Article 95 GDPR
Legal Text
This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
Relevant Recitals
Commentary
Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’) which contains rules on the privacy and confidentiality of electronic communications.
According to Article 95, the GDPR should not impose additional obligations on natural or legal persons - in connection with the provision of publicly available electronic communication services in public communication networks - who are already subject to specific obligations with the same objective under the EPC.
Lex Specialis
Article 95 appears to follow the lex specialis rule of interpretation, whereby a specific law is taken to override a more general law on the same set of facts.
On the one hand, the application of this principle to the two laws is simple: the EPD specifically governs electronic communications, and can therefore be seen to supersede the GDPR, which contains more general provisions on data processing.[1]
It should be noted, however, that in some ways, the EPD is not more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.[2] Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications, in line with Article 7 of the Charter.[3] In this way, as Kühling and Raab note, “the challenge in each case is to check whether the special provisions of Directive actually supersede the general rules of the GDPR.”[4]
Natural or Legal Persons
Article 95 specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the CJEU has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.[5]
Publicly Available Electronic Communication Service
The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’
The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.[6] Whilst this will be the case for classic telecommunications services, it will not for those which operate on the open internet. However, under the European Code of Electronic Communication (‘EKEK’), this is no longer a requirement. The EKEK creates a distinct category of electronic communication service known as ‘interpersonal communication services.’ According to Kuhling and Raab, this category is “clearly tailored to internet communication services” such as Whatsapp and Skype. Notably, under Article icle 2(5)(Hs 2) EKEK, a service will not qualify as an electronic communication service where the communication function is merely ancillary.[7]
Public Communications Networks
The electronic communication service must also be provided in a ‘public communications network’.
Neither the EPD nor the GDPR provide for a definition of a ‘public communications network.’ The EKEK outlilnes that an electronic communications network is public, where is is “wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.” A public communications network would not therefore cover a closed company communications network, whereby employees only interact with each other.[8] In such a situation, Article 95 will not be relevant, and the GDPR applies as normal.
Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating only that the GDPR should apply to matters which are not subject to specific obligations with the same objective under the EPD.
Article 95’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can be seen to “cause problems of interpretation”[9] Namely, the question arises as to what data protection obligations will arise which do not involve the provision of publicly accessible electronic services in public communications networks.[10] A key example is Article 5(3) of the EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) applies to any entity that places cookies or other code on a users’ device. Services may therefore be subject to additional obligations under the GDPR in this instance.[11]
Specific Obligations with the Same Objectives
In order not to be subject to additional obligations under the GDPR, processing must be related to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
For example, Article 4(1a) of the EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority wheree a data breach occurs. Since these objectives are mirrored in the GDPR, in line with Article 95 GDPR, the GDPR will not impose additional obligations on service providers. [Olive, p. 1298]
In contrast, where the EPD does not contain comparative provisions, additional obligations under the GDPR will apply. For example, the DPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).[12]
The e-Privacy Regulation Proposal
Under Recital 173, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with the GDPR. The Commission adopted a proposal for the e-Privacy Regulation on 19 January 2017.[13]
Decisions
→ You can find all related decisions in Category:Article 95 GDPR
References
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
- ↑ Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
- ↑ Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 2 (Beck 2020, 3rd ed.) citing CJEU, Google LLC v Bundesrepublik Deutschland, C-193/18, 13 June 2019 (available here), and CJEU, Skype Communications SRL, C-142/18, 5 June 2019 (available here).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.)
- ↑ Karg in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (Beck 2021, 36th ed.) (accessed 6 September 2021); Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (Beck 2020, 3rd ed.) (accessed 6 September 2021); Holländer, in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (Beck 2020, 36th ed.) (accessed 6 September 2021).
- ↑ Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 5 (Beck 2020, 3rd ed.) (accessed 6 September 2021).
- ↑ Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
- ↑ Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
- ↑ Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021); Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
- ↑ European Commission, Proposal for a Regulation on Privacy and Electronic Communications (available here).