E-Privacy Regulation

This is a proposed European regulation

UK and Brexit

The E-Privacy Regulation may not apply to the UK, as it is unlikely to become law before Brexit. However, there are reasons why it might be adopted, depending on the approach that the UK takes to market access to the EU for digital services.

British companies will almost certainly have to comply with the ePrivacy Regulation for their EU-based users/customers regardless of whether they comply for their non-EU based users/customers.

Commission’s key objectives

  • New players: privacy rules will in the future also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
  • Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: privacy is guaranteed for communications content and metadata, e.g. time of a call and location. Metadata have a high privacy component and is to be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
  • New business opportunities: once consent is given for communications data - content and/or metadata - to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
  • Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
  • More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.[1]

Data retention

The last E-Privacy Directive mentioned the possibility of data retention, which was a controversial decision at the time. The effect of this has however been positive, as it means that data retention is a matter of EU law, so CJEU judgments apply. For the new regulation:

The proposal does not include any specific provisions in the field of data retention. It maintains the substance of Article 15 of the ePrivacy Directive and aligns it with specific wording of Article 23 of the GDPR, which provides grounds for Member States to restrict the scope of the rights and obligations in specific articles of the ePrivacy Directive. Therefore, Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law, taking into account the case-law of the Court of Justice on the interpretation of the ePrivacy Directive and the Charter of Fundamental Rights.[2]

External links

Summary of the proposal


The Regulation will apply to:

the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users[3]

It does not apply to private networks, nor to “activities which fall outside the scope of Union law”, presumably including national security.[4] It is “without prejudice” to the provisions of the E-Commerce Directive and the GDPR.[5]


  1. Commission proposal
  2. 1- Proposal for a Regulation of the European Parliament and of the Council (PDF, linked) section 1.3
  3. Article 2, Commission draft
  4. Article 2 (2), Commission draft
  5. Article 2 (4) and (5), Commission draft