Over the past few years, the European Commission has embarked on a major modernisation of the EU's data protection framework.

Along with the adoption of GDPR, the Commission also created a regulation, which protects the private lives of EU citizens by guarding their personal data in electronic communications. This ePrivacy Regulation aims at repealing and replacing the current ePrivacy Directive (Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector). Intense work on the development of this regulation took place during the Bulgarian Presidency of the European Union earlier in 2018.

Part of the Digital Single Market Strategy to bolster trust in and the security of the digital market, the regulation aims to create greater legal certainty, and to increase the effectiveness and level of protection for privacy and personal data in electronic communications.

While the GDPR protects personal data, the ePrivacy Regulation ensures the confidentiality of communications, and applies to both individuals and legal entities. (This focus on legal entities is considered necessary to protect business secrets or other sensitive information that have an economic value.)

Motives for updating e-privacy rules

Since the last review of the ePrivacy Directive in 2009, new players providing electronic communications services have emerged in the market. These Over-the-Top services, such as WhatsApp, Facebook Messenger and Skype, are for the most part not subject to current EU rules. The ePrivacy Regulation intends to change this.

How will the regulationaffect current legislation

Part of the regulatory framework for electronic communications, the ePrivacy Regulation will be lex specialis to the GDPR, and will expand upon and complement it pertaining to any electronic communications data qualifying as personal data. All matters concerning the processing of personal data that are not specifically addressed by the proposed regulation will be covered by the GDPR.

As for Bulgarian legislation, the regulation will repeal the 2007 Bulgarian Electronic Communications Act.

How will the Regulation affect business?

In addition to companies offering electronic communications services, the regulation will apply to the digital output of almost every company in its use of technology, such as cookies and direct marketing communication (including email newsletters). These businesses will have to incorporate the new requirements into their GDPR readiness planning.

Below are some of the changes the new regulation will bring:

  • Stronger rules: all people and businesses in the EU will enjoy the same level of protection for electronic communications. Businesses will also benefit from one single set of rules across the EU.
  • New players: privacy rules will apply to new players such as WhatsApp, Facebook Messenger and Skype, and will ensure that these popular services guarantee the same level of communications confidentiality as traditional telecoms.
  • Communications content and metadata: privacy will be guaranteed for communications content and metadata, including information like the times and location of phone calls. Metadata is considered highly private and is to be anonymised or deleted if users do not give their consent (unless the data is needed for billing).
  • Simpler rules on cookies: the regulation will follow the tendency of extending exceptions for the consent rules for cookies and similar technology. The new rules will be user-friendly since browser settings will make it easier to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies mean to improve the internet experience (e.g. remembering shopping cart histories) or cookies used by websites to count visitors.
  • Protection against spam: rules concerning unsolicited electronic communications (by email, SMS and automated calling machines) will remain strict. Additional possible regulation could include showing the phone numbers of telemarketers or citing a prefix that indicates a marketing call.
  • More effective enforcement: the enforcement of confidentiality rules will be the responsibility of the same data protection authorities already in charge of the GDPR.


Fines levied by the regulation are in line with GDPR levels and could be as much as EUR 20,000,000, or in the case of a business, up to 4% of total worldwide annual turnover for the preceding financial year: whichever is higher.


The ePrivacy Regulation is part of a comprehensive regulatory system for personal data and privacy at the EU level and should have entered into force at the same time as the GDPR. Although the ePrivacy Regulation has been delayed, it should be adopted sometime in early 2019.