Module 1 · Directive vs Regulation, the EDPB and ePrivacy
A Directive obliges Member States to implement it in local law; a Regulation is directly applicable with no local implementation needed - the GDPR is a Regulation (though it allows about 50 provisions for national tailoring). On 25 May 2018 the EDPB replaced the Article 29 Working Party. The ePrivacy Directive sits alongside the GDPR; EDPB Opinion 5/2019 explains their interplay (complement, parallel, lex specialis, lex generalis).
| Directive | Regulation | |
|---|---|---|
| Who is bound | Obligations on Member States, whose governments implement it | Directly binds everyone in every Member State |
| Local implementation | Required - transposed into national law | None needed - directly applicable and enforceable |
| Consistency | Varies by state (Data Protection Directive had 34 articles, implemented differently) | One set of rules for all states (GDPR allows ~50 provisions for tailoring) |
| Example | Data Protection Directive (1995); ePrivacy Directive | GDPR |
As of 25 May 2018, the EDPB replaced the Article 29 Working Party. It is an independent European body contributing to consistent application and DPA cooperation, made of national DPA representatives plus the EDPS. Article 29 Working Party guidance remains relevant where it aligns with the GDPR (especially guidelines endorsed by the EDPB).
The ePrivacy Directive (Directive 2002/58; in force May 2011) governs privacy in the electronic communications sector and was originally aligned to the Data Protection Directive. EDPB Opinion 5/2019 sets out four interplay characteristics with the GDPR.
- To complement: several ePrivacy provisions complement the GDPR (e.g. protecting "subscribers" and "users").
- Article 95 GDPR: avoid duplicate administrative burdens; breach-notification obligations apply in parallel under both instruments per their scopes.
- To particularise (lex specialis): special provisions prevail over general rules; e.g. Article 6 ePrivacy limits traffic-data processing, so not all Article 6 GDPR bases are available.
- Co-existence (lex generalis): where no lex specialis applies, the general rule applies; e.g. no specific ePrivacy provision on access to traffic data → the GDPR applies.