Fact-checked by Grok 2 weeks ago

ePrivacy Regulation

The ePrivacy Regulation was a proposed European Union legislative instrument, formally introduced by the European Commission on 10 January 2017 as Regulation (EU) 2017/XXX concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (ePrivacy Directive). Intended to modernize rules on confidentiality in electronic communications amid technological advancements like over-the-top services and widespread tracking, it sought to harmonize protections across member states by establishing uniform requirements for consent in accessing terminal equipment, processing metadata, and handling unsolicited communications, while aligning with the General Data Protection Regulation (GDPR). Despite initial aims to enhance user trust in digital services through stricter safeguards against unauthorized surveillance and data repurposing, the proposal encountered persistent deadlock in trilogue negotiations between the Commission, Parliament, and Council, particularly over provisions permitting scanning of encrypted communications for child sexual abuse material (CSAM) detection, which privacy advocates argued undermined end-to-end encryption without sufficient empirical justification for efficacy or proportionality. Key elements included mandatory opt-in consent for non-essential and trackers—extending beyond websites to apps and machine-to-machine communications—and prohibitions on communications without explicit user permission, except for limited or integrity purposes. The regulation would have applied directly to communications services (ECS) providers, including VoIP and messaging platforms, imposing fines up to 4% of global annual turnover for violations, akin to GDPR enforcement. Controversies arose from tensions between bolstering fundamentals, such as the inviolability of communications content and derived from first principles of informational , and demands from for access mechanisms, which empirical analyses have shown often fail to deliver promised gains while eroding causal trust in digital infrastructure. Business stakeholders, including advertisers, criticized the consent burdens as potentially stifling innovation, while empirical on compliance costs under the existing highlighted uneven transposition and enforcement across member states, exacerbating fragmentation. Progress stalled after the Council's general approach in February 2021, with no final agreement reached amid shifting political priorities. On 12 February 2025, the announced in its 2025 Work Programme the withdrawal of the proposal, citing lack of consensus and integration of core elements into other digital frameworks like the , leaving the 2002 in force despite its acknowledged inadequacies in addressing modern threats such as pervasive collection. This outcome underscores broader challenges in EU lawmaking, where source-credible assessments from bodies like the European Data Protection Supervisor have repeatedly emphasized the need for evidence-based rules prioritizing causal privacy protections over speculative interventions, yet institutional inertia and competing interests prevailed.

Historical Context

Origins in ePrivacy Directive

The , formally known as Directive 2002/58/EC, was adopted by the and the Council on 12 July 2002 to establish targeted protections for privacy and personal data in the electronic communications sector, serving as a complement to the general rules under Directive 95/46/EC. Its primary aims included safeguarding the confidentiality of communications against unauthorized interception and ensuring the security of public communications networks, while promoting the free movement of related data and services across the European Community. The directive applied specifically to the processing of personal data in publicly available electronic communications services, addressing risks from advanced digital technologies such as internet-based services that had emerged since earlier frameworks. Originating from the need to update privacy rules amid technological evolution and market liberalization in , the directive repealed and replaced the prior Directive 97/66/EC of 15 December 1997, which had proven inadequate for new digital environments. Core provisions mandated that and data be erased or anonymized after billing purposes unless users ed to retention for value-added services, and prohibited unsolicited commercial communications without prior or opt-out mechanisms. These measures sought to harmonize protections while accommodating sector-specific needs, such as network operator responsibilities for security. In response to further developments like widespread cookie usage and spam, the directive was amended by Directive 2009/136/EC, adopted on 25 November 2009 and entering into force on 26 December 2009, with key provisions applicable from 25 May 2011. The amendment introduced requirements for before storing or accessing information on users' terminal equipment (e.g., ), except for essential technical purposes, alongside data breach notification obligations for electronic communication service providers. This update aimed to enhance user rights in an era of increasing online tracking but retained the directive's transposition into national law, leading to implementation divergences across Member States. The ePrivacy Directive's framework directly informed the origins of the ePrivacy Regulation, proposed by the on 10 January 2017 (COM/2017/010 final), as its successor to address obsolescence from over-the-top (OTT) services like messaging apps and evolving technologies not fully covered by telecom-centric rules. As a directive requiring national transposition, it resulted in inconsistent application and compliance burdens, prompting the shift to a directly applicable regulation aligned with the General Data Protection Regulation (EU) 2016/679 for uniform enforcement and to close gaps in and tracking protections. Evaluations under the Regulatory Fitness and Performance Programme (REFIT) and Strategy highlighted these limitations, basing the regulation's rationale on the directive's foundational principles while expanding scope to machine-to-machine communications and challenges.

Drivers for Replacement

The (2002/58/EC), originally adopted in 2002 and amended in 2009, became increasingly obsolete as it failed to address rapid technological advancements in electronic communications, such as the rise of over-the-top (OTT) services including , applications, and web-based providers. These developments created gaps in protection for communications confidentiality, as the Directive was primarily designed for traditional "" services rather than data-rich, internet-based platforms that track user behavior and handle extensively. For instance, emerging techniques like device fingerprinting and machine-to-machine communications for the () fell outside its scope, leaving users vulnerable to unauthorized access and exploitation of sensitive information such as location data or social connections. A core driver for replacement was the Directive's status as a directive, which required into national law by EU Member States, resulting in fragmented implementation and inconsistent enforcement across borders. This divergence hindered the for electronic communications services, imposing compliance burdens on cross-border operators and creating uncertainty, particularly for smaller providers. Transitioning to a would ensure direct applicability and uniform rules EU-wide, promoting and a level playing field between traditional operators—already bound by stringent obligations—and unregulated OTT providers. Alignment with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), adopted in 2016, further necessitated reform, as the GDPR addressed general data protection but deferred to sector-specific rules like the ePrivacy framework for electronic communications confidentiality under Article 7 of the EU Charter of Fundamental Rights. The Directive's overlaps with GDPR provisions, such as security requirements, risked redundancy and conflicts, while its narrower scope left and inadequately safeguarded in modern contexts. Proponents argued that without updating to a complementary regulation, fundamental rights would erode amid pervasive tracking and data exploitation by information society services, which often bypassed consent requirements applicable to telecoms.

Proposal and Development

Commission's 2017 Initiative

The European Commission adopted its proposal for a regulation concerning the respect for private life and the protection of personal data in electronic communications on 10 January 2017, documented as COM(2017) 10 final under procedure 2017/0003(COD). This initiative sought to repeal and replace Directive 2002/58/EC (the ePrivacy Directive) with a directly applicable regulation to achieve uniform application across EU member states and address gaps arising from technological evolution, such as the rise of over-the-top (OTT) services like messaging apps. The proposal formed part of the broader Digital Single Market Strategy, aiming to foster trust in digital services by modernizing rules originally designed for traditional telephony. The primary rationale emphasized protecting the confidentiality of electronic communications content and , while extending safeguards to emerging communication forms including machine-to-machine interactions and interpersonal services beyond mere voice or . Scope covered providers of electronic communications services, publicly available directories, and software placed on the market in the , applying extraterritorially to services used by end-users located in the Union regardless of provider establishment. Objectives included simplifying compliance for businesses, enhancing user control through privacy-friendly defaults, and aligning with the GDPR's entry into force on 25 May 2018, positioning the ePrivacy rules as for sector-specific electronic communications data not fully addressed by the general data protection framework. Central provisions prohibited unauthorized access to or interference with communications data, mandating end-user for processing beyond necessities like billing, interconnection, or (Article 5 for ; Article 6 for ). For tracking technologies, including and device fingerprinting, the required prior before accessing or storing information on terminal , with exceptions for essential functionalities but innovations allowing software providers to set privacy-protective defaults and browser-based signals (Articles 8-10). mirrored GDPR mechanisms, with fines up to 4% of global annual turnover, and oversight by data protection authorities to ensure consistent application. These elements aimed to balance privacy reinforcement against the Directive's limitations in handling data-intensive digital ecosystems.

Core Objectives and Rationale

The ePrivacy Regulation proposal, presented by the European Commission on January 10, 2017, sought to establish uniform rules protecting the privacy of electronic communications across the European Union, serving as a specific complement to the General Data Protection Regulation (GDPR). Its core objectives included safeguarding the confidentiality of communications content and metadata for both traditional telecommunications providers and over-the-top (OTT) services, such as messaging apps and email, by prohibiting unauthorized access or processing without consent. The regulation aimed to extend protections to terminal equipment, regulating access to information stored on devices like cookies and trackers, with requirements for explicit user consent or other legal bases for processing. Additional goals encompassed curbing unsolicited direct marketing communications, including across machine-to-machine interactions in the Internet of Things (IoT), and ensuring a level playing field between service providers by harmonizing enforcement.608661_EN.pdf) The rationale for the proposal stemmed from the obsolescence of the 2002 (2002/58/EC), which failed to address technological evolutions like the rise of OTT platforms and data-intensive services, resulting in protection gaps and inconsistent national implementations due to its directive nature requiring transposition into member state law. These divergences undermined the internal market's efficiency and user trust, particularly as the GDPR—adopted in 2016—imposed stricter, uniform standards that the directive's framework could not seamlessly integrate, such as aligned consent mechanisms and data minimization principles. By proposing a regulation, the intended to achieve direct applicability and uniformity, closing loopholes in handling and tracking that exposed users to risks without adequate safeguards, while fostering innovation in the through clarified rules rather than fragmented compliance burdens.608661_EN.pdf) This approach prioritized empirical alignment with evolving digital realities over preserving outdated sectoral distinctions between public networks and software-based services.

Legislative Journey

Trilogues and Negotiations

Following the European Commission's proposal in January 2017, the adopted its position on the ePrivacy Regulation in October 2017, advocating for stringent protections on electronic communications and tracking technologies. The , after extended internal deliberations, endorsed its general approach on February 10, 2021, which introduced more flexibility for service providers in processing for purposes like while maintaining of communications. This alignment enabled the initiation of interinstitutional trilogues on May 20, 2021, under the Portuguese Presidency of the Council, aimed at forging a compromise text. Trilogue discussions spanned multiple informal rounds through 2021 and into 2022, focusing on reconciling divergences between the 's emphasis on user consent for any access—extending GDPR-like requirements to —and the Council's preference for targeted exceptions to support cybersecurity and fraud prevention without blanket consent mandates. Central contention arose over tracking mechanisms, including cookies and device fingerprinting, where the Parliament sought to prohibit undetectable surveillance and mandate explicit opt-in consent, while the Council proposed softer rules allowing in certain low-risk scenarios to preserve ecosystems. Negotiators also debated the regulation's scope, particularly the treatment of over-the-top (OTT) services like messaging apps, with disagreements on whether should preclude metadata processing for legitimate interests, potentially impacting service innovation. Further sticking points included unsolicited commercial communications and exemptions for , where the pushed for opt-in models aligned with priorities, contrasting the 's balanced approach incorporating needs. Despite preparatory compromises, such as draft texts circulated by successive Council presidencies, no provisional agreement emerged by mid-2022, as fundamental gaps persisted on balancing against economic . The protracted talks highlighted institutional tensions, with the viewing Council positions as overly permissive toward lobbying, while member states prioritized regulatory coherence with the GDPR without stifling growth.

Stalemate and 2025 Withdrawal

Negotiations on the ePrivacy Regulation entered a prolonged stalemate following the European Council's general approach in October 2019 and the European Parliament's first reading position in January 2020, as trilogue discussions between the EU institutions repeatedly failed to reconcile fundamental divergences on provisions such as metadata processing, tracking technologies, and exceptions for electronic communications services. Disagreements centered on balancing stringent privacy protections with industry concerns over restrictions on online advertising and data-driven business models, with the Council favoring looser rules to support competitiveness while the Parliament pushed for stronger safeguards aligned with GDPR principles. This impasse persisted through multiple informal trilogues, halting substantive progress despite ongoing technical meetings, as no consensus emerged on core elements like consent mechanisms for cookies and web tracking. The stalemate reflected broader tensions in EU digital policy, including the prioritization of emerging frameworks like the and , which addressed overlapping issues such as platform accountability and data access for AI development, reducing urgency for ePrivacy reform. advocates criticized the deadlock as yielding to from tech and advertising sectors, potentially weakening protections against surveillance capitalism, while business groups viewed the proposal's rigidity as incompatible with needs. By late 2024, with no breakthrough in sight, the signaled intent to reassess the file amid shifting legislative priorities toward economic competitiveness. On February 11, 2025, the Commission announced in its 2025 Work Programme the withdrawal of the ePrivacy Regulation proposal, citing a lack of foreseeable agreement among co-legislators and the evolution of complementary EU laws rendering the text obsolete in its current form. The formal withdrawal process, allowing six months for potential last-minute resolution, concluded without revival, effectively ending the eight-year legislative effort initiated in 2017. This decision preserves the 2002 ePrivacy Directive and its national transpositions indefinitely, maintaining fragmented implementation across member states while deferring comprehensive updates to electronic communications privacy. Critics from civil society argued the move undermines user rights in an era of pervasive data collection, whereas stakeholders in publishing and online advertising welcomed the outcome as averting overly burdensome compliance.

Proposed Provisions

Confidentiality and Metadata Rules

The proposed ePrivacy Regulation, in Article 5, mandated the confidentiality of communications , encompassing both the substantive of communications (such as messages or calls) and associated , prohibiting any —including listening, tapping, intercepting, storing, monitoring, or other forms of processing—by persons other than the end-users involved, absent explicit exceptions. This rule extended to all communications services, including traditional telephony, , , and over-the-top (OTT) platforms like messaging apps, thereby broadening protections beyond the scope of the 2002 , which primarily targeted operators. Exceptions permitted processing for the transmission of communications, technical storage strictly necessary for transmission, or with the free, informed, and revocable consent of all end-users, aligned with GDPR standards under Regulation (EU) 2016/679; additional allowances existed for or under separate legal frameworks. Metadata—defined as data processed to transmit communications, such as identifiers of source and destination, geographic location, date, time, duration, volume, and protocol type—was subject to heightened restrictions under Article 6, where processing by providers was forbidden unless essential for core functions like ensuring transmission, billing, fraud detection, or and . For non-essential uses, such as , traffic management, or value-added services, end-user consent was required, with mandatory safeguards including of metadata where feasible, erasure or anonymization immediately after the purpose was fulfilled, and retention limited to what was strictly necessary to prevent indefinite storage. Unlike the ePrivacy Directive's traffic data rules, which allowed storage for billing with user notification but lacked uniform safeguards, the Regulation imposed GDPR-equivalent proportionality and minimization principles, aiming to curb metadata's potential for pervasive while enabling legitimate provider operations. Providers were obligated to implement technical and organizational measures, such as where appropriate, to enforce by default, with violations subject to fines up to 4% of global annual turnover or €20 million, whichever was higher, as harmonized with GDPR enforcement. These provisions sought to address evolving threats from digital intermediaries but drew criticism for potentially over-regulating uses vital for service optimization, as noted in stakeholder analyses during trilogue negotiations.

Tracking and Consent Mechanisms

The proposed ePrivacy Regulation sought to regulate tracking technologies by prohibiting the storage of information or access to information already stored on an end-user's terminal equipment—encompassing devices like computers, smartphones, and connected objects—without the end-user's prior consent, unless specific exceptions applied. This provision, outlined in Article 8, extended beyond traditional cookies to include device fingerprinting, tracking pixels, and other identifiers used for online behavioral advertising or analytics, aiming to address the proliferation of invasive tracking methods that collect data across websites and apps. The rule applied to both providers of electronic communications services and third parties, ensuring that any interference with terminal equipment triggered consent obligations independent of broader data processing under the GDPR. Consent mechanisms were harmonized with the GDPR's definition under Article 4(11), requiring it to be freely given, specific, informed, and an unambiguous indication of the end-user's wishes through a statement or clear affirmative action, such as ticking a box that was not pre-selected. End-users had the right to withdraw consent at any time with the same ease as granting it, and providers were obligated to provide reminders every six months for ongoing tracking activities. Where technically feasible, consent could be expressed or refused via browser or application settings, with software providers required to offer configurable privacy options during installation, including defaults that block third-party access to terminal equipment data. This technical enforcement aimed to reduce reliance on repetitive pop-up banners, potentially integrating with mechanisms like Do Not Track signals, though implementation details were left to delegated acts by the Commission. Exceptions to the consent requirement were narrowly defined to permit only minimal intrusions essential for functionality. These included storage or access strictly necessary for the transmission of electronic communications over a network, or for providing an information society service explicitly requested by the end-user, such as maintaining a shopping basket across pages. Additional exemptions covered web audience measuring by the service provider itself (subject to anonymization and GDPR compliance), cybersecurity measures, software updates with user notification, and location data for emergency services. Non-intrusive cookies improving user experience, like those remembering language preferences without tracking, were also exempt, provided they did not enable profiling or cross-site identification. For metadata generated by tracking—such as IP addresses or timestamps—processing for non-service purposes required separate consent, reinforcing the regulation's focus on preventing unconsented surveillance via communications logs. The proposal's approach to tracking consent drew from empirical evidence of user fatigue with current cookie banners under the , which had led to low-quality, non-granular consents often invalidated by courts like the CJEU in cases such as Planet49 (C-673/17), where pre-ticked boxes were deemed insufficient. By mandating GDPR-level validity and technical defaults against tracking, the regulation intended to enhance enforceability, with national authorities empowered to impose fines up to the GDPR's maximums (4% of global turnover) for violations. However, later drafts, including versions up to 2021, expanded exceptions slightly for prevention and updates, reflecting negotiations over balancing privacy with operational needs.

Marketing and Exceptions

The proposed ePrivacy Regulation sought to prohibit the use of electronic communications services, including , , , and machine-driven calls, for sending communications to end-users without their prior . This rule applied uniformly across the , aiming to replace the varying national implementations under the ePrivacy Directive's Article 13, which had led to inconsistencies such as differing regimes. Providers were required to identify themselves clearly and provide a valid for requests in all such communications. Exceptions to the consent requirement included a "soft opt-in" mechanism, permitting marketers to contact existing customers using details obtained during a prior sale of a product or service, provided the communications offered similar products or services and the customer had been given a clear opportunity to at the time of and in each subsequent message. Member States retained flexibility to enact national exceptions for (B2B) communications, allowing unsolicited marketing where the recipient's details were from public directories or professional s, subject to rights and identification requirements. For voice-to-voice marketing calls, Member States could opt for an system instead of prior , provided recipients could publicly accessible do-not-call lists. The proposal also addressed tracking technologies used for purposes, such as or device fingerprinting for behavioral , by subjecting them to the same standards as other forms of processing or access to terminal equipment under Articles 9 and 10. Exceptions were limited to cases deemed "strictly necessary" for service provision, such as or prevention, but excluded or , requiring granular, user-friendly mechanisms like settings. Non-compliance could result in fines up to €10 million or 2% of global annual turnover, harmonized with GDPR enforcement but administered by national communications authorities. These provisions reflected the Commission's intent to curb intrusive while accommodating legitimate commercial interests, though subsequent and drafts introduced debates over broadening B2B exceptions and integrating legitimate interest grounds from GDPR.

Integration with GDPR

The proposed ePrivacy Regulation positioned itself as a complement to the General Data Protection Regulation (GDPR), functioning as lex specialis by establishing targeted rules for the confidentiality and processing of electronic communications data, including both personal and non-personal data, while deferring to the GDPR's broader framework for general personal data protection. This integration aimed to extend GDPR protections to over-the-top (OTT) services like messaging apps and machine-to-machine communications, ensuring uniform application across the EU digital single market without duplicating obligations, such as by repealing redundant security provisions from the existing ePrivacy Directive that overlapped with GDPR Article 32 requirements. Consent mechanisms under the proposal harmonized directly with GDPR definitions and standards, requiring freely given, specific, informed, and unambiguous consent for accessing terminal equipment or storing information on devices, with options for expression via browser settings and mandatory withdrawal every six months. Processing of communications content and metadata was restricted to end-to-end transmission, billing, or security purposes unless end-users consented otherwise, thereby particularizing GDPR's lawfulness bases (e.g., Article 6) for scenarios involving electronic communications metadata that qualifies as personal data. Enforcement integrated seamlessly with GDPR structures, assigning primary responsibility to national data protection authorities (DPAs) for oversight, investigations, and penalties up to €20 million or 4% of global annual turnover—mirroring GDPR fines—with the facilitating consistency across member states. The emphasized that ePrivacy rules take precedence in specialized areas like traffic data and , allowing DPAs to assess holistically under GDPR principles while applying ePrivacy-specific prohibitions where national competence permits, thus avoiding fragmented . Remedies and provisions further aligned with GDPR Articles 77–82, ensuring end-users' to judicial redress for violations in electronic communications.

Comparison to ePrivacy Directive

Structural Differences

The proposed ePrivacy Regulation differs from the (Directive 2002/58/EC, as amended by Directive 2009/136/EC) primarily in its legal form and binding nature. As a directive, the existing framework requires member states to transpose its provisions into national law, resulting in divergent implementations and enforcement across jurisdictions due to varying interpretations and additional domestic rules. In contrast, the 2017 ePrivacy Regulation proposal (COM(2017) 10 final) adopts the form of a regulation, which would be directly applicable and uniformly enforceable in all member states without transposition, aiming to eliminate fragmentation and enhance harmonization with the General Data Protection Regulation (GDPR). This shift addresses longstanding criticisms of the directive's inconsistent application, particularly in areas like cookie consent and tracking, where national variations have created compliance challenges for cross-border services. Another key structural distinction lies in the scope of application. The targets privacy in electronic communications primarily through obligations on traditional telecommunications operators, focusing on services like fixed and under a narrow definition of "publicly available electronic communications services." The Regulation proposal expands this to encompass all electronic communications service providers (ECSPs), including over-the-top (OTT) platforms such as messaging apps (e.g., ) and email services, regardless of whether they qualify as " services" under the broader framework. This broader remit also explicitly includes machine-to-machine communications and applies protections to both and non-personal data in electronic contexts, positioning the Regulation as a lex specialis that overrides general GDPR rules in specific communications scenarios without fully subsuming under it. The Regulation's structure further integrates tighter linkages to the GDPR's architecture, such as aligned definitions of , notifications, and enforcement mechanisms involving data protection authorities. Unlike the Directive's sector-specific focus enforced mainly by national telecom regulators (e.g., via bodies like the Body of European Regulators for Electronic Communications, or BEREC), the proposal envisions a more centralized oversight compatible with GDPR's one-stop-shop principle, where lead supervisory authorities handle cross-border issues. It also structures exceptions and derogations more rigidly at the EU level, reducing national flexibility compared to the Directive's allowance for member state adaptations in areas like unsolicited communications. These structural changes reflect an intent to modernize the framework for digital ecosystems dominated by non-traditional providers, though the proposal's stalled progress since 2017 trilogues has left the Directive's fragmented structure intact as of 2025.

Substantive Enhancements and Gaps

The proposed ePrivacy Regulation sought to extend the scope of protections beyond the ePrivacy Directive's focus on traditional providers and natural persons, incorporating over-the-top (OTT) services such as messaging apps like and , as well as machine-to-machine communications and legal entities like businesses. This broadening aimed to address gaps in the Directive, which predated widespread OTT adoption and primarily targeted public electronic communications networks. Additionally, the Regulation introduced explicit rules prohibiting interference with the of electronic communications content and metadata without end-user consent or narrowly defined exceptions, such as for service transmission or billing, thereby strengthening safeguards against unauthorized access compared to the Directive's more general confidentiality provisions. Further enhancements included refined consent requirements for tracking technologies, mandating prior opt-in for storing or accessing information on terminal equipment (e.g., or device fingerprinting) unless strictly necessary for delivery, with proposals for browser-based settings to simplify and reduce consent fatigue—advances over the Directive's cookie rules, which allowed greater flexibility and led to inconsistent national implementations. Metadata processing was delimited to quality-of-service optimization or with anonymization or deletion post-use, aligning more closely with GDPR standards for minimization and purpose limitation, unlike the Directive's looser framework that permitted broader retention. Rules on unsolicited communications were tightened to ban direct marketing via , , or automated calls without explicit prior , extending protections against and beyond the Directive's opt-out reliance, which proved ineffective due to enforcement variances. Despite these improvements, the Regulation exhibited gaps in balancing protections with practical application, notably its overreliance on as the primary legal basis for and tracking, excluding GDPR's legitimate interests ground and potentially hindering in service or features without viable alternatives. Ambiguities persisted in obtaining from legal entities or their employees, risking uneven application similar to Directive issues, and broad exceptions for "essential" tracking (e.g., prevention) could enable tracking walls—coercive mechanisms that the European Data Protection Supervisor (EDPS) urged to ban explicitly, as the proposal inadequately addressed them. received comparatively weaker safeguards than content, with processing thresholds lower than recommended by the EDPS for parity, potentially allowing indirect inferences of user behavior without equivalent stringency. Overall, while aiming for GDPR harmonization, the proposal offered marginal added value in some areas, overlapping heavily and failing to fully resolve Directive-era loopholes like insufficient mandates or collective redress for violations.

Reception Across Stakeholders

Privacy Advocacy Perspectives

Privacy advocacy organizations, including European Digital Rights (EDRi), have consistently supported the development of a robust to update and strengthen safeguards for the confidentiality of electronic communications, viewing it as essential to complement the General Data Protection Regulation (GDPR) by addressing sector-specific threats like unauthorized tracking and processing. In their 2017 , EDRi endorsed the European Commission's proposal for additional rules to foster trust and security in digital services, emphasizing the need for explicit protections against indiscriminate and by service providers. However, they critiqued early drafts for inadequate enforcement of high privacy standards, particularly in consent requirements for and , arguing that exemptions and vague exceptions risked perpetuating fragmented national implementations under the existing . Groups such as highlighted the regulation's potential to curb , unsolicited communications, and invasive collection, recommending that member states prioritize finalization of a general approach to avoid diluting core protections amid competing interests from industry stakeholders. In joint advocacy efforts, EDRi collaborated with entities like and to propose amendments strengthening mandates and limiting exceptions for access, underscoring that without such measures, the regulation would fail to counter evolving risks from over-the-top services and behavioral advertising. These advocates stressed that harmonized EU-wide rules were preferable to the directive's transposition variances, which have led to inconsistent enforcement and loopholes exploited by trackers. The European Data Protection Supervisor (EDPS), while institutionally aligned with advocacy goals, welcomed the 2017 proposal as a vital instrument for upholding communication secrecy but urged refinements to align rules more tightly with GDPR's principles, warning against broad derogations that could enable disproportionate . advocates expressed frustration over the regulation's protracted negotiations, which stalled progress on addressing modern challenges like machine-to-machine communications and data flows. Following the European Commission's withdrawal of the proposal on February 11, 2025, as announced in its 2025 Work Programme due to lack of foreseeable agreement among co-legislators, EDRi described the move as revealing systemic flaws in privacy lawmaking, including undue influence from business lobbies and failure to prioritize user rights over facilitation. Advocates warned that reverting to the 2002 perpetuates obsolescence, leaving users vulnerable to unaddressed tracking practices and calling for targeted reforms or alternative instruments to enforce confidentiality without further delay.

Industry and Business Critiques

Industry representatives, including BusinessEurope, have criticized the proposed ePrivacy Regulation for duplicating and contradicting provisions in the General Data Protection Regulation (GDPR), arguing that such overlaps would create legal uncertainty without enhancing privacy protections. This misalignment, they contended, would impose redundant compliance obligations on businesses already adapting to GDPR, potentially fragmenting the rather than harmonizing rules across electronic communications. Tech and associations, such as Ecommerce Europe, warned that the Parliament's 2017 report on the proposal failed to reflect business realities, risking harm to online merchants' models by mandating granular consent for non-essential and tracking technologies. They highlighted that stringent requirements could degrade through consent banners, leading to reduced site traffic and conversion rates, with European firms estimating severe revenue losses from curtailed behavioral . DIGITALEUROPE advocated for closer alignment of the ePrivacy rules with GDPR to permit legitimate processing of communication for purposes like and , critiquing the proposal's broader scope as overly prescriptive and detrimental to in connected devices and digital services. Business groups further emphasized that the regulation's inflexible framework would extend negative effects across sectors, from to , by prohibiting metadata use without explicit , thereby raising operational costs and stifling EU competitiveness against less regulated markets. Compliance burdens were a recurring concern, with analyses indicating that the proposal's emphasis on user-centric controls, such as opt-in for tracking walls, could exacerbate "" and disproportionately affect small and medium-sized enterprises unable to absorb expenses estimated in the millions for larger firms adapting similar GDPR measures. Overall, these critiques framed the regulation as prioritizing theoretical gains over practical economic viability, potentially undermining the Digital Single Market's growth objectives outlined in the 2017 proposal.

Governmental and Regulatory Views

The , representing member states' governments, adopted its general approach to the ePrivacy Regulation proposal on 10 February 2021, securing a mandate for interinstitutional negotiations focused on safeguarding the confidentiality of electronic communications content and . This stance permits processing of such data without user consent in narrowly defined cases, including network and service integrity, detection, prevention, and compliance with legal obligations like criminal prosecutions. The Council's position broadens the scope beyond the Commission's draft by applying rules to legal persons and machine-to-machine communications transmitted via publicly available networks, while introducing mechanisms to mitigate consent fatigue, such as user whitelisting of trusted providers for cookies and similar trackers. It positions the regulation as to the GDPR, aiming to harmonize protections across over-the-top services, web-based , messaging, and devices without unduly burdening innovation. The European Data Protection Supervisor (EDPS), an independent advisory body, welcomed the proposal's intent to modernize rules for electronic communications but urged enhancements in its opinion of 24 April 2017, including standalone definitions for content and metadata protections, bans on tracking walls that coerce consent, and explicit prohibitions on decrypting end-to-end encrypted communications or mandating backdoors. The EDPS stressed alignment with GDPR principles to avoid loopholes, such as restricting further to ePrivacy-specific legal bases and ensuring equivalent protections for over-the-top providers and stored data in cloud services. National data protection authorities, coordinated via the (EDPB), view the ePrivacy Regulation as essential for particularizing GDPR rules in electronic communications, providing additional safeguards like competence clarifications for supervisory tasks and powers over metadata handling. In a 19 2020 statement, the EDPB advocated for the regulation to establish clear frameworks among authorities to enforce uniformly, emphasizing its role in addressing gaps in the existing amid digital evolution. Persistent divergences—governments prioritizing practical exceptions for security and economic viability, regulators insisting on stringent, rights-based limits—contributed to stalemates, culminating in the European Commission's of the on 5 2025 under its work programme, which cited lack of foreseeable agreement and shifts toward targeted Directive amendments or alternative instruments like the .

Controversies and Debates

Encryption vs Scanning Conflicts

The ePrivacy Regulation proposal of January 10, 2017, emphasizes the confidentiality of electronic communications under Article 5, prohibiting unauthorized interference such as scanning, monitoring, or decryption of content and metadata without user consent or narrowly defined exceptions for network security or legal obligations. This framework explicitly protects end-to-end encryption (E2EE) as a core mechanism for ensuring private communications remain inaccessible to third parties, including service providers, aligning with Article 7 of the Charter of Fundamental Rights of the European Union. However, these protections have generated conflicts with parallel EU initiatives to mandate detection of child sexual abuse material (CSAM) in private messages, where scanning requirements could necessitate bypassing or undermining E2EE to access plaintext content. Proponents of detection, including law enforcement advocates, have pushed for derogations or separate regulations allowing providers to implement scanning technologies, such as scanning (CSS), which analyzes content on user devices before . The 2022 for a to prevent and combat explicitly includes detection orders under Article 50, potentially requiring E2EE services to facilitate scanning for known hashes or patterns, even if it discourages adoption of strong by creating compliance burdens or security vulnerabilities. The (EDPB) and European Data Protection Supervisor (EDPS) have warned in their July 28, 2022, joint opinion that such measures risk weakening without prohibiting it outright, as Recital 26 of the proposal implies technologies must enable detection, conflicting with ePrivacy's non-interference principle and potentially limiting rights under Articles 5(1) and 15(1) of the ePrivacy by analogy. Critics, including privacy organizations like the European Digital Rights (EDRi), argue that CSS or server-side scanning violates the essence of ePrivacy confidentiality by introducing systemic vulnerabilities, enabling false positives, and risking to other content categories beyond , as encrypted communications cannot be reliably scanned without either decrypting traffic or embedding detection flaws in endpoint software. For instance, CSS operates by matching content against databases like those from the , but studies and expert analyses indicate it compromises device integrity, as modified client software could be exploited by attackers or governments for broader surveillance, contradicting first-principles security where E2EE relies on no trusted intermediaries accessing plaintext. The has resisted mandatory scanning in ePrivacy negotiations, stalling the regulation since December 2020 amid concerns that derogations for illegal content detection—intended to extend the ePrivacy Directive's voluntary allowances—would erode trust in digital communications and expose users to risks from non-state actors. This tension has broader implications, as weakening E2EE could affect billions of users on platforms like and Signal, where global reports reached 725,000 in 2019, yet empirical evidence from voluntary scanning under existing exceptions shows limited efficacy against encrypted channels without invasive measures. Governmental views, such as those from member states favoring , prioritize detection obligations, while the EDPB recommends targeted, judicially warranted interventions over generalized scanning to preserve encryption's role in preventing unauthorized access. The unresolved debate contributed to the ePrivacy Regulation's legislative impasse, with trilogue talks halting over proportionality issues, leaving the 2002 in place but highlighting causal trade-offs: enhanced detection via scanning reduces immediate harms but erodes long-term privacy and security architectures essential for democratic societies.

Burden on Innovation and Compliance Costs

Industry representatives, including associations such as IAB Europe and DigitalEurope, have contended that the proposed ePrivacy Regulation, introduced by the European Commission on January 10, 2017, would elevate compliance costs through mandates for explicit opt-in consent before accessing user terminal equipment or processing electronic communications metadata, requiring investments in sophisticated consent interfaces and privacy-enhancing technologies. These obligations extend to non-personal data like metadata used for analytics, imposing administrative burdens such as recurring consent prompts for tools like web analytics cookies, which a 2017 economic impact assessment described as generating persistent operational expenses and legal uncertainties due to overlaps and deviations from GDPR principles. Small and medium-sized enterprises (SMEs), which often lack the resources of larger firms, would bear a disproportionate share of these costs, as fixed expenses for implementing granular mechanisms and auditing processing could strain limited budgets and divert funds from core activities. The assessment highlighted how such rules, applied to machine-to-machine communications in () devices, would complicate innovation in emerging sectors like wearables and connected vehicles by mandating user consents for routine flows essential to functionality and service optimization, potentially slowing market entry for startups. Critics, including EU member state governments, have warned that the regulation's stringent tracking and metadata provisions could undermine digital business models, particularly behavioral advertising that sustains free online content, with projections indicating contraction in the web analytics market—valued at $1.3 billion in 2015 and forecasted to reach $4.9 billion by 2022 without such constraints—due to reduced data accessibility and heightened user opt-out rates. This framework, by prioritizing consent over alternatives like legitimate interests, risks entrenching incumbents with established compliance infrastructures while impeding agile innovators, as evidenced by stalled trilogue negotiations since 2019 amid concerns over economic drag on the .

Harmonization vs National Flexibility

The ePrivacy Regulation proposal of January 10, 2017, sought to achieve full harmonization by establishing directly applicable rules across the , replacing the of 2002, which permitted member states significant flexibility in transposition and implementation. This shift aimed to eliminate fragmentation arising from divergent national laws—such as varying cookie consent requirements, spam rules, and obligations—thereby facilitating the and reducing compliance burdens for cross-border providers. Proponents, including the , argued that uniform rules would ensure equivalent protection of communications confidentiality under Article 7 of the EU Charter of Fundamental Rights while enabling free data flows, with the Regulation's lex specialis status complementing the GDPR's general framework. However, the proposal's emphasis on sparked debates over insufficient national flexibility, particularly for and needs. Article 11 permitted member states to derogate from certain obligations—such as —for proportionate reasons including , , or , but required such measures to be notified to the and justified under necessity principles akin to GDPR Article 23. Critics, including some governments, contended that these derogations were too narrowly circumscribed, potentially constraining responses to country-specific threats like or child sexual abuse material (), where broader scanning or retention mandates might be deemed essential. For instance, in March 2021, spearheaded efforts to amend the draft to exempt national security agencies from key provisions, highlighting tensions between EU-wide uniformity and sovereign prerogatives. Stakeholders diverged sharply: privacy advocates like the European Digital Rights (EDRi) group favored stricter to prevent a "" of protections undermined by national overreach, warning that excessive flexibility could erode and enable surveillance creep. Conversely, security-oriented member states and telecom operators expressed concerns that rigid EU rules might hinder innovation in threat detection or conflict with domestic laws, as evidenced by parallel proposals for temporary derogations from ePrivacy rules to enable detection in encrypted services. Industry analyses noted that while promised predictability—potentially lowering costs estimated at billions annually from Directive-induced divergences—it risked stifling tailored national adaptations, contributing to the proposal's legislative impasse. These frictions persisted through trilogue negotiations, where Council positions often pushed for expanded derogations, contrasting Parliament's emphasis on robust safeguards, ultimately leading to the Commission's withdrawal of the proposal on February 12, 2025. The debate underscored a core trade-off: harmonization's efficiency for economic integration versus the perceived need for flexibility to accommodate heterogeneous national priorities, with ongoing implications for alternatives like targeted Directive amendments under the framework.

Current Status and Implications

Post-Withdrawal Landscape

Following the European Commission's announcement on February 11, 2025, in its 2025 Work Programme, the proposed ePrivacy Regulation—intended to replace the 2002 —was formally withdrawn due to a lack of foreseeable agreement among institutions after eight years of stalled trilogue negotiations. The decision reflected broader priorities shifting toward enhancing competitiveness, fostering data access for AI development, and addressing outdated elements in the original proposal that failed to adapt to evolving technologies like and over-the-top services. This withdrawal halted ambitions for a unified, regulation-level framework that would have harmonized rules on confidential electronic communications, processing, and tracking technologies across the . The (2002/58/EC), as transposed into national laws by member states, remains the governing instrument for privacy protections in electronic communications, requiring prior consent for the storage or access of information on users' terminal equipment—such as and similar trackers—while permitting exceptions for strictly necessary functionalities like or . Enforcement continues through national data protection authorities (DPAs), with fines up to €20 million or 4% of global annual turnover under aligned GDPR mechanisms, though application varies: for instance, Belgium's DPA issued guidance in 2023 emphasizing opt-in consent for non-essential , while Germany's courts have upheld broader exceptions for analytics in certain contexts. The Directive primarily targets traditional providers but intersects with the GDPR for non- entities handling in communications, creating overlaps where the more specific Directive prevails, yet exposing gaps in coverage for modern apps like messaging services not classified as public electronic communications providers. This post-withdrawal status quo perpetuates fragmentation, as member states retain flexibility in implementation, leading to divergent rules on issues like unsolicited communications and metadata retention; for example, enforces stricter opt-in regimes for marketing emails under its CNIL oversight, contrasting with more lenient approaches in some Eastern European states. Businesses face ongoing compliance burdens, including cookie consent banners and tracking walls, amid heightened DPA scrutiny—evidenced by the DPC's 2024 investigations into ad-tech firms for Directive violations yielding multimillion-euro fines—without the anticipated regulatory modernization to streamline cross-border operations. Privacy advocates, such as the European Digital Rights (EDRi) group, have decried the withdrawal as a , arguing it entrenches an outdated framework ill-equipped for pervasive data collection in environments, potentially undermining user protections against surveillance capitalism. In the broader digital ecosystem, the Directive's persistence complements emerging rules like the , which imposes transparency on recommender systems but defers to ePrivacy for terminal equipment access, while the Data Act's 2025 applicability introduces obligations that indirectly affect communications without supplanting core requirements. National courts and DPAs continue adjudicating disputes, with a 2025 ruling clarifying that the Directive's scope extends to IP addresses in tracking scenarios, reinforcing its relevance despite criticisms of technological obsolescence. Overall, the landscape underscores a reliance on directive-level flexibility amid calls from industry for targeted amendments to reduce administrative costs estimated at €2-5 billion annually EU-wide for compliance, though no comprehensive overhaul has materialized by late 2025.

Targeted Directive Reforms and Alternatives

Following the European Commission's withdrawal of the ePrivacy Regulation proposal on February 12, 2025, as announced in its 2025 Work Programme, attention shifted to targeted amendments of the existing ePrivacy Directive (Directive 2002/58/EC). The Directive, originally implemented in July 2002, governs privacy in electronic communications, including rules on cookies, unsolicited communications, and confidentiality of communications, but has been criticized for outdated provisions that fail to address modern technologies like over-the-top services and machine-to-machine communications. This pivot aims to modernize specific elements without the full harmonization of a regulation, preserving national transposition flexibility while aligning with the General Data Protection Regulation (GDPR). Proposed reforms focus on narrow updates, such as refining consent mechanisms to reduce user friction and improve compliance, including clearer opt-in requirements and restrictions on manipulative designs. The initiated a consultation on digital simplification in September 2025, incorporating the alongside the AI Act, to identify "outdated rules" for targeted revisions that harmonize terminology with GDPR (e.g., definitions of "" and "") and adjust sector-specific exemptions. Denmark's , in a non-paper dated July 4, 2025, advocated for such a revision to streamline enforcement and reduce administrative burdens, emphasizing empirical alignment with GDPR's data minimization principles over broad regulatory overhauls. Alternatives to comprehensive Directive amendments include partial integration of ePrivacy rules into the GDPR framework, as suggested in prior analyses, to avoid dual regimes, though this risks diluting sector-specific protections for electronic communications. Industry stakeholders have pushed for reforms prioritizing innovation, such as exempting non-personal from strict rules, citing evidence from studies showing the Directive's current imposes disproportionate burdens on small firms (estimated at €2-5 billion annually EU-wide pre-GDPR ). advocates, however, argue that targeted changes insufficiently address scanning conflicts, warning that without regulation-level enforcement, national divergences could undermine user trust, as evidenced by varying rejection rates across member states (e.g., 10-30% variance in 2024 enforcement data). These reforms remain in consultative stages as of October , with no binding timeline, reflecting a pragmatic response to trilogue deadlocks driven by debates and competitiveness priorities.

References

  1. [1]
    Proposal for an ePrivacy Regulation | Shaping Europe's digital future
    The European Commission's proposal for a Regulation on ePrivacy aims at reinforcing trust and security in the digital world.
  2. [2]
    EUR-Lex - 52017PC0010 - EN - EUR-Lex
    Summary of each segment:
  3. [3]
    Council of the EU Adopts Its Text on the ePrivacy Regulation
    Mar 5, 2021 · The new ePrivacy Regulation will directly regulate telecom operators, providers of voice over IP, messaging and web-based email services, as ...
  4. [4]
    ePrivacy Regulation - IAB Europe
    IAB Europe released its first position paper on the proposal for an ePrivacy Regulation on 13 July 2017 and its latest in April 2021. As a matter of EU law, ...
  5. [5]
    The urgent case for a new ePrivacy law
    Oct 19, 2018 · A swarm of misinformation and misunderstanding surrounds the case for revising our rules on the confidentiality of electronic communications ...Missing: key | Show results with:key
  6. [6]
    [PDF] Review of the ePrivacy Directive - European Parliament
    Jan 10, 2017 · 35 In particular, some of the key provisions of the directive have not been fully effective in delivering the intended levels of ...Missing: controversies | Show results with:controversies
  7. [7]
    The European ePrivacy Regulation
    11 February 2025 - The European Commission Withdraws the ePrivacy Regulation. · 10 February 2021 - Council agrees its position on ePrivacy rules.Eprivacy Regulation Links · Eprivacy Regulation Training
  8. [8]
    ePrivacy Newsletter February 2025 - CMS LawNow
    Feb 14, 2025 · The EU's plan to introduce the ePrivacy Regulation has failed. On 12 February 2025, the European Commission presented its 2025 work programme.<|separator|>
  9. [9]
    ePrivacy Directive - European Data Protection Supervisor
    The ePrivacy Directive is a legal instrument for privacy in the digital age, specifically regarding communication confidentiality and tracking/monitoring rules.
  10. [10]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058
  11. [11]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31997L0066
  12. [12]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52017SC0003
  13. [13]
    Next-gen privacy: Examining the EU's ePrivacy Regulation - IAPP
    Feb 17, 2021 · Just as the EU General Data Protection Regulation replaced Directive 95/46/EC, the ePrivacy Regulation will soon replace the ePrivacy Directive, ...<|control11|><|separator|>
  14. [14]
    Legislative train: the e-Privacy regulation - European Parliament
    A proposal for a regulation on the respect for private life and the protection of personal data in electronic communications
  15. [15]
    EU trilogue on ePrivacy regulation kicks off - PONT Data&Privacy
    The 'Trilogue' negotiations on the ePrivacy Regulation started yesterday (May 20). So reports the President of the Council of the European Union (Portugal).
  16. [16]
    EU: The ePrivacy Regulation - Let the trilogue begin! - Linklaters
    Feb 12, 2021 · The ePrivacy Regulation was first proposed by the EU Commission in January 2017, and the EU Parliament quickly adopted an opinion on it in July ...Missing: origins | Show results with:origins
  17. [17]
    E-Privacy Regulation: EU Council Finally Adopts Its Position, and ...
    Apr 1, 2021 · Like the GDPR, the draft text of the ePrivacy Regulation proposes a transition period of two years, starting twenty days after the ePrivacy ...
  18. [18]
    ePrivacy Regulation Trilogue Negotiations Pushed back to Fall 2018
    Jan 11, 2018 · The purpose of trilogue negotiations will be for the three European institutions to agree on a finalized text that can be passed by the European ...
  19. [19]
    EU ePrivacy Regulation takes a big leap forward to adoption
    Feb 10, 2021 · The process now is that the ePrivacy Regulation will be negotiated in trilogue negotiations between the Council of the EU and the European ...
  20. [20]
    [PDF] ePrivacy Regulation – chronological overview - CMS law
    Oct 19, 2022 · Regulation. (open). Trilogue negotiations start. Draft by Council of the EU. Draft by Portuguese. Council Presidency. 2022/2023. Ongoing ...
  21. [21]
    The EU's Work Programme 2025 – ePrivacy Reg and AI Liability ...
    May 9, 2025 · The 2025 Work Programme has dropped the ePrivacy Regulation and AI Liability Directive due to a lack of agreement and evolving legislation.Missing: stalemate | Show results with:stalemate
  22. [22]
    EU abandons ePrivacy, AI liability reforms as bloc shifts focus to AI ...
    Feb 12, 2025 · EU abandons ePrivacy, AI liability reforms as bloc shifts focus to AI competitiveness · The glaring security risks with AI browser agents.
  23. [23]
    Publishers, platforms, advertisers to see EU e-Privacy bill pulled ...
    (February 5, 2025, 9:16 PM GMT) -- Publishers, platforms and online advertisers are set to see the EU e-Privacy Regulation proposal killed off by the European ...
  24. [24]
    Long awaited ePrivacy Regulation is finally.... Dead - Lewis Silkin LLP
    Feb 19, 2025 · The ePrivacy Regulation's fate is sealed, as the European Commission withdrew it in its work programme for 2025, noting that there is no foreseeable agreement.
  25. [25]
    ePrivacy Regulation, but the fight for your privacy is far from over
    Feb 19, 2025 · This was the problem with the now cancelled Data Retention Directive, which weakened the privacy rights guaranteed by the ePrivacy Directive.
  26. [26]
    European Commission Withdraws ePrivacy Regulation and AI ...
    Feb 14, 2025 · The European Commission announced that it plans to withdraw its proposals for a new ePrivacy Regulation (aimed at replacing the current ePrivacy Directive) and ...
  27. [27]
    The European ePrivacy Regulation - Links
    On February 11, 2025, the European Commission disclosed in the "2025 Work Programme" that it will withdraw the proposal for a new ePrivacy Regulation (replacing ...
  28. [28]
    ePrivacy Regulation and AI Liability Directive - Arthur Cox
    The European Commission published its 2025 work programme and announced plans to withdraw several legislative proposals, including the ePrivacy Regulation ...
  29. [29]
    The ePrivacy Directive And The Future of EU Data Privacy - Cookiebot
    Apr 17, 2025 · The ePrivacy Regulation proposal was withdrawn in February 2025. It will not be coming into effect and has not been explicitly replaced by ...
  30. [30]
    [PDF] EUROPEAN COMMISSION Brussels, 10.1.2017 COM(2017) 10 final ...
    Jan 10, 2017 · This proposal reviews the ePrivacy Directive, foreseeing in the DSM Strategy objectives and ensuring consistency with the GDPR. The ePrivacy ...
  31. [31]
    Council of the EU Released a (New) Draft of the ePrivacy Regulation
    Jan 6, 2021 · The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices.
  32. [32]
    Status Update on the EU e-Privacy Regulation Proposal Discussions
    Sep 1, 2017 · The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet.Missing: details | Show results with:details<|separator|>
  33. [33]
    https://curia.europa.eu/juris/document/document.jsf?text=&docid=219836&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=149614
  34. [34]
    Article 8 ePrivacy Regulation -Protection of end-users' terminal ...
    Art. 8 Sec. 2 ePrivacy Regulation restricts third-party-collection of information that is emitted by terminal equipment while trying to connect to networks or ...
  35. [35]
    [PDF] Opinion 5/2019 on the interplay between the ePrivacy Directive and ...
    Mar 12, 2019 · The ePrivacy Directive particularises and complements the GDPR and moreover refers to the latter's provisions on judicial remedies ...
  36. [36]
    Overview of Privacy & Data Protection Laws: Europe
    The ePrivacy Directive refers to Directive 2002/58/EC on Privacy and Electronic Communications, as amended by Directive 2009/136/EC. The ePrivacy Directive ...
  37. [37]
    [PDF] EDPS Opinion on the Proposal for a Regulation on Privacy and ...
    Apr 24, 2017 · The EDPS welcomes the intention to define the material scope of the ePrivacy Regulation based on its objective to ensure consistent and ...
  38. [38]
    EU Law | ePrivacy Regulation | Data Protection - Secure Privacy
    Nov 4, 2021 · Compared to the pre-existing ePrivacy Directive, which was commonly described as the 'Cookie Law,' the ePrivacy Regulation has a wider scope.
  39. [39]
    ePrivacy Regulation vs GDPR: 4 Key Differences - Secure Privacy
    May 12, 2021 · 1. Legal Basis. One of the core differences in the ePrivacy v GDPR discussion is the legal contexts of both regulations. · 2. Scope. If the ...
  40. [40]
    ePrivacy Regulation: What Is It & How Does It Affect Cookies?
    Jun 2, 2025 · The ePrivacy Regulation will set data protection standards for all electronic communications such as text messages, emails, WhatsApp messages, and any other ...
  41. [41]
    [PDF] EPR vis-à-vis GDPR A comparative analysis of the ePrivacy ...
    Jul 19, 2018 · On 10 January 2017, the Commission adopted its proposal for a new ePrivacy. Regulation1 (“ePR”) to replace the existing Directive 2002/58/EC ...
  42. [42]
    [PDF] EDRi's position on the proposal of an e-Privacy Regulation
    Mar 9, 2017 · eDri agrees with the commission that additional rules are necessary to ensure trust in and the security of all types of electronic and digital ...
  43. [43]
    The top five contested issues in the EU's developing ePrivacy ... - IAPP
    Jan 3, 2018 · The EC first addressed the need to update the ePrivacy Directive in 2015, and on January 10, 2017, adopted aproposal for an ePrivacy Regulation ...Missing: drivers | Show results with:drivers
  44. [44]
    Between Scylla and Charybdis – the fate of the e-privacy regulation
    Jun 4, 2018 · Privacy International recommends that governments steer clear of Scylla and Charybdis by: Finalise their 'General Approach' so that ...
  45. [45]
    [PDF] Proposal for a Regulation of the European Parliament ... - Access Now
    The following organisations also provided inputs to the proposed amendments and expressed support: EDRi, IT-Pol, and Privacy International. ... with the existing ...
  46. [46]
    Modernised ePrivacy legislation must protect fundamental rights
    Apr 24, 2024 · If the EU aims to enhance fundamental freedoms and ensure a functional Digital Single Market, updating the ePrivacy Directive is imperative.Missing: perspectives | Show results with:perspectives
  47. [47]
    The digital single market: mid-term review - BusinessEurope
    May 4, 2017 · The recently proposed ePrivacy Regulation will duplicate and contradict the General Data Protection Regulation (GDPR) and will not enhance ...Missing: critique | Show results with:critique
  48. [48]
    Business and Tech Groups Call For More Review of ePrivacy ...
    May 31, 2018 · The considerable negative impact of an inflexible ePR will extend to all sectors of the EU digital economy – from digital media to connected ...Missing: critiques | Show results with:critiques
  49. [49]
    European Parliament's Report on ePrivacy not in line with business ...
    Oct 19, 2017 · The Report may negatively impact European online merchants' business models and consumers' online shopping experience significantly.Missing: critique | Show results with:critique
  50. [50]
    European media companies warn ePrivacy law proposals ... - Digiday
    Mar 7, 2018 · European media companies are mad about the current version of the ePrivacy Regulation, which would block the use of cookies without consumer ...Missing: critique | Show results with:critique
  51. [51]
    [PDF] DIGITALEUROPE's consolidated position on ePrivacy Regulation
    Feb 5, 2018 · DIGITALEUROPE supports bringing the ePR legislation in line with the GDPR so as to allow for further processing of electronic communication data ...
  52. [52]
    What will Europe's e-privacy regulation mean for your business?
    Sep 27, 2019 · The new ePrivacy Regulation will repeal and replace the EU's current e-privacy directive (exhibit). The new provisions will cover electronic- ...Missing: critiques | Show results with:critiques
  53. [53]
    Council agrees its position on ePrivacy rules - consilium.europa.eu
    Feb 10, 2021 · Member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic ...
  54. [54]
    [PDF] Statement on the ePrivacy Regulation and the future role of ...
    Nov 19, 2020 · The EDPB recalls that the scope of the proposed Regulation aims at ensuring its uniform application across every Member State and every type ...
  55. [55]
    Confidentiality of electronic communications
    Electronic communications data shall be confidential. Any interference with electronic communications data, including listening, tapping, storing, ...
  56. [56]
    The Encryption Debate in the European Union: 2021 Update
    Mar 31, 2021 · The encryption debate in the European Union (EU) continues to evolve, with new drivers, stronger tools, and increasingly higher stakes.
  57. [57]
    The EU Wants Big Tech to Scan Your Private Chats for Child Abuse
    May 11, 2022 · Europe's proposed child protection laws could undermine end-to-end encryption for billions of people.Missing: conflicts | Show results with:conflicts
  58. [58]
    [PDF] EDPB-EDPS Joint Opinion 04/2022 on the Proposal for a ...
    Jul 28, 2022 · Regulation should be interpreted as prohibiting or weakening encryption. ... ePrivacy Directive and its proposed revision currently in ...
  59. [59]
    [PDF] Scanning private communications in the EU
    Feb 9, 2022 · CSAM must, therefore, respect encryption as a vital security measure and refrain from undermining its development, availability or use in ...
  60. [60]
    Why client-side scanning isn't the answer - Proton
    Jan 10, 2023 · Authorities claim that client-side scanning is an alternative to encryption backdoors. In reality, it could be even worse for your privacy.<|separator|>
  61. [61]
    [PDF] Study on the Impact of the Proposed ePrivacy Regulation
    Oct 19, 2017 · Executive Summary. General effects of the ePR. 1. The ePR and the GDPR overlap substantially. In many cases, the ePR rules deviate from the.
  62. [62]
    https://www.wiseguyreports.com/reports/1184370-web-analytics-global-market-outlook-2016-2022
  63. [63]
    temporary derogation - Carriages preview | Legislative Train Schedule
    Proposal for a Regulation on a temporary derogation from certain provisions of the e-Privacy Directive for the purpose of combating child sexual abuse online.
  64. [64]
    ePrivacy Regulation - Wikipedia
    The history of the regulation goes back to January 2017 when the European Commission proposed the ePrivacy Regulation. ... The intention was that it would sit ...
  65. [65]
    https://www.lexisnexis.co.uk/legal/guidance/eu-eprivacy-regulation-tracker
  66. [66]
    EU ePrivacy Directive—tracker | Legal Guidance - LexisNexis
    It covers critical aspects such as confidentiality of communications, data retention, and rules on unsolicited communications, including direct marketing. By ...
  67. [67]
    EU Cookie Consent: What's Changing and How to Stay Ahead
    May 15, 2025 · Under the ePrivacy Directive: You must obtain prior consent before deploying non-essential cookies or other trackers. Under the GDPR: That ...
  68. [68]
    Data Protection Laws and Regulations The Rapid Evolution of Data ...
    Jul 21, 2025 · The Data Act entered into force on 11 January 2024 and, following a 20-month grace period, will be applicable from September 2025. On the topic ...Missing: post- | Show results with:post-
  69. [69]
    https://eprivacycompany.com/the-current-status-of-the-eprivacy-regulation-what-you-need-to-know/
  70. [70]
    The Status of the ePrivacy Regulation - E-Privacy Company
    Oct 17, 2025 · The ePrivacy Regulation status remains uncertain: the long-awaited proposal has been officially withdrawn, leaving the older ePrivacy Directive ...
  71. [71]
    EU Commission Withdraws e-Privacy Regulation Proposal
    On 12 February 2025, the European Commission officially withdrew its proposal for a new E-Privacy Regulation, concluding years of debate over new rules on ...<|separator|>
  72. [72]
    AI Act, ePrivacy Directive included in European Commission's ... - IAPP
    Sep 16, 2025 · The European Commission has its sights set on easing certain digital regulatory burdens on businesses, and the landmark Artificial Intelligence ...
  73. [73]
    Denmark Proposes GDPR and ePrivacy Directive Revision
    Jul 14, 2025 · On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive.
  74. [74]
    GDPR Cookie Consent Requirements for 2025: What's Changed
    Jun 23, 2025 · The European Commission's formal withdrawal of the long-awaited ePrivacy Regulation in February 2025 means the existing ePrivacy Directive ...<|control11|><|separator|>
  75. [75]
    EU Seeks Feedback on Proposed Digital Package To Simplify and ...
    Sep 19, 2025 · The review will likely align terminology with existing EU law, adjust for sector-specific rules, and introduce targeted reforms. Cookies and ...Missing: alternatives | Show results with:alternatives
  76. [76]
    [PDF] Reform of the e-Privacy Directive - European Parliament
    The main objectives of the review are: enhancing security and communications confidentiality; defining clearer rules on tracking technologies such as cookies; ...Missing: controversies | Show results with:controversies
  77. [77]
    Study of proposal for an ePrivacy Regulation - DigitalEurope
    Nov 25, 2019 · On 10 January 2017, the European Commission issued a proposal for a new ePrivacy Regulation (ePR) triggering a legislative process that is ...
  78. [78]
    A view from Brussels: What's the word on the GDPR and e-privacy
    Oct 2, 2025 · Following the February announcement that the proposal for a Regulation on ePrivacy would be withdrawn after years of deadlock, the debate ...