both laws could apply to the same situation where personal data is involved – so organisations should usually comply with the tougher one (which is not a surprising view on the part of data protection regulators!). Particularly “cookie law consent”. And subsequent processing of personal data obtained via information on end user devices must comply with the GDPR.

However, it looks like tougher GDPR-level fines can’t be applied under the current ePrivacy Directive. And GDPR compensation claims probably can’t be made either – but that could be clearer.

Summary

When consent is required under the ePrivacy Directive to store or access information on an end user device (“terminal equipment”, formally), an organisation can’t store/access info without getting prior consent (now to GDPR’s higher “unambiguous” consent standard) – it can’t simply rely on another GDPR legal basis like legitimate interests to store/access the info. This is commonly termed the “cookie law” provision but in fact it applies to any information, not just personal data, and any storage/access of information on terminal equipment, not just Web cookies.

Note that “Subsequent processing of personal data including personal data obtained by cookies must also have a legal basis under article 6 of the GDPR in order to be lawful”. Any such collected personal data is subject to GDPR rules e.g. data subject rights, and data protection authorities “remain fully competent to assess the lawfulness of all other processing operations that follow the storing of or access to information in the terminal device of the end-user” under GDPR. Furthermore, any breach of the ePrivacy Directive could be taken into account by regulators when assessing compliance with the GDPR, particularly the lawfulness and fairness principle.

When the ePrivacy Directive doesn’t say anything about a situation, but the GDPR applies – then comply with the GDPR. E.g. telcos subcontracting the processing of personal data necessary for providing their comms services would need to put in place the usual Art.28GDPR contract terms etc.

It does seem at least…

Read The Full Article

Leave a Reply Cancel reply

DON'T MISS

Leading with a security-first mentality

Danish DPA set to fine furniture company

Why Few Marketers Are Invited To Join Boards Of Directors

How to Completely DELETE Your Facebook Account in 2020

How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read

Blazon Online

Latest News

Email Subscription

We are Blazon.Online a strategic partnership between RMA and 2410365 Ontario, Inc located at 37 Hwy 8, Dundas, Ontario L9H 4V1. We send a weekly update and the occasional email regarding response marketing. You can reach us at dl@blazon.online or 416 524 7844. You can unsubscribe at any time.

Industry Leaders Reflect on 2018, Offer Predictions for 2019

Average Cost of Cyberattack Now Exceeds $1 Million

5 Things for a Marketer to Consider for 2019!

30 Must Read Articles On Brand Management

Your Customers May Be the Weakest Link in Your Data Privacy Defenses