The EU's privacy by default 2.0

Last December, a draft of the new European ePrivacy rules leaked. It contained a number of interesting insights into the ways the EU will regulate privacy in electronic networks. The new ePrivacy law will supplement the General Data Protection Regulation, which was enacted last May and which will enter into application on May 25, 2018.

From directive to regulation

Apart from re-shaping existing rules on spam, cookies and location-based services, the most important change is that the directive will become a regulation. I fully agree with this change. Internet-based services do not stop at the border. Services of the fourth industrial revolution will be powered by the cloud; e.g., self-driving cars will heavily rely on cloud connections. You can't have a different law relating to how your car communicates with the cloud each time you cross a border. Therefore, a clear and fully harmonized legal framework across the EU is needed to facilitate the uptake of internet-connected products. This includes the rules on e-privacy.

Hardware manufacturers and retail also covered

The second most important proposal in the draft ePrivacy Regulation is Article 10, which reads:

"The settings of all the component of the terminal equipment placed on the market shall be configured to, by default, prevent third parties from storing information, processing information already stored in the terminal equipment and preventing the use by third parties of the equipment's processing capabilities."

By using the wording "placed on the market," this provision targets the retail sector as well as the manufacturers of internet-connected products, such as smart TVs, smart energy meters, smart watches, smartphones, connected cars, computers, smart Barbies, and smart consumer products collectively known as "IoT devices".

The draft GDPR also contained a provision that required producers of devices to comply with the data protection by design requirement. That provision was subsequently deleted, as it did not make any sense in the context of the other provisions of the GDPR. The provision of the e-Privacy Regulation complements Art. 25 of the GDPR.

Nevertheless, personal information collected by the device manufacturers themselves is already covered by the privacy-by-design and -default requirements of the GDPR, as they are the controllers of the data processing. So, the settings of smart devices must be configured to ensure the rights of the consumers and to ensure the processing meets the requirements of the GDPR. But the ePrivacy Regulation will require those manufacturers to also configure those devices to prevent third parties from processing user information without the user's choice to do so. This is a duty-of-care requirement on the part of the manufacturer and retailer, which Art. 10 translates into a prohibition to sell products in the EU which do not meet this requirement.

Obviously, the retail and wholesale sector in the EU will be covered by this provision. But as most devices are manufactured outside Europe and the settings of the pre-installed software would have to be taken care of already in the factory, this provision will also cover non-European manufacturers of electronic devices. Their products may not be shipped to the EU without the proper privacy and security settings.

EU to set the standard?

By requiring that no product be placed on the market that does not meet the privacy-by-default requirement, the EU may effectively set the standard for a more secure range of consumer products across the world, depending on whether those factories choose to produce separate products for regional demand or not. Of course, the requirement does not (primarily) cover the hardware itself, but mainly the software pre-installed on the devices, down to the embedded software in the chips used in the device. Ergo, chip manufacturers may be required to ensure that only secure chips are used. On the other hand, device manufacturers, including EMS, ODM and OEM manufacturers, will be required to install software pre-configured to protect user privacy. This pertains to the operating systems used as well as to the apps pre-installed on the device. For example, pre-installed apps and browsers should all be installed with do-not-track enabled by default. All this happens under the direction of the companies under whose brand the product is sold. But the ultimate responsibility for compliance with this rule lies with the (web)shop selling the device.

It should be noted that the wording of Article 10 limits the requirement to the import and retail phase. There is no legal obligation in the ePrivacy Regulation to keep supporting the device and its software with respect to privacy and security once it has been sold. Ergo, keeping the device free from malware and patching the software will remain the responsibility of the user.

Note that the rule does not give the consumer a reasonable expectation of security nor a warranty that the device is secure at the moment of purchase, as the moment that the product was 'placed on the market' may lie weeks, months — or in some cases even years — before the moment of purchase. So, the faster the retailer moves their inventory, the more likely it is that the product is (still) secure. But nevertheless, this new rule, if enacted, would be a major step forward to ensure that end-user products will be secure.

Although the ePrivacy Regulation will, for the most part, be enforced by privacy and data protection authorities, the enforcement of Article 10 would be the primary responsibility of customs (preventing non-compliant products from being imported) and product safety and consumer protection authorities (preventing non-compliant products from being sold).

This requires thorough and up-to-date knowledge of privacy and information security at those agencies; knowledge that they currently are not required to have. The same is true for the procurement departments of retail stores and webshops. The level of knowledge about privacy and information security at those agencies and retailers, or the lack thereof, may prove to be the Achilles' heel of this proposal.

Written By

Jeroen Terstegge, CIPP/E, CIPP/US

1 Comment


  • Domenic S. DiLullo Jr. Jan 8, 2017

    Considering the implications for the increasingly growing IoT ecosystem and the number of sensors and devices that are forthcoming, one can certainly argue that the EU is setting the standard, though it will be worth following the new incoming administration and how the makeup of the FTC will want to tackle regulations, or potential regulation, of the IoT.
