Chapter 18: Relationships with other laws – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law

Chapter 18: Relationships with other laws – Unlocking the EU General Data Protection Regulation

Previous Chapter | Next Chapter | Index of Chapters

Overview

Why does this topic matter to organisations?

From the GDPR Effective Date, the GDPR will be the main instrument governing EU data protection law across all Member States. The Directive, which is almost 20 years old, will be repealed. However, the relationship between the GDPR and a number of other laws remains unclear, and is subject to guidance from the EDPB that will not be published for some time.

What types of organisations are most affected?

All types of organisations are affected by the adoption of the GDPR; however, the potential uncertainty regarding the relationship between the GDPR and other laws is likely to be an issue for telecoms providers in particular.

What should organisations do to prepare?

Organisations (and in particular, telecoms providers) should identify whether there are any rules to which they are presently subject, that are likely to conflict with the GDPR.

Where relevant, industry associations should prepare submissions to the EDPB, requesting or proposing clarifications on key areas.

 

Icons are used below to clarify the impact of each GDPR change. These GDPR impact icons are explained here.

   
   

Detailed analysis

Issue

The Directive

The GDPR

Impact

blank

Repeal of the Directive

From the GDPR Effective Date, the Directive will no longer apply in the EU.

blank

N/A

The Directive clearly did not address this point.

materially changes

Rec.171; Art.94

The GDPR repeals the Directive, with effect from the GDPR Effective Date. From that point on, any references to the Directive will be construed as references to the GDPR, and any references to the WP29 will be construed as references to the EDPB.

neutral

The purpose of the GDPR is essentially to replace the Directive. It follows that the Directive must be repealed from the GDPR Effective Date (i.e., 25 May 2018).

blank

Relationship with the ePrivacy Directive

The ePrivacy Directive provides a specific set of privacy rules to harmonise the processing of personal data by the telecoms sector. Until it is amended, the ePrivacy Directive will co-exist with the GDPR (which applies to all sectors including the telecoms sector).

blank

N/A

The Directive was adopted in 1995, before the ePrivacy Directive which was adopted in 2002 and amended in 2009. Consequently, the Directive does not address this issue.

does not materially change

Rec.173; Art.95

The GDPR does not impose additional obligations on telecoms providers that process personal data under the ePrivacy Directive. However, there remains some uncertainty in the relationship between the ePrivacy Directive and the GDPR, which will require future clarification.

negative

The coexistence of the GDPR alongside the ePrivacy Directive may give rise to uncertainty in the telecoms sector, and requires clarification.

 

positive

The European Commission is currently reviewing the relationship between the GDPR and the ePrivacy Directive and is expected to provide further clarity on this issue.

blank

Relationship with existing international agreements

Member states can transfer personal data outside the EU or to an international organisation if there is an international agreement in place that does not prejudice other provisions of EU data protection law and includes an appropriate level of protection for the fundamental rights of the data subject.

blank

N/A

The Directive does not directly address this issue.

does not materially change

Rec.102, 115; Art.48, 96

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to the entry into force of the GDPR, and which are compliant with applicable EU law remain in force until amended, replaced or revoked.

neutral

The GDPR does not affect the validity of existing international agreements that have already been concluded by Member States.

 

Further analysis

Commentary: Effect of the repeal of the Directive

The repeal of the Directive leaves the national laws that implement the Directive in an uncertain position. For example, in the case of the UK, the Data Protection Act 1998 purports to implement the Directive. Once the Directive is repealed, what happens to the Data Protection Act 1998? Ultimately, it is likely that this issue will be resolved under the national laws of each Member State, with some Member States electing to keep portions of their existing data protection laws in force under the GDPR (e.g., for the purposes outlined in Chapter 17). However, any remaining national laws that directly conflict with the GDPR would be set aside.

Commentary: Co-existence of the ePrivacy Directive and the GDPR

Adopting the GDPR while the ePrivacy Directive is still in force could lead to legal uncertainty for all stakeholders—telecoms providers, consumers and regulatory bodies—given the inconsistences between the two pieces of legislation and potential differences in interpretation. For example, the territorial scope of the ePrivacy Directive and the basis on which a telecoms provider would need to comply with its provisions, are unclear. The ePrivacy Directive only refers to processing "in the Community" whereas the GDPR further applies to processing taking place outside the EU (see Chapter 4).

Another example of the gap between the GDPR and the ePrivacy Directive arises in respect of data breach notification requirements:

  • under the GDPR a controller has 72 hours to notify the DPA of a data breach (see Chapter 10); but
  • under the ePrivacy Directive (and

Regulation (EU) No. 611/2010) a telecoms provider only has 24 hours to notify the competent national authority (which may be a DPA or a separate telecoms regulator, depending on the laws of the relevant Member State). It should also be noted that, under Art.2(4), the GDPR is stated to be without prejudice to the provisions of the eCommerce Directive and, in particular, the intermediary liability provisions in Articles 12 to 15 of that Directive.

Commentary: International Agreements concluded prior to the adoption of the GDPR

The GDPR does not affect international agreements involving the transfer of personal data to third countries which were concluded by Member States prior to the entry into force of the GDPR. One example of such an agreement is the bilateral agreement on Mutual Legal Assistance Treaty ("MLAT") between the UK and the US, which includes provisions regarding the processing of personal data. Under the GDPR, the MLAT will remain in force until amended, replaced or revoked.

 

NEXT CHAPTER
Chapter 19: Transitional provisions

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice

 

If you would like to request a hard copy of this Handbook, please do so here.

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP