The new EU ePrivacy Regulation & new data protection laws – What does it mean?

In addition to GDPR compliance, the protection of personal data in the realm of electronic communication services in the EU will soon be regulated by the new ePrivacy Regulation, which is expected to be adopted later this year. The regulation is designed to enhance the privacy of users of electronic communication services. Below is a snippet of the major changes that will be introduced by the new data protection laws.

From Directive to Regulation

The ePrivacy Regulation will replace the ePrivacy Directive (2002/58/EC). Unlike the Directive which required member States to pass the necessary laws in their jurisdictions to ensure that its spirit is achieved, the Regulation will in itself be enforceable across the EU.

Broader definition of an “electronic communications network”

The regulation takes into account changes in technology over the years and defines an “electronic communications network” broadly to include ancillary communications services that are premised on other networks. These include Facebook, WhatsApp, Instagram, Snapchat, Skype, Google calls etc. All these will be required to provide better privacy for their users.

GDPR Consent

The regulation will adopt the same parameters on consent in regard to the processing of personal data as provided for under the GDPR. This implies that for consent to be considered lawful, it must be freely given, specific, informed, unambiguous and explicit. Consent must also be easy to withdraw. Further, children below the age of 16 years will only be able to consent through persons in a position of parental responsibility. (Member states may reduce the age of consent to not less than 13 years, i.e. UK).


The new data protection laws will make consent unnecessary for essential cookies that are necessary for websites to operate and analytic cookies that simply measure the number of visitors to a website. However other cookies for example, those that monitor behaviour of users will require consent. That consent will have to conform to the parameters of lawful consent as explained above. The use of cookie banners on websites to solicit for consent is expected to be abandoned as the consent to cookies will be in-built in the installation of web browsers.

Direct marketing

In what would be a departure from the current PECR regime (PECR being the UK implementation of the Directive) B2B direct marketing shall need prior consent. The move will likely make it more difficult for growing business to acquire new customers. In a similar vein, all telemarketing calls share require prior consent. The user should be able to identify the number calling them or by use of a prefix to be alerted that the call is for marketing purposes. The end user must be able to call back the number where the need arises.

GDPR like Remedies

Just like the GDPR, the regulation shall require each Member State to have an independent supervisory body to ensure its enforcement. End users who suffer damage shall have a right to be compensated by the electronic communication service providers. Service providers will also be liable to pay administrative fines of up to 20 million Euros or 4% of their annual worldwide turnover for infringement of the regulation. Electronic communication service providers must therefore work closely and regularly with Data protection officers and consultants to ensure compliance with the regulation.


The type of deal upon which Britain leaves the EU will have a bearing on the ePrivacy legal regime. A “soft Brexit” would mean that any new data Protection laws including the ePrivacy Regulation may continue to have application in the UK. A “hard Brexit” would mean that the UK would have to rely on its own laws including those on data protection and Privacy and be treated as a “third country” by the EU.

As at March 2019.