Just over two weeks to go to comment on the extremely extensive ePrivacy guidelines of the EDPB, now covering pretty much any interaction with the Internet or a computer. Working on one anonymised response in particular to integrate concerns of certain organisations, I wonder once more why the EDPB did not seek to better justify its authority for adopting those “guidelines”. Some pointers for those who might be preparing (or considering submitting) a response:
– the EDPB’s predecessor, WP29, didn’t have the power to adopt guidelines, but it did notably have the power to “make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the [EU]” (Art. 30(3) of Directive 95/46/EC) – basically, data protection in broad terms
[Opinion 04/2012 on Cookie Consent Exemption referred to that justification for its authority]
– the EDPB’s powers to adopt opinions/guidelines/recommendations under Art. 70 GDPR *all* directly refer only to the GDPR itself, except for 70(1)(b): “advise the Commission on any issue related to the protection of personal data in the Union
– *no* reference anywhere to the power to make recommendations or adopt guidelines on broader matters, in any way that is equivalent to Art. 30(3) of Directive 95/46/EC
– Art. 70(1)(e) GDPR, to which the EDPB itself refers in its proposed ePrivacy guidelines, states that the EDPB shall “examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of [the GDPR] and issue guidelines, recommendations and best practices in order to encourage consistent application of [the GDPR]
So does the EDPB consider that it can interpret Art. 70(1)(e) GDPR to also mean “the ePrivacy Directive” as well as “the GDPR”, just by virtue of Art. 15(3) ePrivacy Directive? Or should we consider that the proposed guidelines are there purely to encourage consistent application of the GDPR? (which in turn raises questions as to their scope)
When asked for clarification, some told me simply “we put the justification in the guidelines”. Not exactly convincing.
It’s important to recall also that not all authorities entrusted with enforcement of Art. 5(3) ePrivacy Directive are part of the EDPB.
So, tip for those responding: indicate in your response if you have concerns about the EDPB’s authority. And get a lawyer to double-check your response – you don’t want your response to suggest that you accept their authority unconditionally.
Need a hand? Reach out quickly! (Deadline for responding: 18 January 2024)
More in-depth comments on the guidelines:
– Part I: By what authority? https://lnkd.in/ekdviZ_K
– Part II: Overbroad notions and regulator activism? https://lnkd.in/eDV4NSRX
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗