ePrivacy Regulation (withdrawn)

Background and Scope

The ePrivacy Regulation aims to replace the outdated ePrivacy Directive (2002/58/EC), which “has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications”. This legislative update addresses critical gaps in the current framework, particularly regarding new electronic communications services and tracking techniques not covered by existing rules.

A key development is the expansion of scope to include Over-the-Top communications services (OTTs) such as Voice over IP, instant messaging, and web-based email services. These services, which are generally not subject to current EU electronic communications frameworks, will now be brought into scope to reflect market reality. The regulation also extends protection to machine-to-machine communications to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things (IoT) in the digital single market.

The regulation protects both natural and legal persons’ communications and applies to providers of electronic communications services, software providers enabling electronic communications, and entities using such services for direct marketing.

Key Obligations

  • Confidentiality requirement: Electronic communications data must be treated as confidential, with strict prohibitions on interference including listening, tapping, storing, monitoring, scanning, interception, surveillance and processing by unauthorized parties.
  • Consent for metadata processing: The regulation requires informed consent for processing electronic communications metadata, with the same meaning and conditions as under GDPR. Importantly, consent can be expressed through software technical settings, and providers must facilitate easy withdrawal with six-month reminders.
  • Terminal equipment protection: Any interference with end-user terminal equipment requires specific consent, with limited exceptions for technical storage strictly necessary for requested services.
  • Browser privacy settings: Software providers must configure browsers to offer options preventing third parties from storing information on terminal equipment. Users must be offered privacy settings ranging from higher to lower protection levels, with clear affirmative action required for third-party tracking cookies.
  • Direct marketing rules: Consent is required before sending commercial electronic communications for direct marketing to natural persons, with exceptions for existing customer relationships where opt-out options are provided. Marketing communications must clearly identify the sender and provide easy withdrawal mechanisms.

February 11, 2025

The European Commission announced plans to withdraw the proposal in the Commission work programme 2025, stating that the proposal is outdated in view of some recent legislation in both the technological and legislative landscape.

January 10, 2017

The European Commission issued a proposal for the new ePrivacy Regulation.