Guide: the most important facts about the ePrivacy Regulation

All important information on the ePrivacy Regulation (ePR), compact and simply explained.

  • The ePrivacy Regulation: the basics
  • Scope of application
  • ePrivacy and GDPR
  • Rights, obligations, and impacts
  • Sanctions
Ab 2020 gilt die europäische ePrivacy-Verordnung (ePVO) für alle Länder der Europäischen Union.

The ePrivacy Regulation: the basics

Die E-Privacy-Verordnung (auch ePrivacy-Verordnung oder ePVO) ist ein Vorschlag für eine Verordnung über den Datenschutz und die elektronische Kommunikation. Die ePVO ist als Spezialgesetz innerhalb des EU-Datenschutzrechts angelegt. Der vollständige Name lautet „Verordnung des Europäischen Parlaments und des Rates über die Achtung des Privatlebens und den Schutz personenbezogener Daten in der elektronischen Kommunikation und zur Aufhebung der Richtlinie 2002/58/EG (Verordnung über den Schutz der Privatsphäre und der elektronischen Kommunikation)“.

The ePrivacy Regulation is intended to protect confidentiality and privacy in the electronic communications sector, which is governed by Article 95 of the GDPR. The ePR is intended to fill regulatory gaps and define new requirements, as the existing ePrivacy Directive has not kept pace with technological and market developments. With regard to German law, it is intended to replace the provisions on data protection in the Telemediengesetz (TMG), the Telekommunikationsgesetz (TKG), and the provisions on advertising in the Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG).

The ePR is intended to apply comprehensively since it does not only refer to the processing of personal data. The scope of the ePR would apply to any company that provides any form of online communications service, uses online tracking technologies or conducts electronic direct marketing. Data of natural and legal persons will be protected and the regulation will apply to all providers of electronic communications, regardless of the registered office of the company and regardless of whether the service is offered against payment or free of charge. The main aim is to extend the scope of data protection to so-called over-the-top providers (OTT), such as WhatsApp or Skype, "to ensure effective legal protection of privacy and communications". This is also intended to ensure uniform application and efficient protection in the context of online communication.

E-privacy or ePrivacy is the common term when it comes to handling personal data on the Internet and the associated protection of privacy.

The ePrivacy Directive has been in existence since 2002. It has been transposed into the national law of the individual EU member states and has been reflected in the Federal Republic of Germany, for example, in individual regulations in the Telemediengesetz (TMG). This directive was supplemented in 2009 by the so-called "Cookie Directive". In addition, German legislation, for example, has so far distinguished between telecommunications services and telemedia services, a distinction that in many areas is no longer up to date.

Due to poor implementation in individual member states, among other things, this directive is now to be replaced by uniform legislation directly applicable in all member states. This should also take account of technological progress since 2002 and 2009 respectively.

Scope of application

The ePrivacy Regulation was originally scheduled to enter into force on May 25, 2018 together with the GDPR, but as of today, it is more likely that the ePR will come into force in the course of 2019. The legislative process for the ePR has not yet been completed.

As an EU regulation, the ePR should apply directly in every member state of the EU and require no national implementation. Within the framework of opening clauses, national adaptations are possible in individual areas.

The legislative process for the ePR has not yet been completed, among other things because individual member states and trade associations have expressed requests for changes. The EU Commission, the EU Parliament, and the Council of the European Union still have to agree on the final content of the regulation. However, it is not yet possible to predict when this will happen.

The draft of the ePR under the Austrian Council Presidency has created a new need for discussion. Among other things, data processing for "compatible purposes" was introduced in Article 6 Para. 2a. Under this provision, communication metadata (e.g. numbers called, websites visited, geographical location, time, date, and duration of a call made by a person) can be processed for compatible purposes of the provider without the consent of the user. This extension requires a particularly critical review.

The deletion of Article 10 must also be discussed. Originally, this regulation provided for browser solutions which provide for user consent to targeting measures (such as cookies). The software had to inform the end user of the privacy settings and to require the end user to agree to the setting in order to continue the installation. This regulation had already been amended by the Council's draft of May 4, 2018, which only provided for information on privacy settings. Deleting this provision would mean that Article 23 of the draft would also have to be amended and that there would no longer be any sanctions for producers who do not comply with the obligation laid down in Article 10.

ePrivacy and GDPR

The ePrivacy Regulation is a lex specialis to the GDPR, i.e. a special law that takes precedence over the general law (the GDPR). The regulation supplements the GDPR with regard to electronic communication data. The ePR applies comprehensively as it does not only apply to the processing of personal data. It is intended to repeal the ePrivacy Directive of 2002 and is specialised for the general DSGVO. It is intended to specify and supplement these with regard to the requirements for consent to the use of cookies and opt-outs.

Rights, obligations, and impacts

  1. Encryption shall not only be ensured by the user. Providers are obliged to secure data according to the current state of the art and to protect it from unauthorized access.
  2. Spatial tracking by programs that are not actively used shall be prohibited.
  3. A detailed transparency and documentation obligation shall be introduced for prosecutors, so that providers can be obliged to disclose state inquiries.
  4. Data processing shall only be possible with the consent of the user. This is to be extended in particular to providers of online communication such as WhatsApp or Facebook Messenger.
  5. An effective protection against tracking shall be established, which shall include a comprehensive setting for deactivating tracking functions.
  6. All settings in software and devices shall be set by default to the more privacy-friendly version, the so-called "privacy-by-default" setting.

... on targeting

Should the ePR be applied unchanged, targeting would not be possible as before. The question, however, is whether there will or will no longer be any targeting under the ePR that will continue to enable digital business success.

... on tracking

The current draft provides that tracking measures should be made subject to consent. In combination with the prohibition on linking, this means that websites must function without restriction and be accessible even if users reject tracking measures.

Prohibition of coupling

The prohibition of coupling in the GDPR shall be substantiated or tightened in the regulatory area of the ePR. The current draft stipulates that it should not be permissible to make certain contents dependent on the consent to the setting of certain cookies.

A complete overview of all obligations cannot be given at this stage. However, it is clear that the draft of the ePR envisages obliging providers of communications services such as messenger services (WhatsApp, Facebook) to encrypt communications using state-of-the-art technology and thus protect them from unauthorized access. Exceptions for government agencies in the interest of national security should be possible, but these would have to be precisely documented and published in annual statistics.

In addition, the reform is intended to limit offline tracking, which currently generates motion profiles using smartphone data (e.g. in shopping centers, airports or city centers). It remains to be seen what specific obligations will be imposed on providers.


The sanctions for non-compliance amount to up to 20 million € or, in the case of a company, up to 4 % of the total worldwide annual turnover, whichever is the higher.

In order to prevent sanctions, it is advisable to develop an understanding of the matter and already identify areas of business which, according to the draft ePR, are or might become risky. Expert advice is particularly recommended. Christian Allner will be happy to answer any questions you may have about the ePrivacy Regulation.