ePrivacy – the illegitimate child of the GDPR?

The European Union (EU) data privacy legislation aims at following the rules set out in the EU Charter of Fundamental Rights. The most important articles in this context being Article 7 on the respect for private and family life and Article 8 on the protection of personal data.[1] The current GDPR legislation covers all the issues laid out in Article 8, which are in summary: right to protection of personal data, consent or other legal purposes, right to access, right to rectification, and authority control.

The ePrivacy Directive[2] and the General Data Protection Regulation (GDPR) provide the current legal framework to ensure digital privacy for EU citizens. The ePrivacy Directive is originally from 2002 so it is somewhat outdated considering the advances in technology and change in the usage of technology in the last 17 years. For example, the term “voice telephony call”[3] has not been used in a while. The last revision of the ePrivacy Directive was done in 2009, but even in the past 10 years the change and development in technology has been mindboggling.

The European Commission has reviewed the Directive to align it with the GDPR and has provided a proposal[4] in 2017 for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive.[5] The exact content, or when it will become applicable, is still under discussion. ePrivacy will change electronic direct marketing and cookie use, as well as have impact on targeted advertising.[6]

The main aim of the Commission’s proposal is to update and keep up with the fast-paced world. The key points have been listed as the following:

  • Applying to new players such as WhatsApp, Messenger and Skype
  • Stronger rules as all players would have the same level of protection (instead of a directive only setting the minimum requirements)
  • Privacy guarantee for communications content and metadata
  • Traditional telecom operators will have more opportunities to provide additional services, once consent has been given
  • Simplifying the rules on cookies making them more user-friendly
  • Banning unsolicited emails. SMS, automated calling machines
  • Enforcement to the data protection authorities, who are also in charge of the GDPR enforcement[7]

It has been deemed that the ePrivacy initiative has witnessed the highest amount of lobbying ever seen.[8] Some have even called ePrivacy the illegitimate child of the GDPR. Could the reason be that it should have been implemented simultaneously with the GDPR but instead will come into force later on and thus be ”born out of wedlock”? Nevertheless, now all that can be done is wait for the EU bodies to take the next steps and see how lobbying will affect the final outcome. Even though it is unlikely that anything will happen in the next few months (due to the upcoming EU elections), all companies and bodies that were affected by the GDPR should stay active and alert on this topic.

To summarise:

  • What? An add-on legislation to the current GDPR but with a focus on electronic means
  • When? The legislation is already in force, but it is not known when the update will come into force
  • Where? EU, so it will affect all citizens and companies within the EU




[2] DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), (read 18.2.2019)

[3] Preamble 27 of the Directive 2002/58/EC

[4] Proposal for a Regulation on Privacy and Electronic Communications (10.1.2017), (read 18.2.2019)

[5] EU Digital Privacy (12.11.2018): Digital privacy (read 29.1.2019)

[6] EY Finland (15.1.2019): Tietosuojalaki voimaan 1.1.2019 – mitä pitää tietää? (read 29.1.2019)

[7] Proposal for an ePrivacy Regulation (2018): (read 20.2.2019)

[8] Shutting down ePrivacy: lobby bandwagon targets Council (2018) (read 15.4.2019)