ePrivacy Regulation: What is it and how does it affect me?

Graphic depicting the ePrivacy Regulation
(Image credit: Shutterstock)

Although the EU’s General Data Protection Regulation (GDPR) has only come into force in recent years, businesses operating in EU territories may soon find that they will have to understand and adapt to an entirely new set of regulations.

Having been in development for at least five years, the new law is designed to guarantee user privacy while information is being communicated between terminals. It’s also being drafted so that it complements GDPR, and was supposed to be launched in tandem with the data protection regulations. It’s faced several delays from lobbyists and other interested parties, however, and is still being drafted by policymakers.

Where has the ePrivacy Regulation come from?

Commonly referred to as the ‘cookie law’, the ePrivacy and Electronic Communications Directive, established in 2002, came into force to handle issues such as the confidentiality of information, treatment of traffic data, spam and cookies. The forthcoming ePrivacy Regulation is an evolution of this law, and will eventually be enforceable across all EU member states, as GDPR is. This is unlike a Directive, which allows member states to introduce their own mechanisms provided they live up to the spirit of the legislation.

While GDPR centres on safeguarding personal data and ensuring information flows freely between EU nations, the ePrivacy Regulation will largely concern protecting user privacy online where data is transmitted electronically.

This was supposed to come into force on 25 May 2018 in tandem with GDPR, although continued discussions at various levels of the EU has seen some of the small print revised and tweaked over time. With a draft having only been released last month, it’s unlike we’ll see the regulation come into force for a number of months yet.

The two EU laws not only deal in similar subject matter, but the ePrivacy Regulation will also be lex specialis to GDPR. In other words, ePrivacy will deal with specific subjects, applying particular rules around those subjects, while inside the scope of GDPR - that's to say that GDPR provisions will operate above ePrivacy and continue to apply to wider protection areas that ePrivacy does not cover.

When it comes to implementation, the regulation includes a provision that allows each member state to introduce additional mechanisms to help with the application and interpretation of ePrivacy within the context of existing national laws. That's to say that while the regulation applies to all member states, how it's applied may differ.

How does the ePrivacy Regulation tie in with GDPR?

The regulation states that "electronic communications data should be defined in a sufficiently broad and technology-neutral way so as to encompass any information concerning the content transmitted or exchanged... and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication."

Communications are protected regardless of whether the data is transmitted by wire, radio, optical or electromagnetic methods. That means communication data sent via satellites, cables, fixed networks, and electricity cable systems falls under the ePrivacy Regulation.


Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation


Such data should always remain confidential, and any interference with the communication of that data, either directly by a human or through automated processes, without the consent of the user, is prohibited. Interference in this context can occur at any time during the transfer of that data or metadata, including during its transmission and at its destination. For example, listening to calls, scanning of electronic messages, monitoring of visited websites, and the monitoring of interactions between users all constitutes a breach of the regulation.

The last iteration of the ePrivacy Directive (which the ePrivacy Regulation is set to replace) came in 2009. Since then, how we communicate electronically has grown and changed massively, and the new regulation has been designed to take account of this and ensure personal privacy is maintained.

There are several key aspects:

OTT services and metadata

Today our online communications are characterised by 'over the top' (OTT) services. Most of us use OTT services every day, maybe without even realising that's what we're doing. OTT services sit on top of the services provided by our network provider, and they are 'fronted' by a named service or app. Think of Skype, WhatsApp, Facebook Messenger, or even Internet TV services.

The directive intends to bring these services within the scope of EU privacy protection rules, to ensure they are bound by the same confidentiality of communications rules as traditional telecommunications providers.

There will be privacy controls for communications content and for the 'metadata' that is associated with it, such as the time of a call, or the location you are calling from. The new regulation will require that metadata is anonymised or deleted if users don't give their consent to such data being stored.


The draft regulation states: "currently, the default settings for cookies are set in most current browsers to 'accept all cookies'. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as 'reject third-party cookies'."

The new regulation recognises that there has been something of an excess of cookie consent requests from websites. The new regulation aims to make it easier for browser settings to allow blanket acceptance or refusal of tracking cookies and other identifiers, and will clarify that consent is not needed for non-privacy intrusive cookies aimed at improving our internet experience (such as those which remember shopping cart history) or cookies used by a website to count visitors.

Companies will be obligated under the new regulation to ensure users are given the option of setting higher level cookie policies, such as a blanket 'never accept cookies', as well as those at a lower level, such as 'reject third-party cookies', presented in a form that's clearly visible and easy to understand. Clear, affirmative action from the user is also required, which will need to be offered to users on the point of installation of new software. Importantly, those users that have previously given their consent must be given options to easily withdraw their consent at a later date.

However, those cookies deemed to be 'non-privacy intrusive', such as e-commerce cookies and remembering shopping cart histories, something that we've become used to as internet users as part of an enhanced experience, will not be subject to restrictions under the regulation. Those that generate overly intrusive adverts will, of course, not be exempt under this category.

Marketing and spam

The regulation states: "Direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation."

Unsolicited communication through channels such as email, SMS, MMS, instant messaging, Bluetooth, and automated calling machines, will be banned under the regulation. National laws will affect how this is implemented, and people might be protected either by default or through existing 'do not call' lists that are set up to prevent marketing phone calls.

Marketing calls will need to be identified by a mandatory prefix - primarily so that users have a clear idea of who they are receiving communications from if they wish to withdraw their consent for that particular company.

The regulation also states that it's "justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons."

Excluded within this is the case of a company using email contact details to offer similar services or products to those customers with an existing relationship with said company, provided those details were obtained in accordance with GDPR.

Internet of things and public Wi-Fi

The regulation also aims to bring the most cutting-edge communication technology under its umbrella - specifically the communication of data across IoT networks and devices.

As the regulation states: "the transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this regulation should apply to the transmission of machine-to-machine communications."

Publicly accessible wireless networks, namely 'Wi-Fi hotspots', will also be subject to the regulation, regardless of their location, the company providing the service, or method in which that service is delivered. Those that are closed from the public, such as business networks, aren't subject to the ePrivacy Regulation.

What are the penalties for violating the ePrivacy Regulation?

The regulation lays out penalties for a breach in Article 23 which outlines different penalties for different infringements - the same sanctions that apply under GDPR also apply under the ePrivacy Regulation. Penalties range from up to €10,000,000 or 2% of worldwide annual turnover for some minor incidents and up to €20,000,000, or 4% of worldwide annual turnover, for more serious breaches - whichever is the higher in each case.

As we have seen with the application of the UK's Data Protection Act 2018 and GDPR, the eventual fine is heavily dependent on a number of mitigating factors, such as the scale of the incident, whether a breach of regulation occurred as a result of a deliberate act, and how diligent the company was in trying to prevent such incidents from happening.

Will the ePrivacy Regulation apply in the UK?

The short answer is yes. In order to achieve a whitelisted status from the EU, and thus deemed as a safe zone under GDPR, the UK has been required to pass its own updated Data Protection Act 2018. The idea is to create harmony across the continent and prevent a halt to the transfer of data once the UK leaves the EU, which at the time of writing is set as 31 October 2019.

Brexit is therefore unlikely to affect the ePrivacy Regulation, as the UK will want to adhere to the same principles in order to retain data adequecy. Additionally, given that the regulation covers technologies and communications that cross territories, the majority of businesses will have to comply even if they're based outside of the EU.

In much the same way as the Information Commissioner's Office (ICO) is responsible for enforcing the UK's data protection laws, it will be similarly responsible for policing the ePrivacy Regulation, although how it will go about that is still to be determined.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.