

European Regulation on Privacy and Electronic Communications


(Last updated: 5 March 2021 / draft ePrivacy Regulation of 10 February 2021)


Key content of the ePrivacy Regulation

The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.

On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking.

ePrivacy Regulation – current status and timescale 

Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU Member States have not yet been able to agree on the draft legislation. Negotiations on the ePrivacy Regulation are still ongoing in 2021.

On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the Estonian EU Council presidency published its own draft. This was followed by drafts from the Bulgarian, Austrian, Romanian, Finnish, Croatian and German Council presidencies. 

Most recently, the compromise proposed by Germany failed on 4 November 2020. Until now, therefore, no authoritative draft text from the Council of Ministers has been available. As a result, the trilogue negotiations that were scheduled to start in the second half of 2018 were delayed. With the change in the EU Council presidency on 1 January 2021, and after many years of going back and forth, the Portuguese presidency has now succeeded, though not entirely without criticism, in convincing the Member States of its proposal of 5 January 2021. The trilogue negotiations with the European Parliament can now finally begin. These are to be based on the EU Council of Ministers' version of 10 February 2021.

Since some points in the current text of the Regulation remain contentious, however, the negotiations may not progress as quickly as the Portuguese presidency has recently been pushing ePrivacy forward. The ePrivacy Regulation is certainly not expected to enter into force before 2023. A potential transitional period of 24 months means that any new rules would then not come into effect before 2025.

However, the GDPR has already shown that addressing new data protection regulations at an early stage can be worthwhile in order to be prepared for the need to implement the requirements in a timely manner.

ePrivacy Regulation - chronological overview







Current framework of administrative fines under the ePrivacy Regulation

As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation (further information on this is available via the CMS GDPR Enforcement Tracker; please also see: 1st edition of the CMS GDPR Enforcement Tracker Report 2020).

The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.

Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).

Data processing justified after balancing interests?

The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). For a long time the Committee of Permanent Representatives grappled with the question of the extent to which a similar provision should be included in the ePrivacy Regulation. If the Council of Ministers decides against this, the crucial question will be raised as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable. The current draft does not contain a comparable provision.


28 September 2020

GDPR Enforcement Tracker Report

1st edition 2020

All EU Member States have been required to apply the General Data Protection Regulation ("GDPR", Regulation (EU) 2016/679) since 25 May 2018. After a cautious initial period, the EU data protection authorities ("DPA") have increased their fining activity significantly. This GDPR Enforcement Tracker Report aims to provide you with valuable insights into the fining activities of all EU DPAs under the GDPR, as well as the ICO's practice in the United Kingdom. Our analysis is based on the publicly available data on fines that we collect and compile at www.enforcementtracker.com. We intend to publish annual editions of this report, and we expect that the relevance of insights will steadily increase as more data on fines becomes available.

Overview, country and sector approach

In search of guidance on how to optimise its own data protection strategy and prioritise data protection measures, a company will naturally want to look at its peers and the competent authorities' practice. This holds true both in terms of business sectors and jurisdiction. Kicking off with an overall summary on the existing fines ("Numbers and Figures"), we have correspondingly divided the fines into the following business sectors and considered the respective fines' origins:

Finance, insurance and consulting
Accommodation and hospitality
Health care
Industry, commerce and real estate
Media, telecoms and broadcasting
Public sector
Transportation and energy
Individuals and private associations
Employers

Your takeaways

The in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We have also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector.

Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. Litigation in data protection is set to increase in the near future. Organisations that maintain up-to-date security measures will be best prepared for the future and for potential litigation.