Home / Insight / e-Privacy


The ePrivacy Regulation

Back to e-Privacy

What is the ePrivacy Regulation?

The ePrivacy Regulation (ePR) is an addition to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. The aim of both the GDBR and the ePR is to ensure that personal data within the EU are protected. The ePR is a set of rules proposed by the European Union focusing specifically on the field of electronic telecommunications.

The ePR is intended to ensure confidentiality in electronic communications throughout Europe and to regulate how both personal and non-personal data are handled online.

Protecting privacy in the digital world

The ePR sets outs new rules to protect users and their data on the Internet, for example simplifying rules for handling cookies and increasing data security for communications services such as WhatsApp. The ePR also has consequences for privacy in the area of online marketing.

Data Law Nav­ig­at­or | Aus­tria
In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws...

Geographical scope

Just as is the case with the GDPR, the Regulation will apply directly in all EU Member States and therefore, unlike a Directive, does not have to be transposed into national law. It is thus a set of rules that takes account of technical and economic developments in the market and will replace the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC) currently in place.

Not only will this serve to harmonise the legal situation in all EU Member States (which varies considerably at present), but it will also ensure that the privacy of users of electronic communications services is protected to a high degree.

Current status

The original intention was for the ePrivacy Regulation to take effect at the same time as the GDPR on 25 May 2018, but the final version was not completed on time.

It is highly likely for the final text not to be adopted before the end of 2019/2020, because so-called trilogue meetings between the Commission, the Council and the EU Parliament are pending in order to reconcile the individual drafts. It is not yet clear how much time will be required for these trilogue meetings.

Once the final version of the ePrivacy Regulation is presented, an approximately two-year implementation period begins, which means that the Regulation is not expected to take effect before 2022.

What companies should do now

Since the ePrivacy Regulation sets out a drastic tightening of the fines that can be imposed and the explicit right of competitors to sue, companies (in particular their marketing departments) should monitor developments in order to be prepared for the ePR.

Companies would therefore be well advised to start evaluating their website tracking methods, reviewing privacy policies and cookie policies, and ensuring that they are in possession of valid consent for cookies and direct advertising in good time

Prepare your company for the ePrivacy Regulation in good time. Our privacy experts will be happy to advise you.

Contact us directly:



Which types of data processing are covered by the ePrivacy Regulation?

The ePrivacy Regulation applies to how communications data are processed when using electronic communications services and to information relating to the end-user’s terminal equipment.

This means that, in contrast to the GDPR, processing both personal and non-personal communications data falls under the material scope of the ePrivacy Regulation – regardless of whether the service in question is provided for a fee or not.

To whom does the ePrivacy Regulation apply?

The entire online sector is affected by the ePrivacy Regulation.

This includes a whole host of companies such as those in the advertising industry, Internet service providers, as well as third-country electronic communication providers offering their services to end users in the EU.

All over-the-top services, i.e. providers of electronic communications services offering IP-based services such as VoIP (Skype), messenger platforms (WhatsApp), webmail (Gmail) and social media (Facebook, Instagram), are covered by this regulation to the same extent as machine-to-machine communication between “smart” devices that is an increasingly common occurrence in the Internet of Things.

What are the penalties for non-compliance?

In the event that any provisions of the ePrivacy Regulation are violated, severe fines may be levied – the EU will align the penalties under the ePrivacy Regulation with those of the GDPR.

This means that the unlawfully processing communications data will be subject to an administrative fine of up to EUR 10 million or up to 2 % of a company’s total worldwide annual turnover (Article 23 para. 2 (a) of the draft). Unlawful direct marketing communications will be subject to the same administrative fine (Article 23 para. 2 (d) of the draft).

Administrative fines of up to EUR 20 million or up to 4 % of a company’s total worldwide annual turnover may be imposed for violations of the principle of confidentiality of communications, the authorised processing of electronic communications, and time limits for erasure under Articles 5, 6 and 7 of the draft (Article 23 para. 3 of the draft).

In addition to these fines, end users can claim material and non-material compensation from the infringer (Article 22 of the draft).

It is interesting to note that Article 21 para. 2 of the draft explicitly protects legitimate business interests of third parties, meaning that competitors shall have a right to initiate legal proceedings in respect of infringements of the ePrivacy Regulation.

When will the ePrivacy Regulation come into force?

The ePrivacy Regulation is not expected to take effect before 2022.

View FAQs >> Hide FAQs >>