February 5, 2023

Volume XIII, Number 36


The ePrivacy Regulation: The Next European Initiative in Data Protection

While many are still digesting the changes brought about by the EU General Data Protection Regulation (GDPR), a new privacy regulation is already on its way. The Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications – in short, the ePrivacy Regulation – is currently a draft under discussion (the latest version by the EU Council was published on 13 March 2019).

Relationship Between the ePrivacy Regulation and the GDPR

Unlike the GDPR, the draft ePrivacy Regulation focuses on privacy with respect to electronic communication services and on the data processed by electronic communication services. This means that in relation to such communication services, the ePrivacy Regulation provides the specific obligations that flesh out the more general provisions of the GDPR. The draft ePrivacy Regulation covers more than just data protection law; it also relates to non-personal data, such as metadata. Lastly, the draft ePrivacy Regulation contains provisions on telecommunication confidentiality.


The draft ePrivacy Regulation is meant to update and replace the current ePrivacy Directive, which, together with the GDPR, provides the current legal framework to ensure digital privacy for EU citizens. By changing from a directive to a regulation, the new rules will apply directly in all EU member states, and implementation into national laws will no longer be required. This promises a uniform set of rules in all member states. However, as the GDPR has shown, this probably sounds easier than it will be in practice.

Key Changes

In a nutshell, the main points of the draft ePrivacy Regulation include:



While the existing ePrivacy Directive applies to emails and text messages (SMS), the new ePrivacy Regulation aims to also catch data created or processed by the newest forms of electronic communication, such as machine-to-machine communication (Internet of Things), internet telephony, and internet access provider services.



The scope of the draft ePrivacy Regulation extends to more than just personal data – it covers certain non-personal data such as metadata. Not only does this further increase the compliance obligations for enterprises, it may also challenge data analytics schemes that deal with anonymized or aggregated data instead of personalized data and were developed to allow big data business models.



While many concepts of when and how data may be processed may essentially stay the same, the draft ePrivacy Regulation introduces new, additional obligations requiring enterprises to adapt their compliance systems. For example, Article 7 of the draft ePrivacy Regulation requires that enterprises delete electronic communications data after its receipt by the intended recipient. Such obligation is new in many member states and would require operators to implement certain technical measures. It also raises questions about the ability to pursue certain communications, for example in relation to illegal content.



The draft ePrivacy Regulation provides a clear, albeit more restrictive, legal framework for the use of cookies and similar tools that collect data from end-users’ equipment (e.g., mobile phones and laptops). The use of cookies will require that such cookies are necessary for the transmission or the security of the electronic communication service, or that the end-user has given consent. Previous drafts of the regulation contained several different ways in which such consent could be given. The most recent draft refers to giving consent to providers via white lists.


The new draft ePrivacy Regulation has been approved by the EU Council. After the May 2019 European Parliament elections, negotiations on the regulation between the Council and the European Parliament will start. The ePrivacy Regulation will likely not enter into force before 2021, given it covers many different subjects (i.e., metadata, cookies, and telecommunications confidentiality). 

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume IX, Number 114

About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

Willeke Kemkers IP lawyer Greenberg Traurig

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.  

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border...
