Reform of the ePrivacy Directive - ePrivacy Regulation
Proposed on 10 January 2017, the draft ePrivacy Regulation would replace the ePrivacy Directive with a directly applicable regulation aligned to the GDPR. It extends to all electronic communications providers (including OTT services), requires consent to process content and metadata, streamlines cookie rules, and sets a two-tier fine regime (€10m/2% and €20m/4%). Enforcement falls to national DPAs.
After a 2015 study and a 2016 consultation, the Commission released the draft ePrivacy Regulation on 10 January 2017. Being a regulation, it would be directly applicable and provide a single set of rules. Parliament's LIBE committee tabled over 800 amendments; the Council settled its position in February 2021.
- Wider application: all electronic communications providers - messaging, email, voice, not just telecoms
- Confidentiality: no listening, tapping, intercepting, scanning or storing without consent, save narrow public-interest exceptions
- Consent for content and metadata: without consent, both must be anonymised or deleted, unless needed e.g. for billing
- Revised cookie rules: no consent for non-intrusive cookies (shopping cart, login, visitor counting); fewer consent pop-ups
- Anti-spam: ban on unsolicited communications without consent, with a soft opt-in for similar products; marketing callers must show their number or a prefix
- Enforcement by national DPAs

| Breach type | Maximum fine |
|---|---|
| Notice/consent, default settings, public directories, unsolicited communications | €10 million or 2% of worldwide annual turnover |
| Confidentiality of communications, permitted processing, time limits for erasure | €20 million or 4% of worldwide annual turnover |

The ePrivacy Regulation was intended to apply from May 2018 alongside the GDPR, but slipped. At the time of writing it remained a proposal still in negotiation between Parliament and the Council.