top of page

The e-Privacy Regulation

The PymeLegal Team,

Consultancy of private and intellectual property

The e-Privacy Regulation will be the European regulation that will replace the Directive (EU) 2002/58 on Privacy and Electronic Communications in force in Europe, which in Spain was transposed by the Law on Information Society Services and Electronic Commerce 34/2002 (the LSSI).

Together with the RGPD, it will be one of the basic European regulations that will regulate privacy and the protection of personal data in the electronic communications sector, reinforcing the privacy of citizens and companies on the Internet and other digital communication channels.

This Regulation will be directly applicable in all Member States (as the RGPD) and will have the character of "lex especialis" (special law) as opposed to the character of "lex generalis" (general law) that the RGPD has, that is, if there is a conflict of application between this Regulation and the RGPD, the e-Privacy Regulation will be applied preferentially, since the special law takes precedence over the general law.

Who will the e-Privacy Regulation protect?

Unlike the RGPD, which only protects individuals, this Regulation will protect both private users and companies; electronic communications may contain very private information (such as health information, for example), but they may also contain confidential information of high economic value or reveal trade secrets, and that is why companies deserve protection through this regulation.

These activities will be protected independently for all users located in the EU or whose information belongs to European users.

What will this Regulation regulate?

The e-Privacy Regulation is closely linked to the GDPR, as both regulate the same element: privacy. On the one hand, one regulates it in its broadest sense (the GDPR); on the other, it regulates communications through the Internet and other digital communication channels. This Regulation will also regulate the use of the information obtained on the equipment or terminals of the users of these services and the metadata referring to the end-users in the EU. It will also regulate the restriction of caller identification, blocking of unwanted incoming calls by the users, etc. And the possibility for consent to be obtained through the browser, requesting the user a specific configuration at the time of installation and modifiable at any time.

What are the new features of this new Regulation?

This Regulation will bring several new features, among them, those related to the consent given so far in electronic communications, cookies and control over electronic communications and commercial calls.

Regarding consent, the provisions of the RGPD will apply, and this time also to companies, i.e., the collection of consent must be express, free, informed and unambiguous. Consent expressed directly by the user will prevail over consent given using browser settings. We must also bear in mind that users who have consented to the processing of electronic communications data (newsletter, for example) must be periodically reminded of the possibility of withdrawing the consent given, and must do so at least once every twelve months. It should be borne in mind that the data must be processed for the period of time required for the fulfillment of the purpose, and if they are to be processed for a longer period of time, they must be anonymized. For the time being, it is left to the Member States to decide how long a user is considered a "customer" to send commercial communications.

As regards metadata, the processing of metadata in electronic communications will be permitted in the following cases:

  • Because they are necessary for the management or optimization of the network or to meet the technical requirements of quality of service;

  • For the execution of a contract for electronic communications services (in case of being necessary for billing, calculating interconnection payments, detecting or ceasing for fraudulent or abusive use of electronic communications services or subscription to the same);

  • If consent has been given for such purpose:

  • For the protection of vital interests

  • Or if certain requirements are met, with respect to location metadata necessary for scientific, historical research purposes or statistical purposes.

Metadata that are processed and are compatible in electronic communications, when their processing is for a purpose other than that for which they were initially collected, and their processing has not been based on the user's consent, the provider will be required to analyze whether the processing of the data for this new purpose is compatible with the initial one. (even, in certain cases, it will be necessary to carry out an Impact Assessment) and if so, it can only be carried out with anonymized data.

And about cookies, the prohibition on processing such information is maintained, with the following exceptions:

  • That the user has consented to the processing (the most common assumption).

  • That the processing is carried out to provide the electronic communications service.

  • That it is strictly necessary to provide a service required by the user.

  • That is necessary for audience measurement.

  • That it is necessary for security purposes, fraud prevention or to detect technical failures.

  • If it is required for a software update.

  • To locate the end user's terminal in an emergency call.

As we have seen with consent or metadata, if the information collected is to be used for a purpose other than that initially intended, the provider must analyze the compatibility of these purposes. And the processing will only be consistent if the information is erased or anonymized when it is no longer needed.

  • Another of the most important new features is that relating to user control over electronic communications and unsolicited commercial calls.

About unsolicited commercial calls, the regulation will leave it up to the Member States to develop rules on the obligations of operators (such as identification).

An important point concerns unsolicited commercial and unsolicited communications. As a general rule, they may only be sent if the recipient has given his or her consent. However, the legitimate interest in sending them will continue to be taken into account as long as the possibility of opposing their sending is given. In addition, it is also established that communications must identify the sender, and use an address to which it can be answered, so that addresses beginning with "noreply@..." will no longer be valid.

What are the penalties?

As for the sanctions set by this Regulation, they are similar to those of the GDPR: the user whose rights have been violated will be entitled to receive financial compensation. And, in addition, the amounts of the penalties may reach up to 10 million euros or 20 million euros or 2% or 4% of the profits obtained by the company.

And when does it come into force and when will it be applicable?

There has been talking of the e-Privacy Regulation since 2016, having a first draft as early as 2017 and the idea of the European Union was to approve it at the same time as the General Data Protection Regulation, but this objective was not achieved and, as of today, there is still no binding decision on its approval. The EU Member States are unable to reach an agreement.

What there does seem to be a quorum on is that, once it is published, a 2-year moratorium will be given to companies so that they can adapt to the new regulation and make it fully effective.


From what we have seen, this will be a Regulation that will pivot based on privacy by default, as advocated by the GDPR, protecting both individual and corporate users. However, it will add a few headaches for marketing departments and website managers as it will regulate a series of obligations that will be much more restrictive than those known up to now. Some sectors even fear that the changes made to business models for the GDPR will have to be modified due to the arrival of this regulation.

We will keep a close eye on all developments regarding this regulation and will keep you informed. If you have any clarification or query, do not hesitate to contact us; we are at your disposal!

- The PymeLegal Team

71 views0 comments


bottom of page