Firms attempting to comply with the GDPR also have to be careful they don’t trip over the EU’s ePrivacy Directive.
Those that violate both laws could face higher fines and double scrutiny, judging by an opinion issued earlier this month by the European Data Protection Board in response to a query from Belgian authorities.
But there are limits. In assessing authority, the EDPB writes that national authorities can assess compliance with the ePrivacy Directive “only if national law confers this competence on them.” Some national laws do not.
However, the opinion adds that “the mere fact that a subset of the (data) processing falls within the scope of the e-Privacy Directive, does not limit the competence of data protection authorities under the GDPR.”
And it adds that “an infringement of the GDPR might also constitute an infringement of national ePrivacy rules.” Authorities may “take this factual finding as to an infringement of the ePrivacy rules when applying the GDPR.”
GDPR fines are higher. In the UK, “the Information Commissioner's Office has the power to issue fines of up to 4% of a company's annual global turnover, or €20 million, whichever is highest, for serious breaches of the GDPR, whereas a £500,000 cap applies to the maximum fine it can impose under the e-Privacy regime,” writes Out-Law.com.
The EDPB concludes that while GDPR regulations do not apply to the national enforcement of the ePrivacy Directive, the “cooperation and consistency mechanism remains fully applicable.”