Data Privacy and Cybersecurity

Chapter 18: Relationships with other laws – Unlocking the EU General Data Protection Regulation


Why does this topic matter to organisations?

The GDPR is now the main instrument governing EU data protection law across all Member States. The Directive, which was almost 20 years old, has been repealed. However, the relationship between the GDPR and a number of other laws remains unclear, and is subject to guidance from the EDPB.

What types of organisations are most affected?

All types of organisations are affected by the adoption of the GDPR; however, the potential uncertainty regarding the relationship between the GDPR and other laws is likely to be an issue for telecoms providers in particular.

What should organisations do to comply?

Organisations (and in particular, telecoms providers) should identify whether they are subject to any rules that appear to conflict with the GDPR.

Where relevant, industry associations should prepare submissions to the EDPB, requesting or proposing clarifications on key areas.

   

Icons to convey information quickly

The following icons are used in the table, to clarify the impact of each change:

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

   

Table columns: Issue; The Directive; The GDPR; Impact

Issue: Repeal of the Directive

From the GDPR Effective Date, the Directive will no longer apply in the EU.

The Directive: N/A. The Directive clearly did not address this point.

The GDPR (Rec.171; Art.94): The GDPR repeals the Directive, with effect from the GDPR Effective Date. Since that point, any references to the Directive are construed as references to the GDPR, and any references to the WP29 are construed as references to the EDPB.

Impact: The purpose of the GDPR was essentially to replace the Directive. It follows that the Directive was necessarily repealed from the GDPR Effective Date (i.e., 25 May 2018).

Issue: Relationship with the ePrivacy Directive

The ePrivacy Directive provides a specific set of privacy rules to harmonise the processing of personal data by the telecoms sector. Until it is amended, the ePrivacy Directive will co-exist with the GDPR (which applies to all sectors including the telecoms sector).

The Directive: N/A. The Directive was adopted in 1995, before the ePrivacy Directive which was adopted in 2002 and amended in 2009. Consequently, the Directive did not address this issue.

The GDPR (Rec.173; Art.95): The GDPR does not impose additional obligations on telecoms providers that process personal data under the ePrivacy Directive. However, there remains some uncertainty in the relationship between the ePrivacy Directive and the GDPR, which will require future clarification.

Impact: The coexistence of the GDPR alongside the ePrivacy Directive may give rise to uncertainty in the telecoms sector, and requires clarification.

It is expected that the ePrivacy Directive will be replaced by a Regulation in the near future. This is currently being debated by the relevant European institutions and interested parties.

Issue: Relationship with existing international agreements

Member states can transfer personal data outside the EU or to an international organisation if there is an international agreement in place that does not prejudice other provisions of EU data protection law and includes an appropriate level of protection for the fundamental rights of the data subject.

The Directive: N/A. The Directive did not directly address this issue.

The GDPR (Rec.102, 115; Art.48, 96): International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to the entry into force of the GDPR, and which are compliant with applicable EU law remain in force until amended, replaced or revoked.

Impact: The GDPR does not affect the validity of existing international agreements that have already been concluded by Member States.

   

Commentary: Effect of the repeal of the Directive

The repeal of the Directive leaves the national laws that implement the Directive in an uncertain position. Ultimately, it is likely that this issue will be resolved under the national laws of each Member State, with some Member States electing to keep portions of their existing data protection laws in force under the GDPR (e.g., for the purposes outlined in Chapter 17). However, any remaining national laws that directly conflict with the GDPR would be set aside.

Commentary: Co-existence of the ePrivacy Directive and the GDPR

The adoption of the GDPR while the ePrivacy Directive is still in force could lead to legal uncertainty for all stakeholders (telecoms providers, consumers and regulatory bodies), given the inconsistencies between the two pieces of legislation and potential differences in interpretation. For example, the territorial scope of the ePrivacy Directive, and the basis on which a telecoms provider would need to comply with its provisions, are unclear. The ePrivacy Directive only refers to processing "in the Community" whereas the GDPR further applies to processing taking place outside the EU (see Chapter 4).

Another example of the gap between the GDPR and the ePrivacy Directive arises in respect of data breach notification requirements:

  • under the GDPR a controller has 72 hours to notify the DPA of a data breach (see Chapter 10); but
  • under the ePrivacy Directive (and Regulation (EU) No. 611/2010) a telecoms provider only has 24 hours to notify the competent national authority (which may be a DPA or a separate telecoms regulator, depending on the laws of the relevant Member State).

It should also be noted that, under Art.2(4), the GDPR is stated to be without prejudice to the provisions of the eCommerce Directive and, in particular, the intermediary liability provisions in Articles 12 to 15 of that Directive.

Commentary: International Agreements concluded prior to the adoption of the GDPR

The GDPR does not affect international agreements involving the transfer of personal data to third countries which were concluded by Member States prior to the entry into force of the GDPR. One example of such an agreement is the bilateral Mutual Legal Assistance Treaty ("MLAT") between the UK and the US, which includes provisions regarding the processing of personal data. Under the GDPR, the MLAT remains in force until amended, replaced or revoked.

   

   

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP

 
