Privacy & Data Protection

ePrivacy Regulation

Latest Developments

February 2021 – the EU Council of Ministers reached a General Approach on the proposal for the ePrivacy Regulation.


While the GDPR is the main legislative framework for data protection rules, some other EU laws contain rules on the use of personal data too. One example is the Second Payment Services Directive (PSD2), which contains rules around access to and use of payment data, but the ePrivacy Regulation is perhaps the most well-known, and long anticipated.

The purpose of the ePrivacy Regulation (historically) is to provide specific privacy and data protection rules in relation to electronic communications. Key points of the proposed ePrivacy Regulation are:

Expanded scope: The scope of the ePrivacy rules will be extended to apply to so-called ‘over the top’ electronic communication service providers such as VoIP, various (B2B and B2C) messaging and communication services and videoconference providers. This is to ensure that these popular services provide the same level of protection of the confidentiality of communications as traditional telecoms services.

Communications content and metadata: The rules around the use of communication metadata (i.e., time, location and addressees) and content data are updated to ensure strong privacy protection, but also to enable companies to explore new business models under the right safeguards.

Updated rules on cookies: The European Commission sought to streamline the cookie rules with new provisions. It seeks to rely (again) on browser settings to accept cookies and other identifiers, and to allow more exemptions for non-privacy-intrusive cookies which have the potential to improve the internet experience (e.g., remembering users’ shopping cart history) or analytical cookies. Given the amount of disagreement around the new rules and continuous opposition against the use of cookies for commercial purposes such as advertisements, it is not certain whether the new rules will be adopted.

Protection against spam: The proposal upholds the general ban on unsolicited electronic communications by email, SMS, and automated calling machines and extends it to other means to send such messages, such as via over-the-top communication channels.

More effective enforcement: The enforcement of the confidentiality rules in the regulation will be the responsibility of data protection authorities, already in charge of enforcement of the General Data Protection Regulation.

How could it be relevant for you?

Marketing via online advertisements and the sending of electronic messages is of vital importance for many companies, whether they operate in a B2B or a B2C environment. Companies should be aware of the reforms, and there is still the opportunity to engage in the legislative process.

In addition to the marketing rules, the proposals around confidentiality are relevant to parties offering communication services, both traditional players such as telecom operators and companies that provide ‘over-the-top’ communication services (including as part of a wider offering).

Next steps

Tough negotiations are expected in the trilogue phase of the proposal, where the Council and the European Parliament will need to reach consensus on the text, together with the European Commission. While it is not clear when the Regulation will be adopted, there will be opportunities for industry to contribute to the decision-making process.

*Information is accurate up to 27 November 2023
