Updated: Oct 31, 2018

One of the goals put forth by the Digital Market Strategy was to revisit the privacy safeguards established in the Directive 2002/58/EC (the e-Privacy Directive) in order to ensure an adequate protection of users and businesses in the electronic communication sector. Further scrutiny of the e-Privacy Directive[1] conducted by the European Commission confirmed the validity of underlying principles of the framework but at the same time acknowledged the obsolescence of its technological and economic scope. In particular, the e-Privacy Directive has failed to address so-called Over-the-Top (the “OTT”) communication services (e.g. web-based email services, instant messengers, voice over Internet Protocol) that, unlike traditional telecommunication providers, are not subject to existing regulatory requirements. The draft of the new e-Privacy Regulation[2] (the “Regulation” or “Proposal) published in 2017 seeks to revamp this and, together with the General Data Protection Regulation[3] (the GDPR), fortify the framework for the data processing in the European Union.

The GDPR and e-Privacy Regulation: Legal Synergy

The new e-Privacy Regulation is set to be the lex specialis to the GDPR further cascading its approach on the protection of sensitive information in the context of electronic communication. With the e-Privacy Regulation focusing exclusively on the electronic communication segment, all other aspects of personal data protection, unless elucidated in the e-Privacy Regulation, shall be governed by the GDPR. The status of a regulation renders the legislation in question immediately enforceable in all Member States. To this end, the e-Privacy Regulation was set to enter into force simultaneously with the GDPR on May 25, 2018, however, the process has been delayed due to the ongoing discussions pending on the European Council’s part. Once fully operable, the local control over enforcement of the e-Privacy Regulation will be entrusted to the supervisory authorities already tasked with the monitoring of the GDPR compliance[4].

Broadened Material Scope and Legislative Novelties

In terms of scope the e-Privacy Regulation will cover both content and metadata derived from the electronic communication generated by legal and/ or natural persons. According to the Proposal, since metadata may reveal confidential and private details about involved parties while legal persons can exchange trade secrets and other information of substantial business value in the course of electronic communication flow, the adequate safeguards shall be extended to them, too. Notably, legal entities shall benefit from the same degree of end-users’ rights protection vis-a-vis supervisory authorities as natural persons.

Mindful of the lesson learned by the e-Privacy Directive, core definitions of the Regulation are deliberately articulated in a broad and technologically neutral manner to keep it future-proof.

Apart from focusing on the OTT service providers, the e-Privacy Regulation will apply to all players on the market of electronic communication including:

  • providers of publicly available directories[5],

  • legal and natural persons carrying out direct marketing or collecting information related to or directly stored in end-users’ terminal equipment[6],

  • public wireless network providers[7],

  • Internet of Things platforms providers (in the context of transmission of machine-to-machine communication)[8].

The Regulation will encompass electronic communication connected with the provision and use of electronic communication services in the European Union, regardless of whether or not the activity itself takes place in the European Union. In addition, it will also apply to cases where provision of electronic communication services was carried out from outside of the European Union to end-users in the European Union.

Terminal Equipment Protection

The draft of the e-Privacy Regulation has emphasised the importance of appropriate protection for the terminal equipment[9] forming an inalienable part of the electronic communication network and information related to usage of such equipment. Keeping in mind the exposure that terminal equipment may have towards various hidden identifiers, spyware and other unwanted tracking features, the Regulation devises an enhanced privacy protection regime in this area and prescribes for consent to be the main ground allowing for interference with the terminal equipment-related data (save for a set of exceptions outlined in Article 8 (1)).

Underlying Role of Consent and Cookies Acceptance

The notion of consent is central for the purposes of the Regulation. Apart from the certain exceptions, the processing of the abovementioned electronic communication data is subject to authorisation from the end-user. The quality standards of such consent mirror the ones adopted by the GDPR[10]. In particular, it should include an affirmative action manifested through a user-friendly method secured by a provider. The Regulation regards appropriate browser settings or other applications as one of such methods and, similarly to the GDPR, allows for the consent to be withdrawn at any time with no impediments attached to the process[11].

The fact that the end-user’s consent must be sought, in order to utilize electronic communication metadata, should be viewed through the prism of new commercial opportunities. Once such consent is granted service providers will be able to explore new areas for potential business engagements. Heatmaps indicating the presence of an individual are used to exemplify this[12].

Another element of the EU digital agenda that the Regulation is yet to ameliorate is the rules for acceptance of cookies. The main approach propounded in the draft is to simplify the cookies acceptance mechanism by streamlining consent through browser settings. At the same time, no consent will be needed for non-privacy intrusive cookies upgrading browsing experience (e.g. remembering shopping card history)[13] or cookies tracking web-site’s visitors’ traffic.

Unsolicited Marketing Communication Reform

The e-Privacy Regulation has also addressed an issue of marketing electronic communication by shifting the gears and granting consumer a higher degree of control over direct marketing communication coming their way. In particular, unsolicited electronic communication carried out via SMS, emails and automated calling machines will be prohibited. In case of publicly available number-based interpersonal communication services end-users shall be provided with either an option to block calls from a concrete number or any anonymous number or stop automatic call forwarding process[14]. Marketing callers will be obliged to reveal their phone numbers[15] or use a prefix indicating that the call in question is of marketing nature[16].

It will be fair to conclude that with all heated discussions around the topic as well as political and commercial reverberations it entails, the e-Privacy Regulation has been one of the most eagerly anticipated pieces of legislation in the European Union. It’s unique symbiosis with the GDPR, ambitious material scope, revised approach towards cookies and terminal equipment as well as a strong focus on the end-user’s consent will play an important role in shaping the future of the market of electronic communications in the EU and beyond.

At present, 2020 appears to be a realistic timeline[17] for the Regulation to come into force subject to trilogue negotiations between the European Parliament, European Commission and European Council progressing.

[1] Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC, outcomes available at (last accessed 10.08.2018).

[2] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), text available at (last accessed 10.08.2018).

[3] Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).

[4] Article 18.

[5] Article 2 (c).

[6] Section 8 of the Proposal.

[7] Section 13 of the Proposal.

[8] Section 12 of the Proposal.

[9] See Chapter II.

[10] Article 9 (1).

[11] Article 9 (3).

[12] Section 17 of the Proposal.

[13] Section 22 of the Proposal.

[14] Article 15.

[15] Article 16 (3) a.

[16] Article 16 (3) b.

[17] David Mayer, “ePrivacy rapporteur furious over Austria’s limited ambition”, IAPP, available at (last accessed 11.08.2018).


©2018 eprivacy tracker. Powered by PIERSTONE.

logo (1).png