The European Commission today published its formal proposal for a new regulation on e-Privacy (“ePR”), following publication of a leaked draft in late December 2016. The Commission also issued a communication on “Exchanging and Protecting Personal Data in a Globalised World” and a proposal for a Data Protection Regulation applicable to the EU institutions, as part of its Digital Single Market strategy.

The proposed ePR is intended to replace the current e-privacy Directive, updating it in line with the General Data Protection Regulation (“GDPR”) and technological developments that have occurred since the e-privacy Directive was amended in 2009.

The ePR proposal regulates the processing of electronic communications data and metadata, storage and erasure. In line with the proposed Electronic Communications Code, it would extend the obligations applicable to traditional electronic communications networks and services to cover certain online services, such as Voice over IP and web-based e-mail services. The proposed ePR also contains revised rules of general applicability regarding the installation and use of so-called cookies and similar apps as well as the sending of unsolicited communications. The European Commission proposes that the supervisory authorities responsible for the monitoring of the GDPR also monitor the application of the ePR. The proposed level of fines for violations reflects the GDPR values (up to 2% or 4% of worldwide turnover).

The proposed legislation must now be reviewed by the European Parliament and the Council. The European Commission aspires to have the ePR enter into force on 25 May 2018, the same date as the GDPR. This is an ambitious objective given the concerns about the proposed rules that have already been raised by industry and consumer rights groups.