The e-privacy regulation proposal: a new data-protection framework for electronic communications

On 10 January 2017, the European Commission presented a proposal for a Regulation on Privacy and Electronic Communications, repealing Directive 2002/58/EC on e-privacy, revised in 2009. The proposal aims to achieve the establishment of a new data-protection legal framework by complementing and particularizing the General Data Protection Regulation (GDPR) 2016/679 in regard to electronic communications data.

The legal instrument chosen is a regulation that will be self-executing and legally binding in all Member States. This will offer the benefit of legal certainty and uniformity of the rules to foster a digital single market.

The e-privacy proposal takes account of the important technological and economic development in the sector of electronic communications and will modernize existing principles according to the new practices. It aims to promote a high level of protection of confidentiality in communications regardless of the technology used.

The proposal is currently going through the European Union (EU) legislative process. Both the Article 29 Working Party (WP29) and the European Data Protection Supervisor (EDPS) released their opinions, in April of this year, as well as the European Economic and Social Committee (EESC), in July. On 26 October 2017, the European Parliament has voted in favor of the amendments proposed by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) in plenary session. The next step in the process toward the new e-privacy regulation is the discussion among Member States in the Council of the European Union.

The European Commission’s original intention was to make the e-privacy regulation applicable starting 25 May 2018, in line with the GDPR. As a result of the complicated admission process and from the controversial discussions, it is unlikely that the regulation will be adopted soon enough. In addition, the EU Parliament proposes a one-year period of transition between the entry into force of the regulation and its application.

Even if the final text is not yet adopted, it is recommended for organizations to keep in mind the upcoming e-privacy regulation and to anticipate some important elements in their GDPR strategy.

To read more, this piece was originally published on

EY Legal Services Contacts:


Fabrice Naftalski – Global Data Privacy Law Leader