Last week the European Commission published proposals for replacing the current ePrivacy Directive. Reforming ePrivacy laws is the final piece of the jigsaw for data protection law reform, following last year's adoption of the General Data Protection Regulation (GDPR).

Why is the Commission proposing reforms?

The GDPR introduces substantial reforms to EU data protection law, including stricter rules on things like consent and enforcement powers. However, rules on ePrivacy (including electronic marketing and the tracking of online activities) are currently governed by a separate piece of legislation, the ePrivacy Directive. The new Regulation is intended to ensure consistency across data privacy laws by adopting many of the principles in the GDPR.

In addition, the Commission acknowledges frustrations with the current rules on website cookies.

What is being proposed under the ePrivacy Regulation?

Firstly, the new laws will take the form of a Regulation, rather than a Directive. This means, as with the GDPR, that they will apply automatically in each member state, avoiding the need for local implementing legislation (and the potential for inconsistent implementation). For more on what Brexit might mean for this, see our post on >Data Protection and Brexit.

The draft ePrivacy Regulation includes a number of reforms:

  • Extension of reach to cover anyone providing services to citizens in the EU (mirroring the GDPR)
  • Extension of rules on electronic communication providers to new "over the top" service providers of electronic communications such as WhatsApp, Facebook Messenger and Skype, but potentially covering any service facilitating electronic messaging (for example dating apps and ecommerce websites).
  • The extension of rules to data created by Internet of Things devices
  • Clarification on the use of meta data created other than in relation to electronic communications services
  • Simplified rules on Cookies and other technologies capable of tracking users' behaviour. These include the removal of the need for cookies for "web audience measuring" (analytics?) or "non-privacy intrusive cookies improving internet experience". The Commission gives the example of a cookie to remember a shopping cart history. The Regulation will also enable users to use browser settings to control cookies.
  • A requirement for consent (opt-in) for any electronic marketing, though the soft opt-in right under the current ePrivacy Directive to market similar services to existing customers will remain.
  • A requirement for marketing calls to display a caller ID or use a special prefix that indicates that the call is a marketing call.

When will the ePrivacy Regulation come into force?

At this stage, the ePrivacy Regulation is simply a proposal from the European Commission and requires approval from the European Parliament and the Council before it can be adopted. For GDPR, that took the best part of four years. The Commission's plans for the ePrivacy Regulation are more ambitious. It is calling upon the Parliament and the Council to "work swiftly" to ensure that the ePrivacy Regulation is adopted by 25 May 2018 - the day on which the GDPR comes into force.

Whether this is achievable remains to be seen (though it is worth noting that the ePrivacy Regulation is somewhat shorter than the GDPR).

You can find more on EU data protection law reform on our GDPR hub.

Next steps

The ePrivacy Regulation doesn't just apply to tech companies. It will affect all organisations that operate online or carry out electronic marketing - whether by phone, email/SMS or through other electronic means. If you would like to discuss how the ePrivacy Regulation might affect your organisation, please get in touch.


Martin Sloan