Everything you need to know about the upcoming EU ePrivacy Regulation on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, with updates as they occur.

While quite some organizations are investing in personal data protection and privacy measures to – more or less – attain GDPR compliance and others are still in the stage of GDPR awareness, trying to get their heads around their duties as data controllers (and processors) or figuring out how to guarantee the exercise of data subject rights under the GDPR, another EU Regulation requires your attention: the new EU ePrivacy Regulation.

On this page, which continues to be updated until – and probably after – the final ePrivacy Regulation is published in the Official Journal of the European Union and, next, applies (which is not the same as being published and, in case of a grace period, not the same as enterered into force), you find everything you need to know on the state, essence and evolutions of the EU ePrivacy Regulation.

The new ePrivacy Regulation, which in January 2017 was published as a proposal text, aims to be an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies.

Since then the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) often was called the cookie law by the marketers and Internet professionals among us (and is the reason why you see cookie consent popups on many websites, including ours) since it became national law in EU countries with a gradual implementation, national differences and, let’s say relatively inconsistent enforcement across these countries. Indeed, just as was the case with the pre-decessor of the GDPR or General Data Protetion Regulation.

Attention though: the ePrivacy Directive and Regulation isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: again personal data protection.

Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the IoT (Internet  of Things), among many many others. A look at the text, the impact, the challenges and the evolutions.

Table of Contents

• EU ePrivacy: from a Directive to a Regulation
• New stipulations and consequences of the coming ePrivacy Regulation

• The EU ePrivacy Regulation and cookies
• The ePrivacy Regulation and the Internet of Things
• The ePrivacy Regulation and Over-the-Top communication services
• The ePrivacy Regulation, direct marketing and email marketing
• The impact of the correlation with the GDPR
• (Tele)communications content and metadata

• When will the new EU ePrivacy Regulation come into action?
• October 19, 2017: LIBE Committee votes in favor of amended ePrivacy Regulation texts

• A victory for advocates of strict privacy and data protection rules
• A blow to European publishing, media and advertising industries 

• October 26, 2017: EP votes in favor of amended version and Lauristin report in plenary despite criticism of lobby groups and political differences
• ePrivacy Regulation updates January 2018

• The consolidated version of the European Council and further ePrivacy Regulation topics to analyze 
• Next steps and WHEN the ePrivacy Regulation might be applied (which is not the same as entering into force)

EU ePrivacy: from a Directive to a Regulation

Why is this coming new ePrivacy Regulation important, why is it needed and how is it different?

First of all note the difference in the terms: whereas now we have an ePrivacy Directive, the newcomer is called an ePrivacy Regulation. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation with the mentioned inconsistent enforcement as one consequence. Again, just like the GDPR.

Secondly, the current ePrivacy Directive came as a complement of the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the General Data Protection Regulation or GDPR. As a consequence but also to ‘improve’ the current so-called ‘cookie law’ and, among others, include new forms of electronic communications (IoT and more), the new ePrivacy Regulation complements the GDPR and in pretty much the same way strives towards uniformity across the single digital market as a Regulation instead of a Directive.

As a matter of fact there are more touchpoints between the GDPR and the ePrivacy Regulation:

1. The ePrivacy Regulation is lex specialis to the GDPR. That’s a legal principle, in full ‘principe lex specialis derogat legi generali’, which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, in this case the GDPR (personal data protection in general), with the ePrivacy Regulation covering the mentioned specific areas.
2. Both the GDPR and the ePrivacy Regulation are part of the reform of the EU data protection framework, which also includes a new set of rules governing the free flow of NON-personal data in the EU, which the European Commission proposed in September 2017.

To read part 2 click here, to read part 3 click here.