In January 2017, the European Commission proposed the text of the new Privacy and Electronic Communications Regulations (“e-Privacy Regs”) to replace the e-Privacy Directive currently in force.

Together with the General Data Protection Regulation (“GDPR”) the e-Privacy Regs, if adopted, will provide a new privacy framework for electronic communications. (You can find one of our updates on the GDPR here).

The legislation is aimed at over-the-top (“OTT”) communications which include content, services or applications that are provided to end users over the internet. OTT services such as WhatsApp or Skype challenge traditional telecommunications services.

The purpose of the draft e-Privacy Regs is to bring OTT services into scope and harmonise the legal approach in this area across EU member states.

When will it come into force?

The draft regulation states expressly that it will come into force on the same date as the GDPR, being 25 May 2018.

Who will it apply to?

The draft regulation will apply to all providers of electronic communications services, such as voice-over-internet protocol, text message and email providers. Other sites and apps offering ancillary electronic communication tools (such as video games companies, hotel recommendation websites and dating apps) may also fall within the scope of the draft regulation.

What are the key changes to be aware of?

The draft regulation provides that e-communications data (including content data and metadata) may be processed when necessary for specific legal purposes or to detect technical faults to ensure the security of communications.

Content data

Specifically, content data can be used either:

  • with the consent of the end user (provided that processing is necessary for the provision of the services); or
  • when all end users concerned have given their consent for one or more purposes that cannot be fulfilled if the information is rendered anonymous.

It must be erased or anonymised after receipt of the content by the end user.


Metadata can be used, when necessary to do so, for:

  • mandatory quality of service requirements;
  • billing and calculating interconnection payment;
  • detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services; or
  • when the end user’s consent has been given for one or more purposes that cannot be fulfilled if the information is rendered anonymous.

Once the permitted use has been fulfilled, metadata must be erased or anonymised.


Consent is still required unless the use of cookies is necessary for the sole purpose of carrying out the communication or strictly necessary and proportionate for the legitimate purposes of enabling the use of a specific service requested by the end user.

Consent could be provided via web browser settings. If non-complying software has been installed at the date the e-Privacy Regs come into force, it will need to be updated to comply with consent requirements on its first update or by 25 August 2018 at the latest.

Websites using Google Analytics or other analytics software, and software developers permitting electronic communications, must offer the option of preventing third-party cookies. End users must be informed during the initial set-up about their privacy settings options and must consent to a setting before they can continue with the installation.

Direct marketing and electronic communications definitions are also broader than those currently in force. For B2C communications, the sender needs to obtain individual consent for direct e-marketing. For B2B communications, the proposed e-Privacy Regs allow EU member states to interpret this to ensure that corporate end users are sufficiently protected.

What are the penalties for non-compliance?


The draft regulation introduces fines, in line with the GDPR, ranging from:

  • €10 million or up to 2% of the total annual turnover for violating unsolicited communication rules to €20 million; or
  • 4% of the total worldwide turnover for the unlawful processing of communications data.


There is also a potential right for those affected to claim compensation and damages from communication providers if they have “suffered material or non-material damage as a result of an infringement”.

What can companies do to prepare for the e-Privacy Regs?

Companies will need to ensure that they use e-communications data in line with the e-Privacy Regs, think carefully about how they obtain user consent and ensure that they clearly explain the purpose of third-party cookies. If the end user refuses to give consent, browsers are legally obliged to immediately block these cookies.

The penalties for infringements could be severely damaging and companies should begin looking at their compliance measures.