The ePrivacy Regulation: When And Why You Should Care

Author: Michael Kyprianou & Co LLC
Profession: Michael Kyprianou & Co LLC

What is the ePrivacy Regulation?

The ePrivacy Regulation[1] ('ePR') is an unfinished EU law first published in January 2017 that is meant to become an extension of the European Union's General Data Protection Regulation ('GDPR').[2]

The ePR is an attempt to streamline and improve EU laws regarding privacy of communications through users' electronic devices. The ePR targets the use of cookies and other tracking technologies, electronic marketing, metadata processing and so-called 'over-the-top' communication services like WhatsApp and Skype.

The ePR was originally supposed to be approved in May 2018; however, the text has not been finalised yet and is still being negotiated. When the ePR does eventually become applicable, it will repeal the current ePrivacy Directive ('ePD', also known as the cookie law).

Differences between ePR and GDPR

Although there is some overlap between the ePR and the GDPR, in practice these regulations are intended to complement each other in the protection of individuals' personal data and how this data is used by the entities possessing it. The GDPR has a very broad scope concerning the collection and processing of 'Personal Data' of individuals. The ePR, on the other hand, is intended to safeguard the privacy of individuals in the context of the various channels of electronic communications.

In instances where there is overlap between these two laws, the ePR is to be deemed 'lex specialis' with respect to the GDPR, which consequently is to be considered 'lex generalis'. By definition, this means that with regard to those areas which fall within the scope of both the ePR and the GDPR, the ePR takes precedence over the less specialised GDPR. Consequently, most data protection issues that fall outside the ePR will fall within the scope of the GDPR.

Who will be affected?


The ePR is intended to regulate those organizations and individual providers dealing with publicly available electronic communication, specifically those that use or store information from EU users' electronic equipment.

The following are a few examples of such entities:

Website owners
Users of online tracking tools
Telephone/internet/fax marketers
Communication service providers
Owners of publicly available directories
Publicly available wireless network operators
Internet users located within the EU

Internet users, mainly those browsing within the EU, will see changes in service policies and the way their communication data are being handled. Depending on the final text of the ePR they could see a significant reduction in popups and advertisement spam, though critics worry the ePR might block their access to certain international sites or cause even more spam.

Member states

Member states will likely see national legislation in the framework of the ePrivacy Directive replaced by the ePR articles, in a similar manner to that experienced in the transition caused by the GDPR. Data protection authorities will have to carry out...
