The European ePrivacy Directive: The Companion to GDPR About Which You Need to Know
Along with the General Data Protection Regulation,1 there is a companion piece of legislation that also went into effect. That companion piece is called the ePrivacy Directive.2 The ePrivacy Directive was supposed to come into effect in May, 2018, but that has been delayed until sometime in 2019.
The ePrivacy Directive, while being a companion to the GDPR, differs from the latter in significant ways. In contrast, GDPR is all about capturing and storing data (at rest), while the ePrivacy Directive is designed primarily to protect that data while in transit.
Note, however, that the ePrivacy Directed covers a broader range of data than the GDPR. The GDPR is focused on privacy of the individual. The ePrivacy Directive, however, includes non-personal data.3 This difference has much to do with the difference in legal foundation between the two laws. The basis for the ePrivacy Directive are Article 16 and Article 114 of the Treaty on the Functioning of the European Union as well as Article 7 of the Charter of Fundamental Rights. The GDPR, on the other hand, is based on Article 8 of the European Charter of Human Rights, which is interpreted similarly to Article 7 of the Charter of Fundamental Rights.
As with GDPR, the ePrivacy Directive has some teeth in the remedies. Article 23 of the ePrivacy Directive allows administrative fines of up to EUR 10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
While the penalties may seem onerous, the way to avoid them is simple: encrypt the data while it is in transit. You can send the data as an encrypted file, or transmit it by, for example, SSH or VPN on the Internet. These protocols are inexpensive (usually free) and are easy to set up. Much easier, in fact, than inventing excuses.
1 Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation ("GDPR").
2 Regulation (EU) 2017/0003(COD), commonly known as the “ePrivacy Directive.”
3Id, at 2.2.