Article 95 GDPR

From GDPRhub
Article 95 - Relationship with Directive 2002/58/EC

Legal Text


Article 95 - Relationship with Directive 2002/58/EC

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Relevant Recitals

Recital 173: Relationship to Directive 2002/58/EC
This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

Commentary

Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’), which contains rules on the privacy and confidentiality of electronic communications. According to this provision, the GDPR should not impose additional obligations on natural or legal persons - in connection with the provision of publicly available electronic communication services in public communication networks - who are already subject to specific obligations with the same objective under the EPD.

There was no equivalent to Article 95 GDPR in its predecessor, Directive 95/46/EC (the Data Protection Directive, 'DPD'). Nonetheless, the regulation of the relationship between the GDPR and the EPD is to be found in Recital 10 and Article 1(2) EPD.[1] Article 1(2) EPD provides that the EPD's provisions serve to "particularise and complement Directive 95/46/EC." This provision must be read in line with Recital 10, which establishes that Directive 95/46/EC applies to matters not covered by the provisions of the EPD. Given that Article 94 GDPR repeals Directive 95/46/EC and replaces it with the Regulation, the aforementioned provisions of the EPD are to be relied upon in addition to Article 95 GDPR when determining questions concerning the relationship between the GDPR and the EPD.

Lex Specialis

Article 95 follows the lex specialis rule of interpretation, whereby a specific law overrides a more general law when regulating the same set of facts. On the one hand, the application of this principle to both laws is simple: the EPD specifically governs electronic communications, and therefore supersedes the GDPR, which contains more general provisions on data processing.[2] On the other hand, it should be noted that in some ways the EPD is not more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.[3] Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications in line with Article 7 of the Charter. In this way, as Kühling and Raab note, “the challenge in each case is to check whether the special provisions of [the] Directive [if any, n.e.] actually supersede the general rules of the GDPR.”[4]

Natural or Legal Persons

Article 95 GDPR specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the Court of Justice of the European Union ("CJEU") has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.[5]

Publicly Available Electronic Communication Service

The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’ The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.[6] Whilst this will be the case for classic telecommunications services, it will not be for those which operate on the open internet. However, under the European Electronic Communications Code ("EECC"), this is no longer a requirement. The EECC creates a distinct category of electronic communication services known as ‘interpersonal communication services.’ According to Kühling and Raab, this category is “clearly tailored to internet communication services” such as WhatsApp and Skype. Notably, under Article 2(5) EECC, a service will not qualify as an electronic communication service where the communication function is merely ancillary.[7]

Public Communications Networks

The electronic communication service must also be provided through a ‘public communications network’. Neither the EPD nor the GDPR provides a definition of a ‘public communications network.’ The EECC outlines that an electronic communications network is public where it is “wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.” Therefore, a public communications network would not cover a closed company communications network, whereby employees only interact with each other.[8] In such a situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal.

Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating that the GDPR should only apply to matters which are not subject to specific obligations with the same objectives under the EPD. Article 95 GDPR’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can cause problems of interpretation. Namely, the question arises as to what data protection obligations do not involve the provision of publicly accessible electronic services in public communications networks.[9] A key example is Article 5(3) EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) EPD applies to any entity that places cookies or other code on a user’s device. Services may therefore be subject to additional obligations under the GDPR in this instance.[10]

Specific Obligations with the Same Objectives

In order not to be subject to additional obligations under the GDPR, processing must be related to matters which are subject to specific obligations with the same objective set out in the EPD. For example, Article 4(1)(a) EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority where a data breach occurs. In line with Article 95 GDPR, since these objectives are mirrored in the GDPR, the GDPR will not impose additional obligations on service providers.[11] In contrast, where the EPD does not contain comparable provisions, additional obligations under the GDPR will apply. For example, the EPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).[12]

The e-Privacy Regulation Proposal

Under Recital 173 GDPR, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with it. The Commission adopted such a proposal for the EPD on 19 January 2017.[13]

Decisions

→ You can find all related decisions in Category:Article 95 GDPR

References

  1. Costa de Oliveira in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 95 GDPR, p. 1296 (Oxford University Press 2020).
  2. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
  3. Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (C. H. Beck 2018, 2nd edition).
  4. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
  5. Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).
  6. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 2 (C. H. Beck 2020, 3rd edition) citing CJEU, C-193/18, Google LLC v Bundesrepublik Deutschland, 13 June 2019, and CJEU, C-142/18, Skype Communications SRL, 5 June 2019.
  7. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
  8. Karg in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (C. H. Beck 2021, 36th edition); Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (C. H. Beck 2020, 3rd edition); Holländer, in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (C. H. Beck 2020, 36th edition).
  9. Piltz, in Gola, Datenschutz-Grundverordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition).
  10. Piltz, in Gola, Datenschutz-Grundverordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition).
  11. Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1298 (Oxford University Press 2020).
  12. Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition); Piltz, in Gola, Datenschutz-Grundverordnung, Article 95 GDPR, margin number 6 (C. H. Beck 2018, 2nd edition).
  13. European Commission, Proposal for a Regulation on Privacy and Electronic Communications.