Leaked Draft ePrivacy Regulation: What to Expect from the New Rules

by Latham & Watkins LLP

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

The European Commission works on the reform of the ePrivacy Directive (2002/58/EC) for two reasons. Firstly, it is mostly based on the European Data Protection Directive (95/46/EC) which will be replaced by the General Data Protection Regulation ((EU) 2016/679) (GDPR) on 25 May 2018. Secondly, it forms part of the European Commission’s strategy for a Digital Single Market to make the EU’s single market fit for the digital age. The new ePrivacy Regulation is intended to complement the proposed European Electronic Communications Code.

The key changes introduced by the Draft in comparison with the ePrivacy Directive are:

  • Regulation instead of Directive. The Draft is in the form of a regulation rather than a directive – this means it will be directly applicable in all EU Member States. It limits the scope for national implementation, but reserves rights for the Commission to further detail the rules in delegated acts. A similar limitation of Member States' rights in favor of European Commission powers was proposed for the GDPR. The Draft, however, is less progressive on the point, presumably taking into account that the GDPR approach got completely reversed during the political negotiations. The potential consequences of the new ePrivacy Regulation differ substantially between Member States, because they have used the flexibility for national implementations under the ePrivacy Directive in different ways (for example with respect to B2B- or voice-to-voice marketing). The Draft is less flexible.
  • Not just personal data. The ePrivacy Directive generally limits its scope to the processing of “personal data” and includes some provisions protecting subscribers and users which can be individuals or legal entities. The general scope of the Draft skips the limitation to “personal data” and applies generally to all electronic communications data, i.e. data related to an “end-user” which can also be individuals or legal entities. Some provisions also apply to information about “equipment” of end-users. There will be areas of application to which the privacy focused GDPR will not apply, leaving the ePrivacy Regulation on its own. Therefore, the Draft includes a number of references to the GDPR which would make provisions – like the consent requirements – applicable whether or not personal data is processed.
  • Not just telecoms. The Draft applies to the processing of data in connection with communications services including services over the Internet (over-the-top or OTT) which are currently not regulated by the ePrivacy Directive. The scope also includes machine-to-machine communications in order to regulate the Internet of Things. As a result, the extended scope captures types of data processing on the Internet that the GDPR has been designed for.
  • Broader territorial reach. The Draft has a broad territorial scope and applies to data processed in connection with the provision of electronic communications services in the EU even if the processing does not actually take place in the EU. This includes any offer of electronic communications services to end-users in the EU. The independent definition of the territorial reach may lead to inconsistencies with the territorial scope of the GDPR, but takes broadly a similar extra-territorial approach. As a consequence, new services from outside the EU will probably have no choice other than to exclude EU users and possibly geo-block the EU – including non-EU citizens visiting Europe – when they introduce new services, until they have the ability to ensure compliance with EU regulations.
  • Limited right to process metadata. The Draft moves from the term “traffic data” to “metadata” which is defined broadly to include any data related to the communication of content. Metadata – but not content – can be processed to the extent necessary for the security, quality, billing, fraud protection and emergency services purposes. For any other processing of metadata, the end-user has to give consent. Unless one of the legal grounds applies, metadata has to be deleted as soon as the communication has taken place. The concept might call into question established security measures that rely on monitoring and storage of content. It also remains unclear – due to an incomplete sentence – how metadata necessary for the provision of services can be legally processed.
  • Choice between consent or paywall. Consent has to comply with the burdensome requirements of the GDPR. This includes the requirement that consent has to be freely given. The GDPR allows companies to make a contract dependent on providing consent, if the consent is necessary for the performance of the contract. This may include the requirement to provide consent for marketing use, if the service is funded by marketing revenues. A recital of the Draft elaborates further on the point and states that end-users have a free choice if similar services are available for an “affordable price”. This would lead to the solution of giving users the choice of using a service with marketing for free or paying a reasonable fee for a service without marketing. The consent requirements are also intended to apply to consent from legal entities.
  • Periodic withdrawal right. In addition to the requirements of the GDPR, the Draft mentions that an end-user should be given the opportunity to withdraw from consent not just any time, but also in periodic intervals of six months. It could be clearer what this would look like in practice, but it does not seem to require renewal of consent every six months.
  • Limited right to store data. The Draft suggests limited retention periods for metadata, which should be anonymized or deleted once the communication has occurred, except where there are lawful grounds for retention, such as for security and billing purposes. The Draft allows that the parties communicating may store such data, if they have sole control over the storage. This probably means that each party may store the data under its sole control, but the wording is not clear. It is also not clear whether in case of a communication with an employee of a company, the company or the employee would be regarded as the relevant end-user who should have sole control over the data.
  • Nuanced new cookie rules. The Draft specifies the protection of the end-user’s terminal equipment and information stored by it, including cookies. For certain situations, the Draft allows the use of such equipment or the collection of information from the equipment without consent (for example first party cookies for analytics). It also specifies that consent may be expressed by browser settings, but requires at the same time that such settings have to be configured by default to prevent third parties from storing information. The same applies for software such as apps. These requirements would cause high implementation costs and reduce the number of devices that will allow third party access to cookies.
  • Stricter limitations against unsolicited communication. As under the ePrivacy Directive, e-mail marketing is not permitted without the end-user’s consent unless it relates to similar products or services offered to an existing customer. However, the Draft provides for a broader protection against unsolicited communication, because it does not only apply to automatic calling machines, fax and e-mail. Any use of electronic communication services to transmit direct marketing communications for B2B and B2C purposes is covered. This could potentially include marketing communication displayed on websites. Again, it should be noted that these restrictions are not limited to situations in which personal data is processed. The Draft also covers marketing calls for which it requires not only consent but also a caller line to be displayed at which the legal entity conducting the marketing can be reached and a specific code or prefix that identifies that the call has a marketing purpose. Member States, however, will still be able to keep national opt-out concepts for voice-to-voice calls.
  • National surveillance and data retention possible. The Draft leaves it to the Member States to regulate national security matters. This indicates that the Commission has finally abandoned the idea of reintroducing European data retention rules. However, the Draft requires compliance with the Charter which will keep the door open for oversight by the surveillance-critical Court of Justice of the European Union (see judgments in Digital Rights Ireland and Schrems).
  • Increased fines. The Draft Regulation mirrors the fines in the new GDPR, imposing penalties for non-compliance of up to 4% of total worldwide annual turnover or 20 million Euros, whichever is higher.

Originally, the Commission aimed to replace the ePrivacy Directive simultaneously with the GDPR on 25 May 2018. The Draft does not include this date and, therefore, indicates that the Commission has become more realistic as to the potential duration of the legislative process. Given the broad scope and level of detail of the Draft, one should expect a long process to reach a political agreement. The Draft brings many issues that have been solved in the GDPR negotiations back on the table. An attempt to reopen these issues will inevitably lengthen the political process. Therefore, one has to be prepared for a period of substantial legal uncertainty when the GDPR becomes applicable and the old ePrivacy Directive is still in force. The Draft proposes that the new ePrivacy Regulation should become applicable twenty days plus six months after it is published in its final form. Not much time for companies to get compliant.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
