CIPP/E Study Guide
Ch 3.6 - ePrivacy

Privacy and Electronic Communications (ePrivacy) Directive

Directive 2002/58/EC (the ePrivacy Directive) adds specific rules for the communications sector, replacing the 1997 directive to reflect convergence. It applies to publicly available electronic communications services, requires opt-in consent for most digital marketing, protects confidentiality of communications and traffic data, and - via the 2009 amendment - added breach notice for telecoms and the cookie consent rule in Article 5(3). A draft ePrivacy Regulation is intended to replace it.

Directive 2002/58/EC widened telecoms law to all electronic communications (phone, fax, internet, email) to reflect convergence. It applies to the processing of personal data in publicly available electronic communications services on public networks - so a private company intranet is generally outside it (though GDPR principles still apply). It was published 31 July 2002, to be implemented by 31 October 2003, and was amended on 24 November 2009.

  • Providers must take technical/organisational measures to secure their services and warn subscribers of particular risks
  • States must ensure confidentiality of communications and traffic data, subject to exceptions (e.g. user consent or legal authorisation)
  • Most digital marketing (email, SMS, MMS, fax) needs prior opt-in consent; person-to-person phone marketing is excluded; a soft opt-in exists for existing customers
  • Restrictions on traffic and billing data; rights on itemised billing, call-line ID, directories, call forwarding, unsolicited calls
  • Location data may be processed only if anonymised, or with consent for a value-added service for the necessary duration
  • Subscribers must be informed before inclusion in a directory

ePrivacy Directive timeline

Date               Event
1997               Original telecoms-sector privacy directive
12 July 2002       Directive 2002/58/EC adopted
31 July 2002       Published in the Official Journal
31 October 2003    Member state implementation deadline
24 November 2009   Amended (breach notice + cookie consent in Art 5(3))
10 January 2017    Commission proposes the ePrivacy Regulation

Cookie rule

The 2009 amendment added Article 5(3): storing or accessing information on a user's device needs informed consent, except where it is strictly necessary to transmit a communication or to provide a service explicitly requested by the user. Since the GDPR, 'consent' here is read against the GDPR definition of consent.

Key terms - quick answers

What is “ePrivacy Directive”?
Directive 2002/58/EC on privacy in the electronic communications sector; complements the GDPR/Directive.
What is “Convergence”?
The merging of telecoms, internet and media technologies that prompted widening telecoms law to all electronic communications.
What is “Traffic data”?
Data processed to convey a communication or bill for it; subject to restrictions and confidentiality.
What is “Cookie consent”?
Requirement under Article 5(3) that storing/accessing information on a user's device needs informed consent, with narrow exceptions.