European Commission proposes formal ePrivacy Regulation

The battle lines for Europe’s new ePrivacy Regulation have been drawn, as the European Commission presented its formal proposals on Tuesday.

Alongside other communications on the data economy, data protection rules for the EU institutions, and a consultation (expect more on this in this week’s IAPP Europe Data Protection Digest), Commission Vice President Andrus Ansip and Commissioner Věra Jourová unveiled their plans for data protection in the realm of electronic communications.

A leak of an early draft of the regulation, reported by The Privacy Advisor in December, means that few of the proposals will come as a surprise.

Expanded scope

As expected, the new regulation (an update of the current ePrivacy Directive) will be extended to apply to any company processing data in connection with communications services, not just traditional telco providers. That means so-called over-the-top service providers (often referred to as "OTT") are covered, even those where communications is an ancillary feature, such as dating apps or review sites.

This has prompted concern from Computer & Communications Industry Association Vice President James Waterworth: “Today’s proposal applies to all services that have a communications element meaning dating apps, video game services, travel and ecommerce sites, dramatically enlarging the range of services covered. This proposal will need work to ensure it delivers on the promise of strong and clear protections, instead of coming at the cost of free, innovative online services. Unfortunately it risks incoherence and confusion with the General Data Protection Regulation requiring one approach to safeguarding privacy and ePrivacy another,” he said.

The type of data covered is likewise extended to include machine-to-machine communications in order to regulate the Internet of Things. The current ePrivacy Directive broadly focuses on the processing of personal data, but the new regulation will go much further. “The emphasis on consent for access to device data is going to require much creativity from everyone,” Eduardo Ustaran, CIPP/E, a partner at Hogan Lovells, told The Privacy Advisor.

“This framework has been drafted with the Internet of Things and its users’ privacy in mind. There are two sides to the regulation: one that looks at the providers of communications services and another at businesses that rely on digital means to interact with customers. So everyone under the sun, really!” Ustaran added.

The telco industry has long called for OTT and web service providers to be subject to the same rules as it, so you would think it would welcome the proposals. Not so.

The European Telecommunications Network Operators association and GSMA Europe said that although they “recognise the European Commission’s goal to protect the confidentiality of electronic communications and establish a harmonised framework for electronic communications data,” they fear that when combined with the GDPR, the new ePrivacy rules could result in “unfair double regulation” of their sector.

“While we embrace the need to fully protect consumers, we believe that the General Data Protection Regulation already provides a technologically-neutral and future-oriented framework to this end,” said the groups, noting in particular the permission to further process data “when compatible with the initial purpose for which the data was collected, when an impact assessment has been performed and if appropriate safeguards apply.”

“In this way we can, for example, perform big data analytics in the interest of customers or for public purposes,” they added.


But they may have something to cheer in the proposals on the processing of metadata, which is not subject to as stringent protections as content. “The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC [the current ePrivacy Directive] this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users’ consent,” reads the Commission draft. 

“Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals,” continues the proposal.

Afke Schaart, vice-president Europe at GSMA, said: “Just like the Commission, we consider it is fundamental to create a privacy framework that enhances consumer trust in the context of electronic communications. However, we must ensure that the detailed requirements, such as the limited lawful grounds for processing, do not inadvertently frustrate use of metadata that is both innovative and sensitive to privacy concerns.”


In its document the Commission also admits it got the previous law wrong on cookies. “We have tried to overcome banner-fatigue,” said a Commission representative.

“In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has not fully met its objectives. The evaluation further showed that some provisions have created an unnecessary burden on businesses and consumers. For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent.

“The consent rule is over-inclusive, as it also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in the device,” reads the Commission document.

This means that fingerprinting, spyware and other tracking practices will henceforth also require explicit consent. 

To get around the problem of cookie-consent fatigue, the Commission proposes that web browser settings be taken as consent.

“Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored,” reads the Commission document.

“By centralising the consent in software such as internet browsers, a significant proportion of businesses would be able to do away with cookie banners and notices,” it added.

“It may become more difficult for online targeted advertisers to obtain consent if a large proportion of users opt for 'reject third-party cookies' settings,” reads the document, which instead proposes a range of options from “accept all” to “reject all.” Yet, despite touting the proposals as “privacy by design,” the draft would not require web browsers to have “reject all cookies” set as default.

A Commission representative told The Privacy Advisor that a “reject all cookies” default was not the correct approach “because there can be value added services given to consumers to improve their use of the internet” via cookies.

Monique Goyens, Director-General of the European Consumer Organisation, commented: “This reform is the opportunity to confront the widespread problem of online tracking. Consumers must have an alternative to being under 24/7 commercial surveillance when using digital services. When 89 percent of respondents to a recent EU survey say they want their browser to protect their communication by default, then the EU should heed their call. Smart devices and apps should not track consumers’ behaviour by default.” 

These proposals will of course have to get the thumbs up from the European Parliament. Jan Philipp Albrecht, the MEP in charge of steering through the GDPR last year, welcomed the move to include OTT providers such as Skype and WhatsApp, but said, “the rules around tracking user activity are completely back to front. Service providers should require the explicit consent of users if they want to track their activity; under these proposals, they would be able to assume consent unless the user says otherwise.

“The default service should always be the most data protection-friendly, as stipulated by the existing data protection regulation. We know that intelligence agencies are applying blanket data collection and service providers should respond by doing everything technically possible to secure the fundamental right of privacy. We expect the European Parliament and Council to bring forward the changes needed to make sure this promising package truly delivers for users.” 

Former Commissioner, and now MEP, Viviane Reding agreed with Albrecht: “I welcome today’s proposal to strengthen the right to privacy in electronic communications. The choice of a regulation over a directive lowers compliance costs for businesses and increases protection for end-users in all Member States. I also salute the extension of the scope to over-the-top services. The key red line is that this legislation must be fully aligned with the General Data Protection Regulation. The use of the same definitions and the reference to the principle of ‘Privacy by Design’ are therefore steps in the right direction. Our new framework is a state-of-the-art data protection legislation that is stoking global admiration and must be complemented by this new initiative, not diluted.” 

“The European Commission has resisted the most extreme demands from certain parts of industry,” said Joe McNamee, executive director of European Digital Rights. “However, to promote trust, privacy and innovation, the proposal still needs significant improvement.”

Some confusion spawned by the December leak has already been cleared up. On the question of withdrawal of consent, users must be reminded of this possibility every six months. Fines are likewise tough: up to €20 million or 4 percent of worldwide annual turnover.

But expect much debate over definitions and technicalities in the coming months.

Written By

Jennifer Baker

