New EU regulation governs the business’s web presence. Corporate websites and electronic means of communication should be consistent with the new data protection rules


The Regulation on Privacy and Electronic Communications (e-Privacy Regulation) is the next step following the adoption of the General Data Protection Regulation (GDPR) in the harmonization of data protection in the European Union. The e-Privacy Regulation aims to regulate the processing of electronic communication data by the providers of electronic communications services.

Objective of the Regulation

After coming into force, the e-Privacy Regulation will replace the Directive on privacy and electronic communications, as supplemented by the so-called “Cookie Directive”. The main reasons for the adoption of the new regulation are the important technical and economic developments in the market in recent years. A large number of innovative internet services enabling inter-personal communication, such as Skype, WhatsApp, Facebook Messenger, Google Hangouts, are being increasingly preferred to conventional communication services. The so-called OTT-services are currently left to self-regulation by the industry itself, since they are not covered by the Directive on privacy and electronic communications. The European legislator intends to create uniform rules for all communication services, this time changing the legal instrument from a directive to a regulation, which applies directly at the national level and does not require transposition into national law.

The e-Privacy Regulation aims to provide a unified level of data protection with respect to the use of communications services and to create a common European framework for companies. The new regulation should supplement the GDPR in the area Internet services. It sets its focus on the internet industry and respectively shall take precedence in this field over the provisions of the GDPR. Substantial changes are expected in the analysis of user data, in the e-mail marketing and most notably in the use of cookies.

Scope of application

The e-privacy Regulation establishes rules in order to protect fundamental rights and freedoms of natural and legal persons in connection with the provision and use of communication services and governs in particular the rights to privacy and communication and the protection of individuals with regard to the processing of personal data.

The rules apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet, i.e. apps and browser providers. The Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment. Hence the Regulation should apply not only to providers of electronic communications services but to all company websites using cookies. Even “hotspots” fall within the scope of the Regulation, in contrast to closed groups of end-users such as corporate networks. The principle of confidentiality should apply to current and future means of communication, including phone calls, internet access, instant messaging applications, e-mail, internet telephony and the sharing of personal content on social media.

Legislation procedure

The e-Privacy Regulation is still pending before the European legislator. On 10 January 2017, the EU Commission presented the first draft of the Regulation. In the summer of 2017 followed the opinions of the Article 29 Working Party and of four committees of the European Parliament. In October 2017 the draft legislative resolution of the European Parliament was published, introducing substantial changes to the draft. The Commission’s draft needs to be examined by the EU Council before trilogue negotiations between the legislative bodies can begin. The Finnish presidency of the Council has currently presented several new draft proposals. Originally, it was planned that the e-Privacy Regulation would come into force at the same time as the GDPR on 24 May 2018. The legislative procedure was delayed. By now, it is expected that the e-Privacy Regulation will not come into force before the beginning of 2021.

Significant changes in the latest draft proposals

Direct marketing

Direct marketing via electronic communications requires opt-in consent of the end-users. Direct marketing for own similar products and services to existing customers would still be based on legitimate interest with a right to opt-out, if such end-users are clearly and distinctly given the opportunity to object, free of charge and in an easy manner. The right to object needs to be given at the time of collection of the data and each time that a message is sent for direct marketing purposes. Member States may provide by law a set period of time, after the sale of the product or service occurred, within which the customer’s contact details may be used for direct marketing purposes.

Rules regarding cookies (See also

The new proposal clarifies the prohibition of coupling of consent stating that users must have a genuine choice with regard to accepting or declining cookies. The conditional access to website content may be made conditional on the well-informed acceptance of cookies, only if an equivalent offer does not involve consenting to other than cookies that are technically required to operate the website or to provide the website service to the user. So-called cookie walls are not allowed.

Processing of metadata

The possibilities for metadata processing are limited. Metadata is data, which describes other data or contains information about it, and consequently may include personal data. Providers of electronic communications services need to obtain the users’ consent to process metadata. In case such a consent is missing, the processing of metadata is allowed only in very specific circumstances, i.e. for the protection of the vital interest of an end-user. Processing of electronic communication metadata for scientific research is considered to be permitted processing.

For further information contact:

Vanya Chichova, Senior Associate

This article has an informative purpose and is not representative of detailed legal advice. If you are interested in receiving advice in the context of a certain situation, we can happily assist you. The law firm is not responsible for any harm caused by acts or omissions undertaken due to this text.