e-Privacy

(Last updated: 01 December 2021 / draft ePrivacy Regulation of 10 February 2021)

We will gladly keep you updated on developments around the ePrivacy Regulation. Please subscribe to our newsletter.

Key content of the ePrivacy Regulation

The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.

On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking. We will also provide information on the rules that will apply during the transitional period.

ePrivacy Regulation – current status and timescale 

Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU Member States have not yet been able to agree on the draft legislation. The negotiations of the ePrivacy Regulation are still ongoing.

On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the Estonian EU Council presidency published its own draft. This was followed by drafts from the Bulgarian, Austrian, Romanian, Finnish, Croatian and German Council presidencies. 

Most recently, the compromise proposed by Germany failed on 4 November 2020. Up until now there has not therefore been an authoritative draft text of the Council of Ministers available. As a result, the trilogue negotiations that were scheduled to start in the second half of 2018 were delayed. With the change in the EU Council presidency on 1 January 2021 and after many years of going back and forth, the Portuguese presidency has, however, now succeeded – not completely without criticism – in convincing the Member States of its proposal of 5 January 2021. The trilogue negotiations with the European Parliament have now started. These are based on a version of the EU Council of Ministers of 10 February 2021.

In view of the fact that there are some points of contention regarding the current text of the Regulation, however, these may not progress as quickly as the Portuguese presidency has recently been pushing forward ePrivacy. The ePrivacy Regulation is certainly not expected to enter into force before 2023. A potential transitional period of 24 months means that any new regulations would then not come into effect before 2025. 

However, the GDPR has already shown that addressing new data protection regulations at an early stage can be worthwhile in order to be prepared for the need to implement the requirements in a timely manner.

ePrivacy Regulation - chronological overview

2021

• Version of the EU Council of Ministers, 10 February 2021
• Draft by the Portuguese presidency, 5 January 2021

2020

• Draft by the German presidency, 4 November 2020
• Draft by the Croatian Council presidency, 21 February 2020

2019

• 4th Draft by the Finnish Presidency, 4 October 2019
• 3rd Draft by the Finnish Presidency, 18 September 2019
• 2nd Draft by the Finnish Presidency, 26 July 2019
• Draft by the Finnish Presidency, 12 July 2019
• Progress Report by the Romanian Presidency, 20 May 2019
• Text proposed by Romanian Council presidency, 22 February 2019

2018

• Draft by the Austrian Presidency, 19 October 2018
• Draft by the Bulgarian Presidency, 22 March 2018

2017

• Draft by the EU Parliament (Report A8-0324 / 2017), 26 October 2017
• Draft by the European Commission, 10 January 2017 (German version)

Current framework of administrative fines under the ePrivacy Regulation

As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation (further information is available via the CMS GDPR Enforcement Tracker; please also see: 2nd edition of the CMS GDPR Enforcement Tracker Report 2021).

The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.

Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).

It should also be noted that the fine provisions set out in the German Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) will apply from 1 December 2021.

Data processing justified after balancing interests?

The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). For a long time the Committee of Permanent Representatives grappled with the question of the extent to which a similar provision should be included in the ePrivacy Regulation. If the Council of Ministers decides against this, the crucial question will be raised as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable. The current draft does not contain a comparable provision.