Article 95 GDPR: Difference between revisions
(style consistency) |
mNo edit summary |
||
(7 intermediate revisions by 3 users not shown) | |||
Line 185: | Line 185: | ||
==Legal Text== | ==Legal Text== | ||
<center>'''Article 95 - Relationship with Directive 2002/58/EC'''</center> | <br /><center>'''Article 95 - Relationship with Directive 2002/58/EC'''</center> | ||
This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. | This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. | ||
==Relevant Recitals== | ==Relevant Recitals== | ||
Line 193: | Line 193: | ||
==Commentary== | ==Commentary== | ||
Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’) which contains rules on the privacy and confidentiality of electronic communications. | Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’), which contains rules on the privacy and confidentiality of electronic communications. According to this provision, the GDPR should not impose additional obligations on natural or legal persons - in connection with the provision of publicly available electronic communication services in public communication networks - who are already subject to specific obligations with the same objective under the EPD. | ||
There was no equivalent to Article 95 GDPR in its predecessor, Directive 95/46/EC (the Data Protection Directive, 'DPD'). Nonetheless, the regulation of the relationship between the GDPR and the EPD is to be found in Recital 10 and Article 1(2) EPD.<ref>''Costa de Oliveira'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 95 GDPR, p. 1296 (Oxford University Press 2020). </ref> Article 1(2) EPD provides that the EPD's provisions serve to ''"particularise and complement Directive 95/46/EC."'' This provision must be read in-line with Recital 10, which establishes that Directive 95/46/EC applies to matters not covered by the provisions of the EPD. Given that Article 94 GDPR repeals Directive 95/46/EC and replaces it with the Regulation, the aforementioned provisions of the EPD are to be relied upon in addition to Article 95 GDPR, when determing questions concerning the relationship between the GDPR and the EPD. | |||
==== Lex Specialis ==== | ==== Lex Specialis ==== | ||
Article 95 | Article 95 follows the ''lex specialis'' rule of interpretation, whereby a specific law overrides a more general law when regulating the same set of facts. On one hand, the application of this principle to both laws is simple: the EPD ''specifically'' governs electronic communications, and therefore supersedes the GDPR, which contains more general provisions on data processing.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3<sup>rd</sup> edition).</ref> On the other hand, it should be noted that in some ways the EPD is ''not'' more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.<ref>''Gernot, Sydow,'' in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (C. H. Beck 2018, 2<sup>nd</sup> edition).</ref> Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications in line with Article 7 of the Charter. In this way, as ''Kühling'' and ''Raab'' note, ''“the challenge in each case is to check whether the special provisions of'' [the] ''Directive'' [if any, n.e.] ''actually supersede the general rules of the GDPR.”''<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3<sup>rd</sup> edition).</ref> | ||
On | |||
==== Natural or Legal Persons ==== | ==== Natural or Legal Persons ==== | ||
Article 95 specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the CJEU has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.<ref>''Olive'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).</ref> | Article 95 GDPR specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the Court of Justice of the European Union ("''CJEU''") has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.<ref>''Olive'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).</ref> | ||
==== Publicly Available Electronic Communication Service ==== | ==== Publicly Available Electronic Communication Service ==== | ||
The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’ | The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’ The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 2 (C. H. Beck 2020, 3<sup>rd</sup> edition) citing CJEU, C-193/18, ''Google LLC v Bundesrepublik Deutschland'', 13 June 2019 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-193/18 here]), and CJEU, C-142/18, ''Skype Communications SRL'', 5 June 2019 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=214741&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5169081 here]).</ref> Whilst this will be the case for classic telecommunications services, it will not for those which operate on the open internet. However, under the the European Electronic Communications Code ("''EECC''"), this is no longer a requirement. The EECC creates a distinct category of electronic communication services known as ‘interpersonal communication services.’ According to ''Kuhling'' and ''Raab'', this category is “''clearly tailored to internet communication services”'' such as Whatsapp and Skype. Notably, under Article 2(5) EECC, a service will not qualify as an electronic communication service where the communication function is merely ancillary.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3<sup>rd</sup> edition).</ref> | ||
The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin | |||
</ref> Whilst this will be the case for classic telecommunications services, it will not for those which operate on the open internet. However, under the European Code | |||
==== Public Communications Networks ==== | ==== Public Communications Networks ==== | ||
The electronic communication service must also be provided | The electronic communication service must also be provided through a ‘public communications network’. Neither the EPD nor the GDPR provide for a definition of a ‘public communications network.’ The EECC outlines that an electronic communications network is public, where it is ''“wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.”'' Therefore, a public communications network would not cover a closed company communications network, whereby employees only interact with each other.<ref>''Karg'' in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (C. H. Beck 2021, 36th edition); ''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (C. H. Beck 2020, 3<sup>rd</sup> edition); ''Holländer'', in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (C. H. Beck 2020, 36th edition).</ref> In such a situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal. | ||
Neither the EPD nor the GDPR provide for a definition of a ‘public communications network.’ The | |||
Article | Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating that the GDPR should only apply to matters which are not subject to specific obligations with the same objectives under the EPD. Article 95 GDPR’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can cause problems of interpretation. Namely, the question arises as to what data protection obligations ''do not'' involve the provision of publicly accessible electronic services in public communications networks.<ref>''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2<sup>nd</sup> edition).</ref> A key example is Article 5(3) EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) EPD applies to any entity that places cookies or other code on a user’s device. Services may therefore be subject to additional obligations under the GDPR in this instance.<ref>''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2<sup>nd</sup> edition).</ref> | ||
==== Specific Obligations with the Same Objectives ==== | ==== Specific Obligations with the Same Objectives ==== | ||
In order not to be subject to additional obligations under the GDPR, processing must be related to matters | In order not to be subject to additional obligations under the GDPR, processing must be related to matters which are subject to specific obligations with the same objective set out in the EPD. For example, Article 4(1)(a) EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority where a data breach occurs. In line with Article 95 GDPR, since these objectives are mirrored in the GDPR, it will therefore not impose additional obligations on service providers.<ref>''Olive'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1298 (Oxford University Press 2020).</ref> In contrast, where the EPD does not contain comparative provisions, additional obligations under the GDPR will apply. For example, the EPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).<ref>''Gernot, Sydow,'' in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2<sup>nd</sup> edition); ''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 6 (C. H. Beck 2018, 2<sup>nd</sup> edition).</ref> | ||
For example, Article 4( | |||
In contrast, where the EPD does not contain comparative provisions, additional obligations under the GDPR will apply. For example, the | |||
==== The e-Privacy Regulation Proposal ==== | ==== The e-Privacy Regulation Proposal ==== | ||
Under Recital 173, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with | Under Recital 173 GDPR, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with it. The Commission adopted such a proposal for the EPD on 19 January 2017.<ref>European Commission, Proposal for a Regulation on Privacy and Electronic Communications (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 here]).</ref> | ||
==Decisions== | ==Decisions== |
Latest revision as of 08:21, 19 October 2023
Legal Text
This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
Relevant Recitals
Commentary
Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’), which contains rules on the privacy and confidentiality of electronic communications. According to this provision, the GDPR should not impose additional obligations on natural or legal persons - in connection with the provision of publicly available electronic communication services in public communication networks - who are already subject to specific obligations with the same objective under the EPD.
There was no equivalent to Article 95 GDPR in its predecessor, Directive 95/46/EC (the Data Protection Directive, 'DPD'). Nonetheless, the regulation of the relationship between the GDPR and the EPD is to be found in Recital 10 and Article 1(2) EPD.[1] Article 1(2) EPD provides that the EPD's provisions serve to "particularise and complement Directive 95/46/EC." This provision must be read in-line with Recital 10, which establishes that Directive 95/46/EC applies to matters not covered by the provisions of the EPD. Given that Article 94 GDPR repeals Directive 95/46/EC and replaces it with the Regulation, the aforementioned provisions of the EPD are to be relied upon in addition to Article 95 GDPR, when determing questions concerning the relationship between the GDPR and the EPD.
Lex Specialis
Article 95 follows the lex specialis rule of interpretation, whereby a specific law overrides a more general law when regulating the same set of facts. On one hand, the application of this principle to both laws is simple: the EPD specifically governs electronic communications, and therefore supersedes the GDPR, which contains more general provisions on data processing.[2] On the other hand, it should be noted that in some ways the EPD is not more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.[3] Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications in line with Article 7 of the Charter. In this way, as Kühling and Raab note, “the challenge in each case is to check whether the special provisions of [the] Directive [if any, n.e.] actually supersede the general rules of the GDPR.”[4]
Natural or Legal Persons
Article 95 GDPR specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the Court of Justice of the European Union ("CJEU") has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.[5]
Publicly Available Electronic Communication Service
The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’ The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.[6] Whilst this will be the case for classic telecommunications services, it will not for those which operate on the open internet. However, under the the European Electronic Communications Code ("EECC"), this is no longer a requirement. The EECC creates a distinct category of electronic communication services known as ‘interpersonal communication services.’ According to Kuhling and Raab, this category is “clearly tailored to internet communication services” such as Whatsapp and Skype. Notably, under Article 2(5) EECC, a service will not qualify as an electronic communication service where the communication function is merely ancillary.[7]
Public Communications Networks
The electronic communication service must also be provided through a ‘public communications network’. Neither the EPD nor the GDPR provide for a definition of a ‘public communications network.’ The EECC outlines that an electronic communications network is public, where it is “wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.” Therefore, a public communications network would not cover a closed company communications network, whereby employees only interact with each other.[8] In such a situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal.
Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating that the GDPR should only apply to matters which are not subject to specific obligations with the same objectives under the EPD. Article 95 GDPR’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can cause problems of interpretation. Namely, the question arises as to what data protection obligations do not involve the provision of publicly accessible electronic services in public communications networks.[9] A key example is Article 5(3) EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) EPD applies to any entity that places cookies or other code on a user’s device. Services may therefore be subject to additional obligations under the GDPR in this instance.[10]
Specific Obligations with the Same Objectives
In order not to be subject to additional obligations under the GDPR, processing must be related to matters which are subject to specific obligations with the same objective set out in the EPD. For example, Article 4(1)(a) EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority where a data breach occurs. In line with Article 95 GDPR, since these objectives are mirrored in the GDPR, it will therefore not impose additional obligations on service providers.[11] In contrast, where the EPD does not contain comparative provisions, additional obligations under the GDPR will apply. For example, the EPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).[12]
The e-Privacy Regulation Proposal
Under Recital 173 GDPR, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with it. The Commission adopted such a proposal for the EPD on 19 January 2017.[13]
Decisions
→ You can find all related decisions in Category:Article 95 GDPR
References
- ↑ Costa de Oliveira in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 95 GDPR, p. 1296 (Oxford University Press 2020).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
- ↑ Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (C. H. Beck 2018, 2nd edition).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
- ↑ Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 2 (C. H. Beck 2020, 3rd edition) citing CJEU, C-193/18, Google LLC v Bundesrepublik Deutschland, 13 June 2019 (available here), and CJEU, C-142/18, Skype Communications SRL, 5 June 2019 (available here).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (C. H. Beck 2020, 3rd edition).
- ↑ Karg in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (C. H. Beck 2021, 36th edition); Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (C. H. Beck 2020, 3rd edition); Holländer, in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (C. H. Beck 2020, 36th edition).
- ↑ Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition).
- ↑ Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition).
- ↑ Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1298 (Oxford University Press 2020).
- ↑ Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition); Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 6 (C. H. Beck 2018, 2nd edition).
- ↑ European Commission, Proposal for a Regulation on Privacy and Electronic Communications (available here).