The European Commission ("EC") officially revealed its proposed draft E-Privacy Regulation this January.

The draft is set to replace the current EU E-Privacy Directive (2002/58/EC as amended) ("Directive") which is implemented into UK law by the Privacy and Electronic Communications Regulations ("PECR"). (PECR imposes rules on electronic communications including nuisance marketing and cookie consent.)


Readers may recall that in 2016 a public consultation concerning the Directive took place. On 19 December the EC released feedback to the consultation together with the results of the Eurobarometer survey.

  • The Eurobarometer survey canvassed the views of European citizens on e-privacy and concluded that the confidentiality of user data, including emails and instant messages, were of the utmost importance to EU users.
  • In the consultation, 83% of non-industry responders (comprising citizens, consumer and civil society organisations) considered it appropriate to have specific confidentiality rules for the electronic communications sector; 63% of industry respondents disagreed.

Draft E-Privacy Regulation: Impact

The draft regulation will be directly effective in EU member states when implemented, including the UK. This means that on the implementation date the regulation becomes law throughout every Member State. Like the GDPR (but unlike the current Directive), this will help to remove the cross-border disparity in application of e-privacy law by promoting equivalent e-privacy standards across the EU.

The regulation is scheduled to apply from 25 May 2018, the same date as the GDPR, but in contrast to the GDPR, the regulation is far from finalised. At present the proposals of the draft regulation are to:

  • catch over-the-top communications (e.g. WhatsApp, Messenger, Facebook and Skype). These newer forms of communication are not considered in the current rules;
  • reflect the definition of consent in the GDPR whilst clarifying the rules on cookies and other required consents;
  • impose stricter direct marketing requirements, including obligations on marketers to identify themselves (already applicable in the UK);
  • offer protection for businesses as well as individuals; and
  • increase the financial penalty applicable for non-compliance. Some breaches under the draft will attract financial penalties up to 4% of annual business turnover worldwide or €20,000,000, whichever is higher.

The draft regulation will undergo further review and scrutiny from the European Parliament and Council of Ministers before finalisation. A key point to note is that at present the ICO can fine up to £500,000 for data privacy breaches, under the draft proposals, this figure rises significantly. Organisations should ensure that, once the proposals are finalised, they audit all affected areas e.g. marketing processes and web consents, and ensure that they are compliant with the new rules. Organisations should continue to watch out for developments in respect of the draft regulation's implementation into law.

To view the EC publication on the proposals, please click here.