This website uses cookies so that we can provide you with the best user experience possible. Our Cookie Notice is part of our Privacy Policy and explains in detail how and why we use cookies. To take full advantage of our website, we recommend that you click on “Accept All”. You can change these settings at any time via the button “Update Cookie Preferences” in our Cookie Notice.
Technical cookies are required for the site to function properly, to be legally compliant and secure. Session cookies only last for the duration of your visit and are deleted from your device when you close your internet browser. Persistent cookies, however, remain and continue functioning on repeat visits.
CMS does not use any cookie based Analytics or tracking on our websites; see details here.
Personalisation cookies collect information about your website browsing habits and offer you a personalised user experience based on past visits, your location or browser settings. They also allow you to log in to personalised areas and to access third party tools that may be embedded in our website. Some functionality will not work if you don’t accept these cookies.
(Last updated: 5 March 2021 / draft ePrivacy Regulation of 10 February 2021)
We will gladly keep you updated on developments around the ePrivacy Regulation. Please subscribe to our newsletter.
The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.
On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking.
Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU Member States have not yet been able to agree on the draft legislation. The negotiations of the ePrivacy Regulation are still ongoing now in 2021.
On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the Estonian EU Council presidency published its own draft. This was followed by drafts from the Bulgarian, Austrian, Romanian, Finnish, Croatian and German Council presidencies.
Most recently, the compromise proposed by Germany failed on 4 November 2020. Up until now there has not therefore been an authoritative draft text of the Council of Ministers available. As a result, the trilogue negotiations that were scheduled to start in the second half of 2018 were delayed. With the change in the EU Council presidency on 1 January 2021 and after many years of going back and forth, the Portuguese presidency has, however, now succeeded – not completely without criticism – in convincing the Member States of its proposal of 5 January 2021. The triologue negotiations with the European Parliament can now finally begin. These are to be based on a version of the EU Council of Ministers of 10 February 2021.
In view of the fact that there are some points of contention regarding the current text of the Regulation, however, these may not progress as quickly as the Portuguese presidency has recently been pushing forward ePrivacy. The ePrivacy Regulation is certainly not expected to enter into force before 2023. A potential transitional period of 24 months means that any new regulations would then not come into effect before 2025.
However, the GDPR has already shown that addressing new data protection regulations at an early stage can be worthwhile in order to be prepared for the need to implement the requirements in a timely manner.
As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation (further information on this is available via the CMS GDPR Enforcement Tracker; please also see: 1st edition of the CMS GDPR Enforcement Tracker Report 2020).
The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.
Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).
The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). For a long time the Committee of Permanent Representatives grappled with the question of the extent to which a similar provision should be included in the ePrivacy Regulation. If the Council of Ministers decides against this, the crucial question will be raised as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable. The current draft does not contain a comparable provision.
%20(2).jpg?v=3)
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.