Search for:

The European Commission has proposed a new Regulation on Privacy and Electronic Communications (dated January 10, 2017, COM (2017) 10 final) (“Draft ePrivacy Regulation”) that is intended to supplement the General Data Protection Regulation (“GDPR”) with the same effective date as the GDPR (May 25, 2018).

The Draft ePrivacy Regulation is intended to replace the existing “ePrivacy Directive” (Directive on privacy and electronic communications 2002/58/EC as amended by the so called “Cookie Directive” 2009/136/EC which is particularly known for its controversially discussed provisions on the use of cookies). Proposing this legal act, the EU Commission follows the same approach as the GDPR: Fostering harmonization by relying on the legal instrument of a regulation that is directly applicable in all EU Member States and in contrast to the ePrivacy Directive does not need to be transposed into local law.

While some of the provisions are already known from the ePrivacy Directive other parts of the Draft ePrivacy Regulation contain significant changes:

Extended scope

The Draft ePrivacy Regulation has a much broader scope than its predecessor and applies to:

  1. the processing of electronic communications data carried out in connection with the provision and the use of electronic communication services. Electronic communications data means content data exchanged by means of electronic communications services, such as text, voice, videos, images, and sound. But it also means electronic communications metadata which is processed for the purposes of transmitting, distributing or exchanging such content (e.g. location data on the location of the equipment generated in the context of providing electronic communications services, and the date, time, duration and the type of communication).
  2. information related to terminal equipment of end-users which means virtually any kind of information related to devices that can be used for electronic communication by sending, processing or receiving information.

Electronic communications data (content data and metadata)

The Draft ePrivacy Regulation fosters the confidentiality of electronic communications data. At the same time it has the objective to broaden the possibilities of electronic communication service providers to process electronic communications data based on end-user consent.

Still, there hardly remains any room for processing of electronic communications data based on consent. With regard to metadata, consent can only serve as a basis for processing provided that consent is given for one or more specified purposes and the purpose(s) concerned could not be fulfilled by processing anonymized information. Similar strict requirements apply to the processing of electronic communications content which is only permitted on the basis of consent. This consent must be:

  1. either particularly given for the sole purpose of the provision of a specific service to an end-user while at the same time the provision of that service cannot be fulfilled without the processing of such content; or
  2. if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes and that those purpose(s) cannot be fulfilled by processing anonymized information. In this case, consulting the supervisory authority is an additional requirement.

Direct marketing activities

The rules concerning direct marketing activities carried out by means of electronic communications services, including the use of voice-to-voice calls and electronic mail, will not change the basic consent requirement already set out by the ePrivacy Directive. Due to the broad definition of electronic communications services and electronic mail the consent requirement does not only apply with regard to SMS and email, but basically to the use of all kinds of messaging functions (e.g. such functions contained in applications or internet portals) and messages, including such containing text, voice, video, sound or images.

Using electronic mail for direct marketing of own similar products or services will still be permitted, provided the “electronic contact details” have been obtained from a customer in the context of the sale of a product and the customer is clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.

Like the ePrivacy Directive the Draft ePrivacy Regulation gives EU Member States the possibility to permit voice-to-voice call marketing on an opt-out basis.

Use of cookies and similar technologies

The Draft ePrivacy Regulation contains updated rules on the use of cookies and similar, possibly more advanced, technologies that comprise the use of the processing and storage capabilities of terminal equipment and the collection of information from terminal equipment, including about its software and hardware.

This new provision clearly and particularly aims at limiting access to terminal equipment for device fingerprinting and similar activities. The Draft ePrivacy Regulation only provides for three exceptions from the obligation to obtain consent, involving very limited or no intrusion of privacy. The relevant exceptions apply if the relevant activity is necessary for

  1. the sole purpose of carrying out the transmission of electronic communication (esp. transfer of an electronic message),
  2. providing an information society service requested by the end-user (e.g. session cookies for shipping cart functions in online shops or for the purpose of keeping track of online form input), or
  3. web audience measuring (e.g. web traffic), but only provided that such measurement is carried out by the provider of the information society service (i.e. not a third party) requested by the end-user.

The Draft ePrivacy Regulation clarifies that consent can be expressed by using appropriate technical settings of a software application enabling access to the internet. This in particular means that web browser settings can be used to express consent.

Privacy by design and default obligations for internet browsers and other software permitting electronic communications

In this context the Draft ePrivacy Regulation imposes new privacy by design and default obligations on providers of software permitting electronic communications particularly aiming at providers of internet browsers and similar software. The respective software must offer the option to prevent third parties from storing cookies or other information on the end-user equipment or from processing information already stored thereon. The software must be designed to, upon installation, inform the end-user about the privacy setting options of the software and require the end-user to consent to a setting to continue with the installation. The recitals of the Draft ePrivacy Regulation clarify that in this situation users should be offered a set of privacy setting options, ranging from higher (e.g. “never accept cookies”) to intermediate (e.g. “reject third party cookies” or “only accept first party cookies”) and lower (e.g. “always accept cookies”). In case of software that has already been installed before the effective date of the ePrivacy Regulation, the aforementioned requirements apply from the time of the first update of the software, but no later than August 25, 2018.

Device tracking

The Draft ePrivacy Regulation contains strict limitations for the collection of information emitted by electronic communication equipment that can be used for device tracking activities. Equipment connecting to electronic communications networks emits certain sets of information to enable it to connect to another device and / or to network equipment (e.g. to connect to a wireless local area network, “WLAN”). This includes identifiers like MAC addresses or IMEI. The collection of such information will be permitted in two cases only:

  1. if it is done exclusively in order to and for the time necessary to establish a connection (e.g. connection to a WLAN); or
  2. if a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and some other information required under the GDPR as well as any measure the user can take to stop or minimize the collection. This second alternative aims at businesses tracking customers based on the collection of information received from user equipment, for instance, tracking movements of a customer within a shop based on information received from the customers’ smartphone via WLAN routers operated by the shop.

Liability and penalties

The Draft ePrivacy Regulation stipulates fines that are aligned to the ones contained in the GDPR. Depending on the kind of infringement the supervisory authorities are entitled to impose fines of up to EUR 10,000,000 or EUR 20,000,000, or in the case of an undertaking, up to 2 or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, end-users are given the right to make a claim for material or non-material damage due to infringements of the Draft ePrivacy Regulation and to receive compensation from the infringer for the damage suffered. For the infringer it will be difficult to avoid liability as the infringer will have to prove not being responsible in any way for the event that has caused the damage.


Dr. Holger Lutz is co-head of the German Information Technology Group and is based in Baker McKenzie's Frankfurt office. He studied law at the Johann Wolfgang Goethe-University in Frankfurt/Main. He also studied at the University of Edinburgh and gained an "LL.M. in Innovation, Technology and the Law". During his legal clerkship he worked for a German data protection authority as well as international law firms. In 2008 he obtained his Doctor of Law degree on a topic related to software licenses in Frankfurt/Main.


Prof. Dr. Michael Schmidl is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He is a partner at Baker McKenzie´s Munich office and advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Mr. Schmidl also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.