EU Commission’s ePrivacy Regulation Proposal to align electronic communications privacy to GDPR

On January 10, 2017, the European Commission issued a draft for a new ePrivacy Regulation (“Proposal”) that would replace Directive 2002/58/EC (‘the ePrivacy Directive’), implementing a higher level of privacy for all electronic communications.

Scope of application: The Proposal applies to all electronic communication providers – including EU institutions – and aim at aligning the existing rules, which date back to 2002, with the newer data protection framework set out by the GDPR.  The Proposal expands the scope of the ePrivacy Directive to internet-based voice services and (such as Over-the-Top), IoT and machine-to-machine communications. It applies to content of communications and metadata.

Territorial scope: the Draft Regulation applies to electronic communications services to end-users in the EU and protects also information related to the terminal equipment of EU end-users.

The Proposal takes into account workshops, public consultations, surveys, as well as an impact assessment supported by a Commission’s study.


  • broader scope: the current ePrivacy Directive only applies to traditional telecoms operators, while the proposed Regulation will apply also to new providers of electronic communications services (e.g., WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber);
  • homogeneityby using a directly applicable Regulation, there will be one single set of rules across the EU;
  • communication content and metadataboth content and metadata derived from electronic communications (e.g. time of a call and location) will be safeguarded. Both will need to be anonymised or deleted if users have not given their consent, unless the data is required, for instance for billing purposes;
  • new business opportunitiesonce consent for data processing is given is given for communication data,  telecoms operators will be able to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals;
  • simpler rules on cookies: there will be an easier way to accept or refuse cookies and other identifiers. No consent will be needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history or to count the website’s visitors);
  • protection against unsolicited electronic communications: the Proposal bans spam if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Also, marketing callers will need to display their phone number or use a special prefix that indicates a marketing call;
  • more effective enforcement: national data protection authorities will responsible for enforcement;
  • data protection rules for EU institutions and bodies: anyone whose personal data are handled by EU institutions will benefit from higher standards of protection;
  • international data protection: the Proposal sets out a strategic approach to international transfers of personal data for law enforcement cooperation. Also the Commission will engage proactively in discussions on reaching “adequacy decisions” (allowing for the free flow of personal data to countries with “essentially equivalent” data protection rules to those in the EU).

What’s next: The draft will now have to be approved by the EU Parliament and Council, and hopefully adopted by 25 May 2018, when the GDPR will come into force.

More on the new ePrivacy Regulation is available at…

For more information, Francesca Giannoni-Crystal and Federica Romanelli.



Follow us on& Like us on