Text of new e-Privacy regulation leaked

On 12th December 2016, the text of the replacement for the e-Privacy Directive was leaked. The draft suggests a significant toughening of the online and direct marketing landscape and, predictably, a convergence with the provisions in the General Data Protection Regulation.  

This is just a draft: the actual Commission proposal may be different and the final, agreed instrument, different again. When the text of the General Data Protection Regulation was leaked, almost 5 years ago to the day, in December 2011, the leaked text turned out to be significantly harsher than the text which was actually published. Online advertisers, browser providers and device manufacturers will be hoping the same is true here.


The e-Privacy Directive is the EU legislation which contains rules on cookies and similar technology. 

The draft broadly maintains the current consent rule for cookies. A cookie will either need prior consent, or have to be strictly necessary to carry out the communication with the user or to provide an online service requested by the user. The recitals suggest that services requested by a user could be somewhat more liberally interpreted than at present - so personalisation cookies (to set language preferences) may be exempt on this basis.

The draft suggests that the rules should apply not just to cookies, or to information stored on or retrieved from the device (as at present) but whenever information about the device is collected.

What about analytics? Data protection authorities and others had suggested a derogation from the cookie consent requirement for cookies used for analytics. The draft does not refer to analytics but does suggest a derogation for 'web audience measuring to that service' 'carried out by the provider of the information society service'. Analytics providers could, perhaps, spend the holiday period penning alternative wording which better captures their activities. 


Unsurprisingly, the definition of consent used in GDPR is to be read across into the draft e-Privacy text. However, the draft also introduces significant practical changes, so that obtaining consent will require much more effort. Technology providers are required to include default settings which must all be set to preclude third parties from storing information on, or using information about, an end-user's device. So, browsers would have to be pre-configured so that cookies used for frequency capping of ads or ad-serving would be blocked by default unless a user opts to enable them.

Similarly, mobile device manufacturers and operating system manufacturers would have to ensure that SDKs (used by app developers to allow ad tech companies to collect data) are blocked by default. Presumably device identifiers would also have to be activated by the user before they are transmitted for use by third parties for non-essential purposes. 

The draft also states that end-user consent can be expressed by technical settings of a software application which enables access to the Internet: if all browsers are set to default to reject cookies, then it follows that switching settings to allow cookies will operate as a permission for cookies, without need for overlays or interstitial consent pages. 


The e-Privacy Directive also contains rules on email and phone marketing. 

The draft proposes a general prior consent (ie opt-in) requirement whenever electronic communications services are used to transmit direct marketing. The current distinctions between corporate subscribers and individual subscribers are not retained - although the so-called soft opt-in for email marketing for similar products and services in limited circumstances is retained. 

There are broader definitions of electronic communications service and direct marketing (any form of advertising sent to one or more identified or identifiable end users of electronic communications services). The definition does not state by whom the end-user must be identifiable. This could apply to targeted display ads in social media (eg custom audience initiatives) - indeed to all advertising in social media (as the platform always knows who the end user is) - and, if identifiability is determined by reference to the knowledge of the ISP, to all general display ads, even those which are contextual.

Voice calls are generally considered more intrusive than other forms of marketing. Bizarrely, although online ads are to be regulated heavily, Member States are to retain the right to allow live voice calls for marketing on an opt-out basis. However, direct marketing calls must use a specific marketing prefix number, so that end-users can recognise them as marketing calls.


Data protection authorities are to be responsible for supervising the rules on cookies, confidentiality of communications and use of metadata (see below). They could also be responsible for other areas of the draft, but need not be. For this core area of data protection authority supervision, the consistency rules set out in GDPR will apply (eg the role of a lead authority whose remit is to ensure consensus of authorities and the role of the European Data Protection Board as arbiter and tribunal).


The draft follows the approach of GDPR in extending broader rights to individuals (such as rights for representative bodies to bring claims and provisions tilting the balance of proof in favour of individuals). The bigger sanctions available to data protection authorities are also read across. 

The 4% penalty will be available for breaches of communications secrecy requirements, cookies and rules on use of metadata. The lower 2% penalty will be applicable to providers of devices and software who fail in their privacy by default obligations (eg browsers who do not implement third party cookie blocking by default), to directory providers (see below) and to users of location data who do not comply with the opt-out requirements (see below). 


The Commission has followed the approach of GDPR - and suggested that the new text be a Regulation: precluding Member State implementation and variation. As the text tries to harmonise a previously very diverse area (communications secrecy), there may be considerable opposition to this from member states.


The draft suggests that it will come into force 20 days after publication in the Official Journal and will be effective 6 months after that. The Commission objective had been to ensure that changes to this instrument were effective at the same time as GDPR - ie 25th May 2018. To meet this timescale (allowing for the language checking and translation process at the end of the process), the Commission would have to ensure that the draft is finalized and the legislative process ended by early October 2017. Fasten your seat belts: it will be a fast and bumpy ride.



Mobile devices routinely communicate with nearby wi-fi access points. Service providers can make use of this - to track the location of someone with a mobile device and to record the location of the wi-fi access point for later use in mapping products. The draft restricts all non-essential data collection of this type. It codifies industry best practice, requiring that clear notice is given of any data collection of this type (possibly via icons), that users are told about ways of minimising collection and have a right to object to any collection for purposes of profiling and direct marketing.


The broad structure of the current rule is retained: service providers are allowed to use meta data (broadly, the data currently defined as traffic data) for necessary purposes - such as billing, fraud prevention and ensuring service quality. These purposes are broadened slightly - acknowledged problem areas such as use of metadata to assist the emergency services and to allow detection of technical faults and errors are included as permitted purposes.

In addition, service providers are allowed to use metadata with consent of the end-user to whom the data relates. However, users must be asked about their consent every 6 months. Further, if the purpose of processing could be achieved with anonymous data, the data must be anonymised. In addition, if the processing would be for a high-risk purpose, then the Privacy Impact Assessment process under the General Data Protection Regulation is triggered.

Once the permitted purpose has been fulfilled, the data must be erased or anonymised. The Regulation is more prescriptive about how this should be determined - for example making clear that, for billing data, this period would end once a bill can no longer be challenged. 

The Regulation also states that end-users should only lawfully be allowed to store copies of their own communications, or to allow a third party to store them, if they retain 'sole control' over the communications data. This would seemingly rule out ad-based email or other communication services if there is any scanning of stored communications or posts. As drafted, this would also seem to restrict one user's ability to forward a communication to another recipient (as the sender would no longer have 'sole control' of the communication): this seems a bizarre over-regulation of private life.


Any interference with secrecy of content of communications is illegal unless the affected end-user consents, or the Regulation permits the interference. However, the Regulation does not (and cannot) apply to activities which fall outside the scope of EU law - so activities carried out for national security purposes would remain to be regulated at Member State level. The current rules - allowing derogations for national security, defence and prevention and detection of crime - are broadly still permitted.


Member states can introduce rules allowing this where required to provide evidence of a commercial transaction or other business communication.  


The current rules (allowing users to block the identification of their number when they call someone, or, for example, to block calls where the number has been withheld) are broadly restated. There are also provisions applying them to international calls. There are carve-outs where this is required for emergency services or to prevent malicious or nuisance calls. 


Telcos have to deploy state of the art technology to help consumers stop unwanted calls - including offering them an ability to block calls from specific numbers. 


Can only include natural persons who have consented to be included. Legal persons can be included on an opt-out basis.


The draft follows GDPR in stating that it applies to organisations who provide services to individuals in the EU - in this case, if an organisation provides an electronic communications service from outside the EU to an individual in the EU, then any electronic communications data processed in connection with the provision of that service is affected.
