

The e-Privacy Regulation


What is the E-Privacy Regulation?

The E-Privacy Regulation (ePR) is an addition to the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. The aim of both the GDPR and the E-Privacy Regulation is to ensure that personal data within the EU are protected. The E-Privacy Regulation is a set of rules proposed by the European Union focusing specifically on the field of electronic telecommunications.

The E-Privacy Regulation is intended to ensure confidentiality in electronic communications throughout Europe and to regulate how both personal and non-personal data are handled online.

Protecting privacy in the digital world

The E-Privacy Regulation sets out new rules to protect users and their data on the Internet, for example simplifying rules for handling cookies and increasing data security for communications services such as WhatsApp. The E-Privacy Regulation also has consequences for privacy in the area of online marketing.


E-Privacy: Geographical scope

Just as is the case with the GDPR, the Regulation will apply directly in all EU Member States and therefore, unlike a Directive, does not have to be transposed into national law. It is thus a set of rules that takes account of technical and economic developments in the market and will replace the E-Privacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC) currently in place.

Not only will this serve to harmonise the legal situation in all EU Member States (which varies considerably at present), but it will also ensure that the privacy of users of electronic communications services is protected to a high degree.

E-Privacy: Current status

The original intention was for the E-Privacy Regulation to take effect at the same time as the GDPR on 25 May 2018, but the final version was not completed on time.

It is highly likely that the final text will not be adopted before the end of 2019/2020, because so-called trilogue meetings between the Commission, the Council and the EU Parliament are pending in order to reconcile the individual drafts. It is not yet clear how much time will be required for these trilogue meetings.

Once the final version of the E-Privacy Regulation is presented, an approximately two-year implementation period begins, which means that the Regulation is not expected to take effect before 2022.

What companies should do now

Since the E-Privacy Regulation sets out a drastic tightening of the fines that can be imposed and the explicit right of competitors to sue, companies (in particular their marketing departments) should monitor developments in order to be prepared for the ePR.

Companies would therefore be well advised to start evaluating their website tracking methods, reviewing privacy policies and cookie policies, and ensuring that they are in possession of valid consent for cookies and direct advertising in good time.

Prepare your company for the E-Privacy Regulation in good time. Our privacy experts will be happy to advise you.




Which types of data processing are covered by the E-Privacy Regulation?

The E-Privacy Regulation applies to how communications data are processed when using electronic communications services and to information relating to the end-user’s terminal equipment.

This means that, in contrast to the GDPR, processing both personal and non-personal communications data falls under the material scope of the E-Privacy Regulation – regardless of whether the service in question is provided for a fee or not.

To whom does the E-Privacy Regulation apply?

The entire online sector is affected by the E-Privacy Regulation.

This includes a whole host of companies such as those in the advertising industry, Internet service providers, as well as third-country electronic communication providers offering their services to end users in the EU.

All over-the-top services, i.e. providers of electronic communications services offering IP-based services such as VoIP (Skype), messenger platforms (WhatsApp), webmail (Gmail) and social media (Facebook, Instagram), are covered by this regulation to the same extent as machine-to-machine communication between “smart” devices that is an increasingly common occurrence in the Internet of Things.

What are the penalties for non-compliance?

In the event that any provisions of the E-Privacy Regulation are violated, severe fines may be levied – the EU will align the penalties under the E-Privacy Regulation with those of the GDPR.

This means that unlawfully processing communications data will be subject to an administrative fine of up to EUR 10 million or up to 2 % of a company’s total worldwide annual turnover (Article 23 para. 2 (a) of the draft). Unlawful direct marketing communications will be subject to the same administrative fine (Article 23 para. 2 (d) of the draft).

Administrative fines of up to EUR 20 million or up to 4 % of a company’s total worldwide annual turnover may be imposed for violations of the principle of confidentiality of communications, the authorised processing of electronic communications, and time limits for erasure under Articles 5, 6 and 7 of the draft (Article 23 para. 3 of the draft).

In addition to these fines, end users can claim material and non-material compensation from the infringer (Article 22 of the draft).

It is interesting to note that Article 21 para. 2 of the draft explicitly protects legitimate business interests of third parties, meaning that competitors shall have a right to initiate legal proceedings in respect of infringements of the E-Privacy Regulation.

When will the E-Privacy Regulation come into force?

The E-Privacy Regulation is not expected to take effect before 2022.
