Module 8 · ePrivacy Directive, location data & biometric data
The ePrivacy Directive (2002/58) governs data from terminal equipment over public electronic communications networks - its main basis is consent and it does NOT recognise legitimate interest. It is lex specialis over the GDPR. Article 5(1) protects confidentiality of communications; Article 15(1) allows limited exceptions. Location data usually needs opt-in consent. Biometric data (Article 4(14)) is special-category only when processed to uniquely identify a person.
The ePrivacy Directive (Directive 2002/58) governs data from terminal equipment over public electronic communications networks. Its main legal basis is consent (except where processing is part of a service the user expressly requested), and it does NOT recognise legitimate interest. It is lex specialis over the GDPR. If data passes only over a private network (e.g. a corporate intranet), ePrivacy does not apply - though monitoring rules still do.
- Article 5(1) - confidentiality of communications; no interception without consent.
- Article 15(1) - Member States may make limited exceptions (national security, law enforcement).
- A lawful-business-purpose exemption allows interception over public networks where defined by Member State law.
Location data is an identifier under the GDPR (personal data if it can identify a person alone or combined with other data). Under ePrivacy it usually requires opt-in consent, given how intrusive it is.
Biometric data (Article 4(14)) is 'personal data resulting from specific technical processing... which allow or confirm the unique identification' (facial images, fingerprints, DNA, retina, voice, gait). Two uses: Identification ('who are you?') and Authentication ('are you who you claim to be?'). It is special-category only when processed for the purpose of uniquely identifying a person - a yearbook photo is not. See EDPB Guidelines 05/2022 on facial recognition in law enforcement.