The ePrivacy Regulation and its Impact

What is ePrivacy Regulation?

The ePrivacy Regulation (ePR) is a proposal for a Regulation on Privacy and Electronic Communications. Its full name is “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).” It would repeal the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive) and is lex specialis to the General Data Protection Regulation. It would particularise and complement the latter on the electronic communications data that qualify as personal data like the requirements for consent to the use of cookies and opt-outs.

The scope of the ePrivacy Regulation would apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing.

What is the difference between ePrivacy Regulation vs GDPR?

The ePrivacy Regulation will replace the ePrivacy and Electronic Communications Directive 2002, which was implemented in the UK in 2003. The fact it is a regulation is important, as this means it will be a legal act and will be immediately enforceable in its entirety across all EU member states, as opposed to a directive, which allows states to introduce their own mechanisms, provided they match the spirit of the original directive.

Where GDPR is focused on protecting personal data, the ePrivacy Regulation is more about protecting personal privacy (both for individuals and businesses) across electronic communications. The distinction is important, as you’ll see when we talk about the scope of the ePrivacy Regulation and the kinds of services it applies to.

Given the close relationship between the two, it was intended for the ePrivacy Regulation to come into force on the same day as GDPR on 25 May 2018. However, the ePrivacy regulation has been subject to a great deal of lobbying and deliberation, and its draft was published too late (January 2017) to be enacted in time. The EU has been largely focused on passing the General Data Protection Regulation, and as such, it’s unlikely that the ePrivacy Regulation will be passed until at least the second half of 2019.


Where has this ePrivacy Regulation come from?

The ePrivacy Regulation has not come out of the blue. It’s the latest in a line of regulations which successively update and replace each other. The most famous of these, referred to widely as the ‘Cookie Law’, which came into force in May 2011 and remains in force until it is superseded by the ePrivacy Regulation, gives users the right to opt out of cookie tracking on sites they visit.

What does ePrivacy Regulation cover?

The regulation states that “electronic communications data should be defined in a sufficiently broad and technology-neutral way so as to encompass any information concerning the content transmitted or exchanged… and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication.”

Communications are protected regardless of whether the data is transmitted by wire, radio, optical or electromagnetic methods. That means communication data sent via satellites, cables, fixed networks, and electricity cable systems falls under the ePrivacy Regulation.

Such data should always remain confidential, and any interference with the communication of that data, either directly by a human or through automated processes, without the consent of the user, is prohibited. Interference in this context can occur at any time during the transfer of that data or metadata, including during its transmission and at its destination. For example, listening to calls, scanning of electronic messages, monitoring of visited websites, and the monitoring of interactions between users all constitutes a breach of the regulation.

There are several key aspects:

OTT services and metadata:

OTT service

Today our online communications are characterized by ‘over the top’ (OTT) services. Most of us use OTT services every day, maybe without even realizing that’s what we are doing. OTT services sit on top of the services provided by our network provider, and they are ‘fronted’ by a named service or app. Think of Skype, WhatsApp, Facebook Messenger, or even Internet TV services.

The directive intends to bring these services within the scope of EU privacy protection rules, to ensure that they are bound by the same confidentiality of communications rules as traditional telecommunications providers.

There will be privacy controls for communications content and for the ‘metadata’ that is associated with it, such as the time of a call, or the location you are calling from. The new regulation will require that metadata is anonymized or deleted if users don’t give their consent to such data being stored.



The draft regulation states: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third-party cookies’.”

The new regulation recognizes that there has been something of an excess of cookie consent requests from websites. The new Regulation aims to make it easier for browser settings to allow blanket acceptance or refusal of tracking cookies and other identifiers, and will clarify that consent is not needed for non-privacy intrusive cookies aimed at improving our internet experience (such as those which remember shopping cart history) or cookies used by a website to count visitors.

Companies will be obligated under the new regulation to ensure users are given the option of setting higher level cookie policies, such as a blanket ‘never accept cookies’, as well as those at a lower level, such as ‘reject third-party cookies’, presented in a form that’s clearly visible and easy to understand. Clear, affirmative action from the user is also required, which will need to be offered to users on the point of installation of new software. Importantly, those users that have previously given their consent must be given options to easily withdraw their consent at a later date.

Marketing and spam:

The Regulation states: “Direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organizations to support the purposes of the organization.”

Unsolicited communication through channels such as email, SMS, MMS, instant messaging, Bluetooth, and automated calling machines, will be banned under the regulation. National laws will affect how this is implemented, and people might be protected either by default or through existing ‘do not call’ lists that are set up to prevent marketing phone calls.

Marketing calls will need to be identified by a mandatory prefix – primarily so that users have a clear idea of who they are receiving communications from if they wish to withdraw their consent for that particular company.

Internet of things and public Wi-Fi:

public wifi

The regulation also aims to bring the most cutting-edge communication technology under its umbrella – specifically the communication of data across IoT networks and devices.

As the regulation states: “The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications.”

Publicly accessible wireless networks, namely ‘Wi-Fi hotspots’, will also be subject to the regulation, regardless of their location, the company providing the service, or method in which that service is delivered. Those that are closed from the public, such as business networks, are not subject to the ePrivacy Regulation.

What are the penalties for breaches?


The regulation lays out penalties for a breach in Article 23 which outlines different penalties for different infringements – the same sanctions that apply under GDPR also apply under the ePrivacy Regulation. Penalties range from up to €10,000,000 or 2% of worldwide annual turnover for some breaches and up to €20,000,000 or 4% of worldwide annual turnover for some breaches – whichever is the higher in each case.

As we have seen with the application of the UK’s Data Protection Act and GDPR, the eventual fine is heavily dependent on a number of mitigating factors, such as the scale of the incident and whether a breach of regulation occurred as a result of a deliberate act.

For more information and any clarification on ePrivacy Regulation, please visit its Official Site :

Leave a Comment