The ePrivacy Directive (Directive 2002/58/EC), officially known as the "Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector," is a European Union (EU) law that establishes specific privacy rules for electronic communications services and networks. Adopted in 2002 and amended in 2009 (by Directive 2009/136/EC, which introduced the "cookie law" amendments), it aims to complement the broader data protection framework, most notably the General Data Protection Regulation (GDPR), by providing sector-specific rules for areas like confidentiality of communications, traffic data, and the use of cookies.
Key Provisions and Scope
The ePrivacy Directive applies to providers of publicly available electronic communications services and networks within the EU. Its main provisions include:
- Confidentiality of Communications: It prohibits listening, tapping, storage, or other kinds of interception or surveillance of communications and related traffic data without the consent of the users concerned, except when legally authorised.
- Traffic and Location Data: It regulates the processing and retention of traffic data (data relating to a communication, such as source, destination, time, duration, and volume) and location data (data indicating the geographic position of a user's terminal equipment). Such data can generally only be processed for billing, interconnect payments, fraud prevention, or specific value-added services with user consent, and must be erased or anonymised once no longer needed.
- Cookies and Similar Technologies: Article 5(3) of the Directive, often referred to as the "cookie law," requires service providers to obtain users' informed consent before storing or accessing information on a user's terminal equipment (e.g., computer or smartphone), unless such storage or access is strictly necessary for the provision of a service explicitly requested by the user. This provision has led to the widespread appearance of cookie consent banners on websites.
- Unsolicited Communications (Spam): It regulates unsolicited commercial communications (spam) by email, SMS, and other electronic means. It generally requires prior consent ("opt-in") for such communications to individuals, with an exception for existing customer relationships ("soft opt-in") under certain conditions.
- Data Security: It obliges providers of electronic communications services to take appropriate technical and organisational measures to safeguard the security of their services.
Relationship with GDPR
The ePrivacy Directive is often referred to as a "lex specialis" (specific law) to the GDPR ("lex generalis" or general law). This means that where there is an overlap in scope, the ePrivacy Directive takes precedence because it provides more specific rules for electronic communications data. However, the GDPR's general principles, such as the requirements for lawful processing, data subject rights, and accountability, still apply in areas not specifically covered by the ePrivacy Directive. The two regulations are designed to be complementary, with the ePrivacy Directive focusing on the confidentiality of communications and specific technical aspects, while the GDPR addresses broader personal data processing across all sectors.
Proposed ePrivacy Regulation
Recognising that the Directive, particularly its 2002 text, is outdated in the context of rapid technological developments and the GDPR's entry into force, the European Commission proposed a new ePrivacy Regulation in 2017 to replace the Directive. The aim is to strengthen privacy protections in electronic communications, extend its scope to new communication services (like WhatsApp, Skype, and other Over-The-Top or OTT services), align it more closely with the GDPR, and ensure consistent application across the EU as a regulation, rather than a directive, which requires national transposition.
Key objectives of the proposed ePrivacy Regulation include:
- Expanding the scope to cover all electronic communications services, regardless of whether they are provided by traditional telcos or OTT providers.
- Strengthening rules on the confidentiality of communications, including content and metadata.
- Clarifying and strengthening the rules on cookies and similar tracking technologies, with a focus on making consent mechanisms more user-friendly and effective.
- Providing stricter rules for direct marketing communications.
- Introducing significant fines for non-compliance, similar to those under the GDPR.
However, the legislative process for the ePrivacy Regulation has faced significant delays and disagreements among EU member states and institutions, particularly regarding the scope of data processing, the use of cookies, and the balance between privacy and innovation. As of late 2023, negotiations are ongoing, and its final adoption remains uncertain.