On 18 June 2021, the EDPB adopted internal document No. 04/2021 on the criteria for the territorial competence of supervisory authorities for the enforcement of Article 5(3) of the ePrivacy Directive.
In view of recent decisions adopted by some SAs that are competent to enforce Article 5(3) of the ePrivacy Directive[1], the EDPB has issued an Opinion aimed at establishing a uniform interpretation of the territorial jurisdiction of SAs responsible for the enforcement of Article 5(3). Decisions adopted by SAs have shown that the territorial scope of application of the Directive may vary between different SAs, particularly where the controller/service provider is established in several Member States. Uncertainties on this issue could jeopardize decisions adopted by SAs across the Union.
The Opinion cites Article 17(1) of the ePrivacy Directive, according to which “Member States shall bring into force the provisions necessary to comply with this Directive”, while Article 15(1) of the same Directive states that “Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented”. In view of the above, Member States are obliged to take the measures necessary to ensure that the objectives set out in the Directive are met, but the Directive makes no reference to its territorial application. This issue was, however, addressed by the CJEU case law on the territorial application of the repealed Directive 95/46/EC. In the case Wirtschaftsakademie Schleswig-Holstein, C-210/16, 5 June 2018, the Court stated that the supervisory authority of a Member State was entitled to exercise its powers against an establishment of an undertaking situated in its territory and in the course of whose activities the processing is carried out, even if the establishment responsible for the collection and processing of data was situated in another Member State.[2]
If the data controller/service provider has no establishment in a Member State, the national law of this Member State may provide criteria other than establishment to enforce its national law in respect of this controller/service provider.
It follows from the above that each competent SA is entitled to enforce its national law implementing the Directive as far as it concerns entities within its territorial jurisdiction.
In addition, it must be stressed that the provisions implementing the Directive cannot prevent the SA of another Member State from enforcing the Directive in accordance with national legislation, as this would be contrary to Article 1.1 of the Directive, which aims to protect the fundamental rights and freedoms of data subjects.
As regards possible sanctions in case of infringement of the Directive, Member States have been given some leeway in setting their limits. The fine imposed on the data controller/service provider could depend only on the national law of the country concerned. It seems that in such a situation, a fine could fail to serve as a deterrent to infringements in certain situations. Effective protection of European user data might not be ensured. However, there is nothing to prevent supervisory authorities from initiating a cross-border dialogue to create harmonized conditions for privacy and electronic communications issues in accordance with Article 15a(4) of the Directive.
In view of the above, the EDPB came to the following conclusions. SAs that are competent to enforce Article 5(3) of the ePrivacy Directive are entitled to exercise the powers granted to them under their national law when:
In any event, the measures taken:
[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) as amended by Directive 2006/24/EC and Directive 2009/136/EC
[2] The Court ruled that “Articles 4 and 28 of Directive 95/46 must be interpreted as meaning that, where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State.”