The e-Commerce Directive and GDPR : towards convergence of legal regimes in the algorithmic society?

Abstract

The legal regimes of online intermediaries’ liability and data protection have been conceived on parallel tracks. Whereas the Data Protection Directive could not exclude from its scope of application the e-Commerce Directive due to chronological reasons, the latter expressly clarified that its scope does not include data protection matters. The rise of the algorithmic society has blurred this traditional gap. From a merely passive role, new online intermediaries such as search engines and social networks have acquired an increasingly active role in managing online contents. At the same time, their role in deciding how to process personal data has transformed these actors from data processors to controllers. This evolving framework has led to the convergence of the parallel tracks which have started to overlap. In particular, the ECJ decision in Google Spain and the Italian Google Vivi Down saga have shown the intersections between the two regimes. The adoption of the General Data Protection Regulation (GDPR) has contributed to reducing the gap between the regimes of data protection and ISP liability. The GDPR has clarified that the application of the new Regulation should not affect the rules provided for by the e-Commerce Directive, in particular, those regarding ISP’s liability. The result could be a potential overlap of two layers which, until the adoption of the GDPR, were conceived from two different perspectives.