Extending the scope of cybersecurity across Europe – the European Commission’s proposed e-Privacy Regulation

The European Commission has proposed a new Privacy and Electronic Communications (e-Privacy) Regulation (the draft e-Privacy Regulation) which would replace the current e-Privacy Directive (2002/58/EC). This is part of the EU’s Digital Single Market Strategy to increase trust in and the security of digital services. The draft e-Privacy Regulation would update current privacy laws in line with technological developments and extend its scope to all electronic communications providers. The draft e-Privacy Regulation would also align the e-privacy rules with the EU’s General Data Protection Regulation (GDPR) (as discussed in a previous article).

Currently, online privacy across the EU is covered by the e-Privacy Directive (2002/58/EC) which was implemented into our national law by the Privacy and Electronic Communications Regulations 2003. If implemented, the draft e-Privacy Regulation would be directly applicable in all Member States, ensuring that individuals and businesses in the EU would benefit from a single set of rules rather than relying on national legislation implementing the Directive.

What changes would the draft e-Privacy Regulation bring?

Extended scope

The draft e-Privacy Regulation seeks to extend the scope of protection to all electronic communications service providers, which would include WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. It would also extend to interpersonal communications services that are ancillary to another service, for example a gaming app that allows users to talk to each other.

Increasing protected content

The draft e-Privacy Regulation not only extends who the rules apply to, but also what is protected. Whilst the e-Privacy Directive protected the concept of traffic data, the protected content would extend to the metadata derived from electronic communications, such as the location or time of a call. This metadata must be anonymised or deleted unless users consent otherwise or the data is required for specific purposes such as billing.


The draft e-Privacy Regulation aims to reduce the number of consent requests that internet users experience when visiting different websites and generally to provide an easier way for users to accept or refuse the tracking of cookies.

It provides that non-privacy-intrusive cookies that either (i) improve internet experience (such as saving the contents of a shopping cart) or (ii) measure the number of visitors to a website will no longer require consent from the user. This will replace the current approach which only allows “strictly necessary” cookies to be placed without user consent.

Direct Marketing

The European Commission also aims to protect users further from unsolicited electronic communication by any means.

Under the draft e-Privacy Regulation, in addition to current consent rules for unsolicited marketing, marketing callers would now also be required to display their phone number or use a prefix which would indicate a marketing call.


As with the GDPR, enforcement of the draft e-Privacy Regulation would be the responsibility of national data protection authorities. Fines for breaches of the draft e-Privacy Regulation would be significantly higher than current thresholds and would be in line with those under the GDPR as follows:

  • Up to the higher of €10 million or 2% of worldwide turnover for breaches in relation to notice and consent, unsolicited communications and default privacy settings.
  • Up to the higher of €20 million or 4% of worldwide turnover for breaches of confidentiality of communications, processing of electronic communications data and limits on time periods for data erasure.

What now?

The current aim is for the draft e-Privacy Regulation to enter into force on the same date as the GDPR on 25 May 2018. One can see the benefit of aligning the two related Regulations. This is, however, a very aggressive timescale for European legislation and there is a possibility that it will not be achieved.

What action should businesses take?

A review of marketing practices in light of the proposed changes is essential. Businesses should look out for any updated guidance from the Information Commissioner’s Office and also generally have this draft e-Privacy Regulation on their radar when reviewing their plan for complying with the GDPR. If businesses are unsure or have any particular concerns, they should seek further legal advice.

For more information please contact Tom Torkar on tom.torkar@michelmores.com or +44 (0)1392 687626