Article 95 GDPR: Difference between revisions

From GDPRhub
Line 200: Line 200:
Article 95 appears to follow the ''lex specialis'' rule of interpretation, whereby a specific law is taken to override a more general law on the same set of facts.
Article 95 appears to follow the ''lex specialis'' rule of interpretation, whereby a specific law is taken to override a more general law on the same set of facts.


On the one hand, the application of this principle to the two laws is simple: the EPD ''specifically'' governs electronic communications, and can therefore be seen to supersede the GDPR, which contains more general provisions on data processing.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.).</ref>
On the one hand, the application of this principle to the two laws is simple: the EPD ''specifically'' governs electronic communications, and can therefore be seen to supersede the GDPR, which contains more general provisions on data processing.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.) (accessed 6 September 2021).</ref>


It should be noted, however, that in some ways, the EPD is ''not'' more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.<ref>''Gernot, Sydow,'' in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (Beck 2018, 2<sup>nd</sup> ed.)</ref> Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications, in line with Article 7 of the Charter.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.).</ref> In this way, as ''Kühling'' and ''Raab'' note, ''“the challenge in each case is to check whether the special provisions of Directive actually supersede the general rules of the GDPR.”''<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.).</ref>
It should be noted, however, that in some ways, the EPD is ''not'' more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.<ref>''Gernot, Sydow,'' in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 6 September 2021).</ref> Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications, in line with Article 7 of the Charter.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.) (accessed 6 September 2021).</ref> In this way, as ''Kühling'' and ''Raab'' note, ''“the challenge in each case is to check whether the special provisions of Directive actually supersede the general rules of the GDPR.”''<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.) (accessed 6 September 2021).</ref>


==== Natural or Legal Persons ====
==== Natural or Legal Persons ====
Article 95 specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the CJEU has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.<ref>''Olive'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).</ref>


==== Publicly Available Electronic Communication Service ====
==== Publicly Available Electronic Communication Service ====
The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’
The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 2 (Beck 2020, 3<sup>rd</sup> ed.) citing CJEU, Google LLC v Bundesrepublik Deutschland, C-193/18, 13 June 2019 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-193/18 here]), and CJEU, Skype Communications SRL, C-142/18, 5 June 2019 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=214741&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5169081 here]).
</ref> Whilst this will be the case for classic telecommunications services, it will not for those which operate on the open internet. However, under the European Code of Electronic Communication (‘EKEK’), this is no longer a requirement. The EKEK creates a distinct category of electronic communication service known as ‘interpersonal communication services.’ According to ''Kuhling'' and ''Raab'', this category is “''clearly tailored to internet communication services”'' such as Whatsapp and Skype. Notably, under Article icle 2(5)(Hs 2) EKEK, a service will not qualify as an electronic communication service where the communication function is merely ancillary.<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3<sup>rd</sup> ed.)</ref>


==== Public Communications Networks ====
==== Public Communications Networks ====
The electronic communication service must also be provided in a ‘public communications network’.
Neither the EPD nor the GDPR provide for a definition of a ‘public communications network.’ The EKEK outlilnes that an electronic communications network is public, where is is ''“wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.”'' A public communications network would not therefore cover a closed company communications network, whereby employees only interact with each other.<ref>''Karg'' in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (Beck 2021, 36th ed.) (accessed 6 September 2021); ''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (Beck 2020, 3<sup>rd</sup> ed.) (accessed 6 September 2021); ''Holländer'', in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (Beck 2020, 36th ed.) (accessed  6 September 2021).</ref> In such a situation, Article 95 will not be relevant, and the GDPR applies as normal.
Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating only that the GDPR should apply to matters which are not subject to specific obligations with the same objective under the EPD.
Article 95’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can be seen to ''“cause problems of interpretation''”<ref>''Kühling, Raab'', in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 5 (Beck 2020, 3<sup>rd</sup> ed.) (accessed  6 September 2021).</ref> Namely, the question arises as to what data protection obligations will arise which ''do not'' involve the provision of publicly accessible electronic services in public communications networks.<ref>''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2<sup>nd</sup> ed.) (accessed  6 September 2021). </ref> A key example is Article 5(3) of the EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) applies to any entity that places cookies or other code on a users’ device. Services may therefore be subject to additional obligations under the GDPR in this instance.<ref>''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 6 September 2021).</ref>


==== Specific Obligations with the Same Objectives ====
==== Specific Obligations with the Same Objectives ====
In order not to be subject to additional obligations under the GDPR, processing must be related to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.


===== Cookies and Similar Tracking Technologies =====
For example, Article 4(1a) of the EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority wheree a data breach occurs. Since these objectives are mirrored in the GDPR, in line with Article 95 GDPR, the GDPR will not impose additional obligations on service providers. [Olive, p. 1298]


===== Consent & the Rights of the Data Subject =====
In contrast, where the EPD does not contain comparative provisions, additional obligations under the GDPR will apply. For example, the DPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).<ref>''Gernot, Sydow,'' in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 6 September 2021); ''Piltz,'' in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 6 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 6 September 2021).</ref>


==== The e-Privacy Regulation Proposal ====
==== The e-Privacy Regulation Proposal ====
Under Recital 173, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with the GDPR. The Commission adopted a proposal for the e-Privacy Regulation on 19 January 2017.<ref>European Commission, Proposal for a Regulation on Privacy and Electronic Communications (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 here]). </ref>


==Decisions==
==Decisions==
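
Review bot: the added heading "===== Cookies and Similar Tracking Technologies =====" sits above the paragraph on Article 4(1a) and Article 4(3) (protective measures and breach notification), while the cookie discussion of Article 5(3) of the EPD is in the "Public Communications Networks" section above it; rename the heading or move it to the Article 5(3) passage. In that same paragraph, "Article 4(3) GDPR" appears in a sentence that otherwise lists EPD obligations, and "[Olive, p. 1298]" is left as bracketed text instead of a ref like the other citations. The next added paragraph says "the DPD contains no provisions" directly after "where the EPD does not contain", so both abbreviations should be checked. The added lines also carry typos to fix before saving: "Article icle 2(5)(Hs 2)", "outlilnes", "where is is", "wheree", "''Kuhling''" without the umlaut, and the quotation "cause problems of interpretation" runs into its ref without a full stop.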

Revision as of 11:15, 9 September 2021

Article 95 - Relationship with Directive 2002/58/EC
Chapter 10: Delegated and implementing acts

Legal Text

Article 95 - Relationship with Directive 2002/58/EC


This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Relevant Recitals

Recital 173: Relationship to Directive 2002/58/EC
This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

Commentary

Article 95 GDPR regulates the relationship between the GDPR and Directive 2002/58/EC (the ‘e-Privacy Directive’ or ‘EPD’) which contains rules on the privacy and confidentiality of electronic communications.

According to Article 95, the GDPR should not impose additional obligations on natural or legal persons who, in connection with the provision of publicly available electronic communication services in public communication networks, are already subject to specific obligations with the same objective under the EPD.

Lex Specialis

Article 95 appears to follow the lex specialis rule of interpretation, whereby a specific law is taken to override a more general law on the same set of facts.

On the one hand, the application of this principle to the two laws is simple: the EPD specifically governs electronic communications, and can therefore be seen to supersede the GDPR, which contains more general provisions on data processing.[1]

It should be noted, however, that in some ways, the EPD is not more specific than the GDPR. For example, whilst the GDPR only protects natural persons in relation to the processing of their personal data, the EPD also protects the legitimate interests of legal persons.[2] Moreover, whilst the GDPR specifically protects personal data in accordance with Article 8 of the Charter, the EPD more broadly protects the privacy and confidentiality of electronic communications, in line with Article 7 of the Charter.[3] In this way, as Kühling and Raab note, “the challenge in each case is to check whether the special provisions of Directive actually supersede the general rules of the GDPR.”[4]

Natural or Legal Persons

Article 95 specifies that additional obligations must not be placed on natural or legal persons. This reflects the scope of the EPD, which in turn stems from Article 7 of the Charter. In particular, the case law of the CJEU has established that professional persons’ legal activities should not be excluded from the protection afforded by Article 7 of the Charter.[5]

Publicly Available Electronic Communication Service

The processing subject to Article 95 GDPR must be connected to the provision of a ‘publicly available electronic communications service.’

The CJEU had previously ruled that a service may only be classified as an electronic communication service where it is responsible for the transmission of the signal over the communication network to the user.[6] Whilst this will be the case for classic telecommunications services, it will not be for those which operate on the open internet. However, under the European Code of Electronic Communication (‘EKEK’), this is no longer a requirement. The EKEK creates a distinct category of electronic communication service known as ‘interpersonal communication services.’ According to Kühling and Raab, this category is “clearly tailored to internet communication services” such as WhatsApp and Skype. Notably, under Article 2(5)(Hs 2) EKEK, a service will not qualify as an electronic communication service where the communication function is merely ancillary.[7]

Public Communications Networks

The electronic communication service must also be provided in a ‘public communications network’.

Neither the EPD nor the GDPR provides a definition of a ‘public communications network.’ The EKEK outlines that an electronic communications network is public where it is “wholly or mainly used to provide publicly accessible electronic communication services that enable the transmission of information between network termination points.” A public communications network would therefore not cover a closed company communications network in which employees only interact with each other.[8] In such a situation, Article 95 will not be relevant, and the GDPR applies as normal.

Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference to ‘publicly accessible electronic communication services in public communication networks’, stating only that the GDPR should apply to matters which are not subject to specific obligations with the same objective under the EPD.

Article 95’s explicit reference to ‘publicly accessible electronic communication services in public communication networks’ in this context can be seen to “cause problems of interpretation”.[9] Namely, the question arises as to what data protection obligations will arise which do not involve the provision of publicly accessible electronic services in public communications networks.[10] A key example is Article 5(3) of the EPD, which regulates the placement of cookies and other similar tracking technologies. Rather than applying only to publicly accessible electronic communications services, Article 5(3) applies to any entity that places cookies or other code on a user’s device. Services may therefore be subject to additional obligations under the GDPR in this instance.[11]

Specific Obligations with the Same Objectives

In order not to be subject to additional obligations under the GDPR, processing must be related to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

For example, Article 4(1a) of the EPD requires service providers to put in place measures to ensure the protection of personal data, and Article 4(3) GDPR requires service providers to notify the relevant authority where a data breach occurs. Since these objectives are mirrored in the GDPR, in line with Article 95 GDPR, the GDPR will not impose additional obligations on service providers. [Olive, p. 1298]

In contrast, where the EPD does not contain comparable provisions, additional obligations under the GDPR will apply. For example, the DPD contains no provisions with regard to data subject rights (Chapter III GDPR), nor consent (Article 7 GDPR).[12]

The e-Privacy Regulation Proposal

Under Recital 173, once the GDPR is adopted, the EPD should be reviewed in order to ensure consistency with the GDPR. The Commission adopted a proposal for the e-Privacy Regulation on 19 January 2017.[13]

Decisions

→ You can find all related decisions in Category:Article 95 GDPR

References

  1. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
  2. Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 2,5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
  3. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
  4. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.) (accessed 6 September 2021).
  5. Olive, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1297 (Oxford University Press 2020).
  6. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 2 (Beck 2020, 3rd ed.) citing CJEU, Google LLC v Bundesrepublik Deutschland, C-193/18, 13 June 2019 (available here), and CJEU, Skype Communications SRL, C-142/18, 5 June 2019 (available here).
  7. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin numbers 1-3b (Beck 2020, 3rd ed.).
  8. Karg in Wolff, Brink, BeckOK DatenschutzR, Article 95 GDPR, margin number 6 (Beck 2021, 36th ed.) (accessed 6 September 2021); Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 3b (Beck 2020, 3rd ed.) (accessed 6 September 2021); Holländer, in BeckOK DatenschutzR, Article 95 GDPR, margin number 4 (Beck 2020, 36th ed.) (accessed 6 September 2021).
  9. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 95 GDPR, margin number 5 (Beck 2020, 3rd ed.) (accessed 6 September 2021).
  10. Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
  11. Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
  12. Gernot, Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 95 GDPR, margin number 5 (Beck 2018, 2nd ed.) (accessed 6 September 2021); Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 6 September 2021).
  13. European Commission, Proposal for a Regulation on Privacy and Electronic Communications (available here).