Proposal for a Regulation on Privacy and Electronic Communications

Another brick in the construction of the Digital Single Market

27 April 2017

On 10 January 2017, the European Parliament and the Council approved a proposal for a Regulation addressing privacy and confidentiality issues involving electronic communications. This Proposal, which will supersede a Directive dated 2002, will impose stricter rules for electronic communications and will adapt the current legislative framework, which has become obsolete, to the new needs and challenges of the market.

The context of this proposal for a Regulation

Almost one year ago, we referred to the Proposal for a Directive on contracts for online and other remote sales of goods. The European Union issued that proposal in order to develop the European Digital Single Market (DSM) strategy, a top priority for the European Union.

Now, we return to the path of the DSM to explain one of the latest proposals made by the European Union within the DSM strategy: the Proposal for a Regulation on Privacy and Electronic Communications, which was approved on 10 January 2017.

As we will see, the Proposal is aimed at reinforcing the protection of fundamental rights and freedoms, of both natural and legal persons, namely the respect for private life, confidentiality of communications and protection of personal data in the electronic communications sector.

Why this new proposal for a Regulation?

According to surveys and data handled by the institutions of the European Union, security and privacy risks inherent to digital services are one of the biggest concerns for users (natural and legal persons) when it comes to the use of electronic communications.

The regulation in place dates back to 2002: Directive 2002/58/EC, concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive). Although the objectives and principles of the ePrivacy Directive are still valid, major technological developments have occurred since its last revision in 2009, and it has become obsolete.

Therefore, the time has come for a revision and update of the ePrivacy Directive, a revision that is necessary to adapt the current legislation to the market and to the new challenges of the future (e.g. Internet of Things, Over-the-Top communications, etc.). The Proposal is born of an extensive process of revision and update and is destined to derogate the ePrivacy Directive.

It is important to take into account that the Proposal needs to be understood and interpreted within the broader context of the DSM strategy and, in particular, in conjunction with the General Data Protection Regulation of the European Parliament and of the Council (the GDPR). As explained in the Explanatory Memorandum of the Proposal, the Regulation will be "lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data".

Summary of key issues

Some of the main issues covered by the Proposal are the following:

  1. Unlike the ePrivacy Directive, the Regulation will be applicable to the "non-traditional" providers of electronic communication services (e.g. WhatsApp, Facebook Messenger, Skype, Gmail, iMessage or Viber).
  2. When the Regulation, which is directly applicable, supersedes the ePrivacy Directive, all citizens and legal persons within the European Union will benefit from the same level of protection in their electronic communications.
  3. The Regulation contains strict provisions regarding the use of metadata (which will be private and shall be rendered anonymous or deleted unless users give their consent); cookies (the Proposal advocates for clarification and simplification of the consent rule for the use of cookies and other identifiers); and spam (the Regulation prohibits all types of unsolicited electronic communications unless users have agreed to them).
  4. The supervisory authorities of the Member States will be empowered to impose penalties in the event of infringement of the Regulation. The fines may amount to 20 million Euro or 4% of the total worldwide annual turnover of the infringer, whichever is higher.

Next steps

The Proposal was issued on 10 January 2017 and now needs to be approved by the European Parliament and by the Council.

According to the current text of the Proposal, on 25 May 2018, the ePrivacy Directive will be derogated and the Regulation will become directly applicable to all Member States as of the same date.

This date coincides with the entry into force of the GDPR, which reinforces the fact that both the Proposal and the GDPR will complement each other and shall be considered two more pieces of the DSM puzzle.