Home / Insight / e-Privacy


European Regulation on Privacy and Electronic Communications

Go to International

(Last updated: 18 January 2024 / draft ePrivacy Regulation of 10 February 2021)

We will gladly keep you updated on developments around the ePrivacy Regulation. Please subscribe to our newsletter.

ePrivacy Newsletter

TTDSG part I: Telekom­munika­tionsdatens­chutz 2.0?
Der Beitrag widmet sich den wesentlichen Neuerungen des TTDSG im Bereich...
The transitional period until the ePrivacy Regulation comes into effect
The transitional period and the new German Act on the Regulation of Data...
Data Law Navigator | Germany

Key content of the ePrivacy Regulation

The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.

On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking. We will also provide information on the rules that will apply during the transitional period.

ePrivacy Regulation – current status and timescale 

Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU Member States have not yet been able to agree on the draft legislation. The negotiations of the ePrivacy Regulation are still ongoing.

On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the Estonian EU Council presidency published its own draft. This was followed by drafts from the Bulgarian, Austrian, Romanian, Finnish, Croatian and German Council presidencies. 

Most recently, the compromise proposed by Germany failed on 4 November 2020. Up until now there has not therefore been an authoritative draft text of the Council of Ministers available. As a result, the trilogue negotiations that were scheduled to start in the second half of 2018 were delayed. With the change in the EU Council presidency on 1 January 2021 and after many years of going back and forth, the Portuguese presidency has now succeeded – not completely without criticism – in convincing the Member States of its proposal of 5 January 2021. The trilogue negotiations with the European Parliament have started. These are based on a version of the EU Council of Ministers from 10 February 2021.

However, in view of the fact that there are some points of contention regarding the current text of the Regulation, these negotiations have not progressed as quickly as when the Portuguese presidency was pushing the matter of ePrivacy recently. However, experience with the GDPR has already shown that addressing new data protection regulations at an early stage can be worthwhile so that organisations are prepared for the need to implement the requirements in a timely manner.

ePrivacy Regulation - chronological overview

ePrivacy Regulation – Chronological overview







Current framework of administrative fines under the ePrivacy Regulation

As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation (further information is available via the CMS GDPR Enforcement Tracker; please also see: 4th edition of the CMS GDPR Enforcement Tracker Report).

The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.

Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).

It should also be noted that the fine provisions set out in the German Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) applies since 1 December 2021.

Data processing justified after balancing interests?

The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). For a long time the Committee of Permanent Representatives grappled with the question of the extent to which a similar provision should be included in the ePrivacy Regulation. If the Council of Ministers decides against this, the crucial question will be raised as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable. The current draft does not contain a comparable provision.

International Digital Regulation Hub
Following the EU Commission plan “A Europe fit for the digital age”, we have witnessed a lot of digital regulations in the EU including DMA and DSA, AI Act, Data Act and there is still more to come.Whilst presenting companies with a tumultuous landscape to navigate, the legal obligations imposed also present opportunities to develop their business in a new digital framework safeguarding responsible business practices, fair competition and personal data.The CMS Digital Regulation Hub is home to our Digital Regulation Tracker Tool, providing an overview of the key regulatory instruments for area of law, sectors and business activities which are critical for decision makers as they adapt to the increasingly digital landscape.In addition to this unique tool, we explore the impact this tsunami of regulation is having for businesses across a variety of industries and how GCs can ride the waves to stay ahead of the curve. Our latest re­port il­lus­trates the key findings across Platforms, Content providers, Life Sciences & Healthcare, Energy & Infrastructure, Banking & Finance and Automotive industries.To discuss how to cope with the challenges of Digital Regulations and to explore the opportunities for your business, please contact one of our International experts.
Technology Transformation: Managing Risks in a Changing Landscape
Changing tech, changing risks

Explore more

e-Privacy Newsletter
Scope of application of the e-Privacy Regulation
Tracking under the e-Privacy Regulation
The transitional period until the ePrivacy Regulation comes into effect
Digital Regulation
A new legal framework for the digital world


The Changing Face of Cyber Claims
A cyber insurance loss study in Continental Europe
Data protection and security
Expert legal advisers