from Wikipedia

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)." It would repeal the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive) and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

The history of the regulation goes back to January 2017 when the European Commission proposed the ePrivacy Regulation.[1] The intention was that it would sit alongside the EU GDPR (General Data Protection Regulation) when it was introduced on 25 May 2018.[1] The scope is still under discussion.[2] According to some proposals, it would apply to any business that processes data in relation to any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing.[3]

The proposed penalties for noncompliance would be up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover, whichever is higher.[4] The ePrivacy Regulation was originally intended to come into effect on 25 May 2018, together with the GDPR, but has still not been adopted.

Difference between Regulation and Directive

The (new) ePrivacy Regulation will repeal the (current) ePrivacy Directive.

In contrast to an EU Directive, an EU Regulation is a legal act of the European Union that becomes immediately effective as law in all member states simultaneously.

The current ePrivacy Directive is a legal act of the European Union that requires member states to achieve a particular result without dictating the means of achieving that result. It has therefore been implemented through national laws and regulations. If the proposed ePrivacy Regulation became effective, these national laws would be superseded and would (for reasons of clarity) likely be repealed. The ePrivacy Regulation would be self-executing and would not require many implementing measures.

Key points of Commission's proposal

According to the EU Commission, the proposal includes the following key changes:[3]

  • New players: Privacy rules will also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype. That will ensure that the popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
  • Stronger rules: All people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: Privacy is guaranteed for communications metadata such as the time and location of a call. Metadata have a high privacy component and must be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
  • New business opportunities: Once consent is given for communications data (content and/or metadata) to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals, which could help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (like to remember shopping cart history) or cookies used by a website to count the number of visitors.
  • Protection against spam: The proposal bans unsolicited electronic communications by email, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.

Reception

In February 2021, the German Federal Commissioner for Data Protection and Freedom of Information saw multiple red lines being crossed. Data retention had again become part of the proposal, despite the fact that it had been ruled unlawful by many courts. The provisions concerning the Internet constituted a step back in that cookie walls would again be allowed. Important consumer rights such as the "right to object" and the "data protection impact assessment" would be voided. Personal data could be processed for purposes different from the original ones without the person's consent. The "pay or allow yourself to be tracked" choice for access to a website would henceforth be permitted. The directive of 2001 provided in its Article 15(1) that data might be retained for an important public interest. Article 17a of the proposal no longer contains such a reference to the public interest.[5][6][7][8]

In March 2021, France was reported to be leading an effort to modify the ePrivacy initiative to exempt national security agencies from some provisions.[9]

On July 6, 2021, the European Parliament approved a derogation to the ePrivacy regulation that allows providers of electronic communication services to scan and report private online messages containing material depicting child sex abuse, and allows companies to apply approved technologies to detect grooming techniques.[10]

Three-way negotiations are currently underway between the EU Commission, the Parliament and the Council of the European Union to reach agreement on the final text of the regulation.[11] It is expected to be finalized and come into effect in 2024.[12]

from Grokipedia
The ePrivacy Regulation was a proposed European Union legislative instrument, formally introduced by the European Commission on 10 January 2017 as Regulation (EU) 2017/XXX concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (ePrivacy Directive). Intended to modernize rules on confidentiality in electronic communications amid technological advancements like over-the-top services and widespread tracking, it sought to harmonize protections across member states by establishing uniform requirements for consent in accessing terminal equipment, processing metadata, and handling unsolicited communications, while aligning with the General Data Protection Regulation (GDPR). Despite initial aims to enhance user trust in digital services through stricter safeguards against unauthorized surveillance and data repurposing, the proposal encountered persistent deadlock in trilogue negotiations between the Commission, Parliament, and Council, particularly over provisions permitting scanning of encrypted communications for child sexual abuse material (CSAM) detection, which privacy advocates argued undermined end-to-end encryption without sufficient empirical justification for efficacy or proportionality. Key elements included mandatory opt-in consent for non-essential cookies and trackers (extending beyond websites to apps and machine-to-machine communications) and prohibitions on unsolicited electronic communications without explicit user permission, except for limited or network integrity purposes. The regulation would have applied directly to electronic communications services (ECS) providers, including VoIP and messaging platforms, imposing fines of up to 4% of global annual turnover for violations, akin to GDPR enforcement.
Controversies arose from tensions between bolstering fundamentals, such as the inviolability of communications content and metadata derived from first principles of informational , and demands from for access mechanisms, which empirical analyses have shown often fail to deliver promised gains while eroding trust in digital infrastructure. Business stakeholders, including advertisers, criticized the consent burdens as potentially stifling innovation, while empirical analyses of compliance costs under the existing Directive highlighted uneven transposition and enforcement across member states, exacerbating fragmentation. Progress stalled after the Council's general approach in February 2021, with no final agreement reached amid shifting political priorities. On 12 February 2025, the Commission announced in its 2025 Work Programme the withdrawal of the proposal, citing lack of consensus and integration of core elements into other digital frameworks like the , leaving the 2002 ePrivacy Directive in force despite its acknowledged inadequacies in addressing modern threats such as pervasive metadata collection. This outcome underscores broader challenges in EU lawmaking, where assessments from bodies like the European Data Protection Supervisor have repeatedly emphasized the need for evidence-based rules prioritizing concrete privacy protections over speculative interventions, yet institutional inertia and competing interests prevailed.

Historical Context

Origins in ePrivacy Directive

The ePrivacy Directive, formally known as Directive 2002/58/EC, was adopted by the European Parliament and the Council on 12 July 2002 to establish targeted protections for privacy and personal data in the electronic communications sector, serving as a complement to the general rules under Directive 95/46/EC. Its primary aims included safeguarding the confidentiality of communications against unauthorized interception and ensuring the security of public communications networks, while promoting the free movement of related data and services across the European Community. The directive applied specifically to the processing of personal data in publicly available electronic communications services, addressing risks from advanced digital technologies such as internet-based services that had emerged since earlier frameworks. Originating from the need to update privacy rules amid technological evolution and market liberalization, the directive repealed and replaced the prior Directive 97/66/EC of 15 December 1997, which had proven inadequate for new digital environments. Core provisions mandated that traffic and location data be erased or anonymized once no longer needed for billing, unless users consented to retention for value-added services, and prohibited unsolicited commercial communications without prior consent or opt-out mechanisms. These measures sought to harmonize protections while accommodating sector-specific needs, such as network operators' responsibilities for security. In response to further developments like widespread cookie usage and spam, the directive was amended by Directive 2009/136/EC, adopted on 25 November 2009 and entering into force on 26 December 2009, with key provisions applicable from 25 May 2011. The amendment introduced requirements for consent before storing or accessing information on users' terminal equipment (e.g., cookies), except for essential technical purposes, alongside data breach notification obligations for electronic communication service providers.
This update aimed to enhance user rights in an era of increasing online tracking but retained the directive's transposition into national law, leading to implementation divergences across Member States. The ePrivacy Directive's framework directly informed the origins of the ePrivacy Regulation, proposed by the European Commission on 10 January 2017 (COM/2017/010 final), as its successor to address obsolescence from over-the-top (OTT) services like messaging apps and evolving technologies not fully covered by telecom-centric rules. As a directive requiring national transposition, it resulted in inconsistent application and compliance burdens, prompting the shift to a directly applicable regulation aligned with the General Data Protection Regulation (EU) 2016/679 for uniform enforcement and to close gaps in metadata and tracking protections. Evaluations under the Regulatory Fitness and Performance Programme (REFIT) and the Digital Single Market Strategy highlighted these limitations, basing the regulation's rationale on the directive's foundational principles while expanding its scope to machine-to-machine communications and related challenges.

Drivers for Replacement

The ePrivacy Directive (2002/58/EC), originally adopted in 2002 and amended in 2009, became increasingly obsolete as it failed to address rapid technological advancements in electronic communications, such as the rise of over-the-top (OTT) services including VoIP, messaging applications, and web-based providers. These developments created gaps in protection for communications confidentiality, as the Directive was primarily designed for traditional telecoms services rather than data-rich, internet-based platforms that track user behavior and handle metadata extensively. For instance, emerging techniques like device fingerprinting and machine-to-machine communications for the Internet of Things (IoT) fell outside its scope, leaving users vulnerable to unauthorized access and exploitation of sensitive information such as location data or social connections. A core driver for replacement was the instrument's status as a directive, which required transposition into national law by EU Member States, resulting in fragmented implementation and inconsistent enforcement across borders. This divergence hindered the internal market for electronic communications services, imposing compliance burdens on cross-border operators and creating uncertainty, particularly for smaller providers. Transitioning to a regulation would ensure direct applicability and uniform rules EU-wide, promoting a level playing field between traditional telecom operators, already bound by stringent obligations, and unregulated OTT providers. Alignment with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), adopted in 2016, further necessitated reform, as the GDPR addressed general data protection but deferred to sector-specific rules like the ePrivacy framework for electronic communications confidentiality under Article 7 of the EU Charter of Fundamental Rights. The Directive's overlaps with GDPR provisions, such as security requirements, risked redundancy and conflicts, while its narrower scope left metadata and tracking inadequately safeguarded in modern contexts.
Proponents argued that without updating to a complementary regulation, fundamental rights would erode amid pervasive tracking and data exploitation by information society services, which often bypassed consent requirements applicable to telecoms.

Proposal and Development

Commission's 2017 Initiative

The European Commission adopted its proposal for a regulation concerning the respect for private life and the protection of personal data in electronic communications on 10 January 2017, documented as COM(2017) 10 final under procedure 2017/0003(COD). This initiative sought to repeal and replace Directive 2002/58/EC (the ePrivacy Directive) with a directly applicable regulation to achieve uniform application across EU member states and address gaps arising from technological evolution, such as the rise of over-the-top (OTT) services like messaging apps. The proposal formed part of the broader Digital Single Market Strategy, aiming to foster trust in digital services by modernizing rules originally designed for traditional telephony. The primary rationale emphasized protecting the confidentiality of electronic communications content and metadata, while extending safeguards to emerging communication forms including machine-to-machine interactions and interpersonal services beyond traditional telephony. Its scope covered providers of electronic communications services, publicly available directories, and software placed on the market in the Union, applying extraterritorially to services used by end-users located in the Union regardless of where the provider was established. Objectives included simplifying compliance for businesses, enhancing user control through privacy-friendly defaults, and aligning with the GDPR's entry into force on 25 May 2018, positioning the ePrivacy rules as lex specialis for sector-specific electronic communications data not fully addressed by the general data protection framework. Central provisions prohibited unauthorized access to or interference with communications data, mandating end-user consent for processing metadata beyond necessities like billing, interconnection, or security (Article 5 for content; Article 6 for metadata).
For tracking technologies, including cookies and device fingerprinting, the proposal required prior consent before accessing or storing information on terminal equipment, with exceptions for essential functionalities, and introduced innovations allowing software providers to set privacy-protective defaults and browser-based consent signals (Articles 8-10). Enforcement mirrored GDPR mechanisms, with fines of up to 4% of global annual turnover and oversight by data protection authorities to ensure consistent application. These elements aimed to balance reinforced privacy against the Directive's limitations in handling data-intensive digital ecosystems.

Core Objectives and Rationale

The ePrivacy Regulation proposal, presented by the European Commission on January 10, 2017, sought to establish uniform rules protecting the privacy of electronic communications across the European Union, serving as a specific complement to the General Data Protection Regulation (GDPR). Its core objectives included safeguarding the confidentiality of communications content and metadata for both traditional telecommunications providers and over-the-top (OTT) services, such as messaging apps and email, by prohibiting unauthorized access or processing without consent. The regulation aimed to extend protections to terminal equipment, regulating access to information stored on devices by cookies and trackers, with requirements for explicit user consent or other legal bases for processing. Additional goals encompassed curbing unsolicited direct marketing communications, including across machine-to-machine interactions in the Internet of Things (IoT), and ensuring a level playing field between service providers by harmonizing enforcement. The rationale for the proposal stemmed from the obsolescence of the 2002 ePrivacy Directive (2002/58/EC), which failed to address technological evolutions like the rise of OTT platforms and data-intensive services, resulting in protection gaps and inconsistent national implementations due to its nature as a directive requiring transposition into member state law. These divergences undermined the internal market's efficiency and user trust, particularly as the GDPR (adopted in 2016) imposed stricter, uniform standards that the directive's framework could not seamlessly integrate, such as aligned consent mechanisms and data minimization principles.
By proposing a regulation, the Commission intended to achieve direct applicability and uniformity, closing loopholes in metadata handling and tracking that exposed users to risks without adequate safeguards, while fostering innovation in the Digital Single Market through clarified rules rather than fragmented compliance burdens. This approach prioritized alignment with evolving digital realities over preserving outdated sectoral distinctions between public networks and software-based services.

Legislative Journey

Trilogues and Negotiations

Following the European Commission's proposal in January 2017, the European Parliament adopted its position on the ePrivacy Regulation in October 2017, advocating for stringent protections on electronic communications metadata and tracking technologies. The Council, after extended internal deliberations, endorsed its general approach on February 10, 2021, which introduced more flexibility for service providers in processing metadata for purposes like cybersecurity while maintaining the confidentiality of communications. This alignment enabled the initiation of interinstitutional trilogues on May 20, 2021, under the Portuguese Presidency of the Council, aimed at forging a compromise text. Trilogue discussions spanned multiple informal rounds through 2021 and into 2022, focusing on reconciling divergences between the Parliament's emphasis on user consent for any metadata access (extending GDPR-like requirements) and the Council's preference for targeted exceptions to support cybersecurity and fraud prevention without blanket consent mandates. Central contention arose over tracking mechanisms, including cookies and device fingerprinting, where the Parliament sought to prohibit undetectable surveillance and mandate explicit opt-in consent, while the Council proposed softer rules allowing tracking in certain low-risk scenarios to preserve advertising ecosystems. Negotiators also debated the regulation's scope, particularly the treatment of over-the-top (OTT) services like messaging apps, with disagreements on whether the regulation should preclude metadata processing for legitimate interests, potentially impacting service innovation. Further sticking points included unsolicited commercial communications and related exemptions, where the Parliament pushed for opt-in models aligned with privacy priorities, contrasting the Council's balanced approach incorporating industry needs. Despite preparatory compromises, such as draft texts circulated by successive Council presidencies, no provisional agreement emerged by mid-2022, as fundamental gaps persisted on balancing privacy absolutism against economic interests.
The protracted talks highlighted institutional tensions, with the Parliament viewing Council positions as overly permissive toward industry lobbying, while member states prioritized regulatory coherence with the GDPR without stifling growth.

Stalemate and 2025 Withdrawal

Negotiations on the ePrivacy Regulation entered a prolonged stalemate following the European Council's general approach in October 2019 and the European Parliament's first reading position in January 2020, as trilogue discussions between the EU institutions repeatedly failed to reconcile fundamental divergences on provisions such as metadata processing, tracking technologies, and exceptions for electronic communications services. Disagreements centered on balancing stringent privacy protections with industry concerns over restrictions on online advertising and data-driven business models, with the Council favoring looser rules to support competitiveness while the Parliament pushed for stronger safeguards aligned with GDPR principles. This impasse persisted through multiple informal trilogues, halting substantive progress despite ongoing technical meetings, as no consensus emerged on core elements like consent mechanisms for cookies and web tracking. The stalemate reflected broader tensions in EU digital policy, including the prioritization of other emerging digital frameworks, which addressed overlapping issues such as platform accountability and data access for AI development, reducing the urgency of ePrivacy reform. Privacy advocates criticized the deadlock as yielding to lobbying from the tech and advertising sectors, potentially weakening protections against surveillance capitalism, while business groups viewed the proposal's rigidity as incompatible with commercial needs. By late 2024, with no breakthrough in sight, the Commission signaled its intent to reassess the file amid shifting legislative priorities toward economic competitiveness. On February 11, 2025, the Commission announced in its 2025 Work Programme the withdrawal of the ePrivacy Regulation proposal, citing a lack of foreseeable agreement among co-legislators and the evolution of complementary EU laws rendering the text obsolete in its current form.
The formal withdrawal process, allowing six months for potential last-minute resolution, concluded without revival, effectively ending the eight-year legislative effort initiated in 2017. This decision preserves the 2002 ePrivacy Directive and its national transpositions indefinitely, maintaining fragmented implementation across member states while deferring comprehensive updates to electronic communications privacy. Critics from civil society argued the move undermines user rights in an era of pervasive data collection, whereas stakeholders in publishing and online advertising welcomed the outcome as averting overly burdensome compliance.

Proposed Provisions

Confidentiality and Metadata Rules

The proposed ePrivacy Regulation, in Article 5, mandated the confidentiality of electronic communications data, encompassing both the substantive content of communications (such as messages or calls) and associated metadata, prohibiting any interference, including listening, tapping, intercepting, storing, monitoring, or other forms of processing, by persons other than the end-users involved, absent explicit exceptions. This rule extended to all electronic communications services, including traditional telephony and over-the-top (OTT) platforms like messaging apps, thereby broadening protections beyond the scope of the 2002 ePrivacy Directive, which primarily targeted telecom operators. Exceptions permitted processing for the transmission of communications, technical storage strictly necessary for transmission, or with the free, informed, and revocable consent of all end-users, aligned with GDPR standards under Regulation (EU) 2016/679; additional allowances existed under separate legal frameworks. Metadata, defined as data processed to transmit communications, such as identifiers of source and destination, geographic location, date, time, duration, volume, and protocol type, was subject to heightened restrictions under Article 6, where processing by providers was forbidden unless essential for core functions like ensuring transmission, billing, fraud detection, or network security. For non-essential uses, such as traffic management or value-added services, end-user consent was required, with mandatory safeguards including erasure or anonymization immediately after the purpose was fulfilled, and retention limited to what was strictly necessary to prevent indefinite storage.
Unlike the ePrivacy Directive's traffic data rules, which allowed storage for billing with user notification but lacked uniform safeguards, the Regulation imposed GDPR-equivalent proportionality and minimization principles, aiming to curb metadata's potential for pervasive surveillance while enabling legitimate provider operations. Providers were obligated to implement technical and organizational measures to enforce confidentiality by default, with violations subject to fines of up to 4% of global annual turnover or €20 million, whichever was higher, as harmonized with GDPR enforcement. These provisions sought to address evolving threats from digital intermediaries but drew criticism for potentially over-regulating metadata uses vital for service optimization, as noted in stakeholder analyses during trilogue negotiations.

Tracking Technologies and Consent

The proposed ePrivacy Regulation sought to regulate tracking technologies by prohibiting the storage of information on, or access to information already stored on, an end-user's terminal equipment (encompassing devices like computers, smartphones, and connected objects) without the end-user's prior consent, unless specific exceptions applied. This provision, outlined in Article 8, extended beyond traditional cookies to include device fingerprinting, tracking pixels, and other identifiers used for online behavioral advertising or analytics, aiming to address the proliferation of invasive tracking methods that collect data across websites and apps. The rule applied to both providers of electronic communications services and third parties, ensuring that any interference with terminal equipment triggered consent obligations independent of broader data processing under the GDPR. Consent mechanisms were harmonized with the GDPR's definition under Article 4(11), requiring consent to be freely given, specific, informed, and an unambiguous indication of the end-user's wishes through a statement or clear affirmative action, such as ticking a box that was not pre-selected.
End-users had the right to withdraw consent at any time with the same ease as granting it, and providers were obligated to provide reminders every six months for ongoing tracking activities. Where technically feasible, consent could be expressed or refused via browser or application settings, with software providers required to offer configurable privacy options during installation, including defaults that block third-party access to terminal equipment data. This technical enforcement aimed to reduce reliance on repetitive pop-up banners, potentially integrating with mechanisms like Do Not Track signals, though implementation details were left to delegated acts by the Commission. Exceptions to the consent requirement were narrowly defined to permit only minimal intrusions essential for functionality. These included storage or access strictly necessary for the transmission of electronic communications over a network, or for providing an information society service explicitly requested by the end-user, such as maintaining a shopping basket across pages. Additional exemptions covered web audience measuring by the service provider itself (subject to anonymization and GDPR compliance), cybersecurity measures, software updates with user notification, and location data for emergency services. Non-intrusive cookies improving user experience, like those remembering language preferences without tracking, were also exempt, provided they did not enable profiling or cross-site identification. For metadata generated by tracking—such as IP addresses or timestamps—processing for non-service purposes required separate consent, reinforcing the regulation's focus on preventing unconsented surveillance via communications logs. 
The proposal's approach to tracking consent drew from empirical evidence of user fatigue with cookie banners under the ePrivacy Directive, which had led to low-quality, non-granular consents often invalidated by courts such as the CJEU in cases like Planet49 (C-673/17), where pre-ticked boxes were deemed insufficient. By mandating GDPR-level validity and technical defaults against tracking, the regulation intended to enhance enforceability, with national authorities empowered to impose fines up to the GDPR's maximums (4% of global turnover) for violations. However, later drafts, including versions up to 2021, expanded the exceptions slightly for fraud prevention and software updates, reflecting negotiations over balancing privacy with operational needs.

Marketing and Exceptions

The proposed ePrivacy Regulation sought to prohibit the use of electronic communications services, including email, SMS, MMS, and automated calls, for sending direct marketing communications to end-users without their prior consent. This rule applied uniformly across the Union, aiming to replace the varying national implementations under the ePrivacy Directive's Article 13, which had led to inconsistencies such as differing consent regimes. Senders were required to identify themselves clearly and provide a valid address to which opt-out requests could be sent in all such communications. Exceptions to the consent requirement included a "soft opt-in" mechanism, permitting marketers to contact existing customers using details obtained during a prior sale of a product or service, provided the communications offered similar products or services and the customer had been given a clear opportunity to object at the time of collection and in each subsequent message. Member States retained flexibility to enact national exceptions for business-to-business (B2B) communications, allowing unsolicited marketing where the recipient's details came from public directories or professional registers, subject to opt-out rights and identification requirements. For voice-to-voice marketing calls, Member States could opt for an opt-out system instead of prior consent, provided recipients could register on publicly accessible do-not-call lists. The proposal also addressed tracking technologies used for marketing purposes, such as cookies or device fingerprinting for behavioral advertising, by subjecting them to the same standards as other forms of metadata processing or access to terminal equipment under Articles 9 and 10. Exceptions were limited to cases deemed "strictly necessary" for service provision, such as security or fraud prevention, but excluded tracking or profiling, requiring granular, user-friendly consent mechanisms like browser settings. Non-compliance could result in fines up to €10 million or 2% of global annual turnover, harmonized with GDPR enforcement but administered by national communications authorities.
These provisions reflected the Commission's intent to curb intrusive while accommodating legitimate commercial interests, though subsequent and drafts introduced debates over broadening B2B exceptions and integrating legitimate interest grounds from GDPR.

Integration with GDPR

The proposed ePrivacy Regulation positioned itself as a complement to the General Data Protection Regulation (GDPR), functioning as lex specialis by establishing targeted rules for the confidentiality and processing of electronic communications data, covering both personal and non-personal data, while deferring to the GDPR's general framework for personal data protection. This integration aimed to extend protections to over-the-top (OTT) services such as messaging apps and to machine-to-machine communications, ensuring uniform application across the EU digital single market without duplicating obligations; for instance, the proposal dropped the Directive's security provisions that overlapped with Article 32 GDPR. Consent under the proposal followed the GDPR definition and standard: freely given, specific, informed and unambiguous consent was required for storing information on, or accessing information from, terminal equipment; consent could be expressed through browser settings; and end-users who had consented were to be reminded of their right to withdraw at six-month intervals for as long as the processing continued (draft Article 9(3)). Processing of communications content and metadata was restricted to what was needed for transmission, billing or security unless end-users consented otherwise, thereby particularizing the GDPR's lawfulness bases (Article 6) for electronic communications metadata that qualifies as personal data. Enforcement was integrated with GDPR structures, assigning primary responsibility to national data protection authorities (DPAs) for oversight, investigations and penalties of up to €20 million or 4% of global annual turnover, mirroring GDPR fines, with the European Data Protection Board facilitating consistency across member states. The proposal emphasized that ePrivacy rules take precedence in their specialized areas, such as traffic and location data, allowing DPAs to assess compliance holistically under GDPR principles while applying ePrivacy-specific prohibitions, thus avoiding fragmented enforcement.
Remedies and liability provisions were likewise aligned with Articles 77 to 82 GDPR, guaranteeing end-users a right to judicial redress for violations in electronic communications.
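As an added illustration (example code written for this page, not part of the proposal, the GDPR or any project), the following JavaScript models the consent standard described in the tracking-consent, marketing and GDPR-integration passages above as a gate in front of storage on, or access to, terminal equipment: strictly necessary purposes pass without consent, everything else is denied by default, a consent record counts only if it results from an explicit affirmative act that covers the specific purpose (so a pre-ticked box or "consent by scrolling" is rejected, as in Planet49), withdrawal takes effect at any time, and a reminder of the right to withdraw falls due after six months (draft Article 9(3)). The purpose names, the record fields, the browser-signal values and the 183-day interval are this example's own assumptions.

```javascript
// Added example: a consent gate for storage on / access to terminal equipment,
// modelling the GDPR consent standard the ePrivacy proposal adopted (freely given,
// specific, informed, unambiguous, given by an affirmative act) and the draft's
// six-month reminder of the right to withdraw (Article 9(3)). The purpose names,
// the record fields, the browser-signal values and the 183-day interval are this
// example's own assumptions, not text from the proposal.

const DAY_MS = 24 * 60 * 60 * 1000;
const REMINDER_INTERVAL_MS = 183 * DAY_MS; // assumption: "six months" modelled as 183 days

// Purposes treated as strictly necessary to deliver a service the user asked for.
// These never require consent; every other purpose is denied until consented to.
const STRICTLY_NECESSARY = new Set(['session', 'csrf_token', 'load_balancing', 'fraud_prevention']);

// Only an explicit affirmative act is a valid consent signal. Pre-ticked boxes,
// scrolling and "consent by continuing to browse" are the patterns rejected in Planet49.
const AFFIRMATIVE_ACTS = new Set(['button_click', 'toggle_on', 'browser_setting_allow']);

// Return why a consent record fails the GDPR standard, or null if it is valid at `now`.
function consentDefect(record, now) {
  if (!record || typeof record !== 'object') return 'missing';
  if (!AFFIRMATIVE_ACTS.has(record.act)) return 'not_unambiguous';
  if (!Array.isArray(record.purposes) || record.purposes.length === 0) return 'not_specific';
  if (record.informed !== true) return 'not_informed'; // purpose notice was shown and acknowledged
  if (record.conditional === true) return 'not_freely_given'; // access made conditional on consent (tracking wall)
  if (typeof record.givenAt !== 'number' || record.givenAt > now) return 'bad_timestamp';
  if (typeof record.withdrawnAt === 'number' && record.withdrawnAt <= now) return 'withdrawn';
  return null;
}

// Decide whether storing or reading data for `purpose` is permitted at time `now`.
// `browserSignal` models a browser-level preference: 'deny_tracking', 'allow' or undefined.
// A browser-level refusal is honoured whenever no valid site-specific consent exists;
// a valid site-specific consent is treated as the more specific expression (assumption).
function decide(purpose, consent, now, browserSignal) {
  if (STRICTLY_NECESSARY.has(purpose)) {
    return { allowed: true, reason: 'strictly_necessary' };
  }
  const defect = consentDefect(consent, now);
  if (defect !== null) {
    return { allowed: false, reason: browserSignal === 'deny_tracking' ? 'browser_refusal' : defect };
  }
  if (!consent.purposes.includes(purpose)) {
    return { allowed: false, reason: 'purpose_not_consented' }; // granular: analytics consent is not ad consent
  }
  return { allowed: true, reason: 'consented' };
}

// Withdrawal must be possible at any time; returns a new record rather than mutating.
function withdraw(consent, now) {
  return { ...consent, withdrawnAt: now };
}

// Draft Article 9(3): remind the user of the right to withdraw at six-month intervals
// for as long as the consented processing continues.
function reminderDue(consent, now) {
  if (consentDefect(consent, now) !== null) return false; // no live consent, nothing to remind about
  const last = consent.lastRemindedAt ?? consent.givenAt;
  return now - last >= REMINDER_INTERVAL_MS;
}

// Constructed sample input: a user who clicked "Accept analytics" 200 days ago.
const NOW = Date.UTC(2025, 0, 1);
const sampleConsent = { act: 'button_click', purposes: ['analytics'], informed: true, givenAt: NOW - 200 * DAY_MS };
const preTicked = { ...sampleConsent, act: 'pre_ticked' };

console.log(decide('session', null, NOW));                           // { allowed: true, reason: 'strictly_necessary' }
console.log(decide('analytics', sampleConsent, NOW));                // { allowed: true, reason: 'consented' }
console.log(decide('advertising', sampleConsent, NOW));              // { allowed: false, reason: 'purpose_not_consented' }
console.log(decide('analytics', preTicked, NOW));                    // { allowed: false, reason: 'not_unambiguous' }
console.log(decide('analytics', null, NOW, 'deny_tracking'));        // { allowed: false, reason: 'browser_refusal' }
console.log(reminderDue(sampleConsent, NOW));                        // true: 200 days since consent
console.log(decide('analytics', withdraw(sampleConsent, NOW), NOW)); // { allowed: false, reason: 'withdrawn' }
```

The design choice worth noting is that the gate never falls back to an implied basis: absence of a record, a record produced by a pre-ticked default, or a record whose purposes do not name the requested one all yield a denial, so a site that forgets to wire up its banner fails closed rather than open.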

Comparison to ePrivacy Directive

Structural Differences

The proposed ePrivacy Regulation differs from the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) primarily in its legal form and binding nature. As a directive, the existing framework requires member states to transpose its provisions into national law, which has produced divergent implementations and enforcement across jurisdictions owing to differing interpretations and additional domestic rules. The 2017 proposal (COM(2017) 10 final) takes the form of a regulation, directly applicable and uniformly enforceable in all member states without transposition, with the aim of eliminating that fragmentation and aligning with the General Data Protection Regulation (GDPR). This shift answers longstanding criticism of the Directive's inconsistent application, particularly in cookie consent and tracking, where national variations have created compliance challenges for cross-border services. A second structural distinction lies in the scope of application. The Directive addresses privacy in electronic communications mainly through obligations on traditional telecommunications operators, covering services such as fixed and mobile telephony under a narrow definition of "publicly available electronic communications services". The Regulation proposal extends this to all electronic communications service providers (ECSPs), including over-the-top (OTT) platforms such as messaging apps and email services, regardless of whether they were regulated as telecommunications services under the earlier framework. The broader remit also explicitly covers machine-to-machine communications and protects both personal and non-personal data in electronic contexts, positioning the Regulation as a lex specialis that takes precedence over the general GDPR rules in specific communications scenarios without being fully subsumed under it.
The Regulation's structure also ties more tightly into the GDPR's architecture, with aligned definitions (notably of consent), notification duties and enforcement mechanisms involving data protection authorities. Whereas the Directive's sector-specific rules are enforced mainly by national telecom regulators (coordinated in bodies such as the Body of European Regulators for Electronic Communications, BEREC), the proposal envisages oversight compatible with the GDPR's one-stop-shop principle, where lead supervisory authorities handle cross-border cases. It also fixes exceptions and derogations more rigidly at EU level, reducing national flexibility compared with the Directive's allowance for member state adaptations in areas such as unsolicited communications. These changes were meant to modernize the framework for digital ecosystems dominated by non-traditional providers, though the proposal's stalled progress since 2017 left the Directive's fragmented structure intact as of 2025.

Substantive Enhancements and Gaps

The proposed ePrivacy Regulation sought to extend protections beyond the ePrivacy Directive's focus on traditional providers and natural persons, bringing in over-the-top (OTT) services such as messaging apps, machine-to-machine communications, and legal entities such as businesses. This broadening aimed to close gaps in the Directive, which predated widespread OTT adoption and primarily targeted public electronic communications networks. The Regulation also introduced explicit rules prohibiting interference with the confidentiality of electronic communications content and metadata without end-user consent or a narrowly defined exception, such as transmission or billing, strengthening safeguards against unauthorized access compared with the Directive's more general confidentiality provisions. Further enhancements included refined consent requirements for tracking technologies: prior opt-in was mandated for storing or accessing information on terminal equipment (for example cookies or device fingerprinting) unless strictly necessary for service delivery, with browser-based settings proposed to simplify compliance and reduce consent fatigue, an advance over the Directive's cookie rules, whose flexibility had led to inconsistent national implementations. Metadata processing was limited to purposes such as quality-of-service optimization or billing, with anonymization or deletion after use, aligning more closely with the GDPR's minimization and purpose-limitation standards than the Directive's looser framework, which permitted broader retention. Rules on unsolicited communications were tightened to ban direct marketing via email, SMS or automated calls without explicit prior consent, reducing the scope for national opt-out choices under the Directive, whose protection against spam had proved inconsistent owing to enforcement variances.
Despite these improvements, the Regulation showed gaps in balancing protections with practical application, notably its heavy reliance on consent as the primary legal basis for metadata processing and tracking, excluding the GDPR's legitimate interests ground and potentially hindering innovation in services without viable alternatives. Ambiguities persisted over obtaining consent from legal entities or their employees, risking uneven application similar to the Directive's transposition problems, and broad exceptions for "essential" tracking (for example fraud prevention) could enable tracking walls, coercive mechanisms that the European Data Protection Supervisor (EDPS) urged be banned explicitly because the proposal did not address them adequately. Metadata received comparatively weaker safeguards than content, with processing thresholds lower than the EDPS recommended for parity, potentially allowing indirect inferences about user behavior without equivalent stringency. Overall, while aiming at GDPR harmonization, the proposal offered marginal added value in some areas, overlapped heavily with the GDPR, and failed to fully resolve Directive-era gaps such as the absence of collective redress for violations.

Reception Across Stakeholders

Privacy Advocacy Perspectives

Privacy advocacy organizations, including European Digital Rights (EDRi), have consistently supported a robust ePrivacy Regulation to update and strengthen safeguards for the confidentiality of electronic communications, seeing it as an essential complement to the General Data Protection Regulation (GDPR) that addresses sector-specific threats such as unauthorized tracking and metadata processing. In its 2017 position, EDRi endorsed the European Commission's proposal for additional rules to foster trust and security in digital services, emphasizing the need for explicit protection against indiscriminate surveillance and tracking by service providers. It criticized early drafts, however, for inadequate enforcement of high privacy standards, particularly in the consent requirements for cookies and metadata, arguing that exemptions and vague exceptions risked perpetuating the fragmented national implementations seen under the Directive. Other groups highlighted the regulation's potential to curb spam, unsolicited communications and invasive metadata collection, urging member states to prioritize a general approach so that core protections would not be diluted by competing industry interests. In joint advocacy, EDRi and allied civil society organizations proposed amendments strengthening protections and limiting exceptions for access to communications data, arguing that without them the regulation would fail to counter evolving risks from over-the-top services and behavioral advertising. These advocates stressed that harmonized EU-wide rules were preferable to the Directive's transposition variances, which have led to inconsistent enforcement and loopholes exploited by trackers.
The European Data Protection Supervisor (EDPS), while institutionally aligned with these goals, welcomed the 2017 proposal as a vital instrument for upholding communications secrecy but urged refinements to align the metadata rules more tightly with the GDPR's proportionality principles, warning that broad derogations could enable disproportionate surveillance. Privacy advocates expressed frustration at the protracted negotiations, which stalled progress on modern challenges such as machine-to-machine communications and IoT data flows. Following the European Commission's withdrawal of the proposal, announced on 11 February 2025 in its 2025 Work Programme on the ground that no agreement between the co-legislators was foreseeable, EDRi described the move as revealing systemic flaws in privacy lawmaking, including undue influence from business lobbies and a failure to prioritize user rights over market facilitation. Advocates warned that continued reliance on the 2002 Directive perpetuates obsolescence, leaving users exposed to unaddressed tracking practices, and called for targeted reforms or alternative instruments to enforce confidentiality without further delay.

Industry and Business Critiques

Industry representatives, including BusinessEurope, have criticized the proposed ePrivacy Regulation for duplicating and contradicting provisions of the General Data Protection Regulation (GDPR), arguing that the overlaps would create legal uncertainty without enhancing privacy protection. This misalignment, they contended, would impose redundant compliance obligations on businesses already adapting to the GDPR and fragment the Digital Single Market rather than harmonize rules on electronic communications. Trade associations such as Ecommerce Europe warned that the Parliament's 2017 report on the proposal failed to reflect business realities and risked harming online merchants' business models by mandating granular consent for non-essential cookies and tracking technologies. They argued that stringent requirements would degrade the user experience through consent banners, reducing site traffic and conversion rates, and European media firms estimated severe revenue losses from curtailed behavioral advertising. DIGITALEUROPE called for closer alignment of the ePrivacy rules with the GDPR so that communications metadata could be processed for legitimate purposes, criticizing the proposal's broader scope as overly prescriptive and harmful to innovation in connected devices and digital services. Business groups further argued that the inflexible framework would spread negative effects across sectors, from advertising to IoT, by prohibiting metadata use without explicit consent, raising operational costs and weakening EU competitiveness against less regulated markets. Compliance burden was a recurring concern: analyses suggested that the proposal's emphasis on user-centric controls, such as opt-in requirements in place of tracking walls, could exacerbate consent fatigue and disproportionately affect small and medium-sized enterprises unable to absorb costs that larger firms had estimated in the millions for comparable GDPR measures.
Overall, these critiques framed the regulation as prioritizing theoretical privacy gains over economic viability, potentially undermining the Digital Single Market growth objectives set out in the 2017 proposal.

Governmental and Regulatory Views

The Council of the European Union, representing member states' governments, adopted its general approach to the ePrivacy Regulation proposal on 10 February 2021, securing a mandate for interinstitutional negotiations focused on safeguarding the confidentiality of electronic communications content and metadata. That position permits processing of such data without user consent in narrowly defined cases, including ensuring network and service integrity, detecting and preventing fraud and security threats, and complying with legal obligations such as those arising in criminal prosecutions. The Council's text broadens the scope beyond the Commission's draft by applying the rules to legal persons and to machine-to-machine communications transmitted over publicly available networks, while introducing mechanisms to mitigate consent fatigue, such as allowing users to whitelist trusted providers for cookies and similar trackers. It positions the regulation as lex specialis to the GDPR, aiming to harmonize protection across over-the-top services, web-based email, messaging and connected devices without unduly burdening innovation. The European Data Protection Supervisor (EDPS), an independent advisory body, welcomed the proposal's intent to modernize the rules in its opinion of 24 April 2017 but urged enhancements, including standalone protections for content and metadata, a ban on tracking walls that coerce consent, and an explicit prohibition on decrypting end-to-end encrypted communications or mandating backdoors. The EDPS stressed alignment with GDPR principles to avoid loopholes, such as restricting further processing to the ePrivacy-specific legal bases and ensuring equivalent protection for over-the-top providers and for data stored in cloud services. National data protection authorities, coordinated through the European Data Protection Board (EDPB), regard the ePrivacy Regulation as essential for particularizing GDPR rules in electronic communications, adding safeguards such as clarified competences for supervisory tasks and powers over metadata handling.
In a statement of 19 November 2020, the EDPB called for the regulation to establish clear cooperation frameworks among authorities so that it could be enforced uniformly, stressing its role in closing gaps in the existing Directive as technology evolved. Persistent divergences, with governments prioritizing practical exceptions for security and economic viability and regulators insisting on stringent, rights-based limits, contributed to the stalemate that culminated in the European Commission's withdrawal of the proposal on 11 February 2025 under its 2025 work programme, which cited the lack of any foreseeable agreement and a shift toward targeted amendments of the Directive or alternative instruments.

Controversies and Debates

Encryption vs Scanning Conflicts

The ePrivacy Regulation proposal of 10 January 2017 emphasizes the confidentiality of electronic communications in Article 5, prohibiting interference such as scanning, monitoring or decryption of content and metadata without user consent or a narrowly defined exception for network security or legal obligations. This framework protects end-to-end encryption (E2EE) as a core mechanism for keeping private communications inaccessible to third parties, including the service provider itself, in line with Article 7 of the Charter of Fundamental Rights of the European Union. These protections collide with parallel EU initiatives to mandate detection of child sexual abuse material (CSAM) in private messages, where scanning requirements could require bypassing or undermining E2EE to reach plaintext. Proponents of CSAM detection, including law enforcement advocates, have pushed for derogations or separate regulations allowing providers to deploy scanning technologies such as client-side scanning (CSS), which analyzes content on the user's device before it is encrypted for transmission. The 2022 Proposal for a Regulation laying down rules to prevent and combat child sexual abuse provides for detection orders (Article 7) that could require E2EE services to scan for known CSAM hashes or patterns; even without a formal ban on encryption, this discourages strong encryption by creating compliance burdens and security vulnerabilities. In their joint opinion of 28 July 2022, the European Data Protection Board (EDPB) and the EDPS warned that such measures risk weakening encryption without prohibiting it outright, since Recital 26 of the CSA proposal leaves detection obligations applicable to services using end-to-end encryption, conflicting with the ePrivacy non-interference principle and, by analogy, with Articles 5(1) and 15(1) of the ePrivacy Directive.
Critics, including the privacy organization European Digital Rights (EDRi), argue that CSS or server-side scanning violates the essence of ePrivacy confidentiality by introducing systemic vulnerabilities, generating false positives and inviting expansion to content categories beyond CSAM, since encrypted communications cannot be scanned without either decrypting traffic or building detection logic into endpoint software. CSS, for instance, matches content against databases of known material, but studies and expert analyses indicate that it compromises device integrity: the modified client software becomes a target that attackers or governments could repurpose for broader surveillance, contradicting the security model of E2EE, in which no intermediary is trusted with plaintext. Resistance to mandatory scanning in the ePrivacy negotiations has contributed to the stalemate since late 2020, amid concerns that derogations for detecting illegal content, intended to carry over the ePrivacy Directive's allowance for voluntary CSAM detection, would erode trust in digital communications and expose users to non-state actors. The stakes are broad, since weakening E2EE would affect billions of users on platforms such as Signal; global CSAM reports reached 725,000 in 2019, yet evidence from voluntary scanning under existing exceptions shows limited efficacy against encrypted channels without invasive measures. Member states favoring detection mandates prioritize detection obligations, while the EDPB recommends targeted, judicially warranted interventions over generalized scanning so that encryption keeps its role in preventing unauthorized access.
The unresolved debate contributed to the ePrivacy Regulation's legislative impasse, with trilogue talks halting over proportionality, leaving the 2002 Directive in place and exposing the trade-off: CSAM detection via scanning reduces immediate harm but erodes the long-term privacy and security architecture on which democratic societies depend.

Burden on Innovation and Compliance Costs

Industry associations such as IAB Europe and DIGITALEUROPE have argued that the proposed ePrivacy Regulation, introduced by the European Commission on 10 January 2017, would raise compliance costs through its mandate for explicit opt-in consent before accessing user terminal equipment or processing electronic communications metadata, requiring investment in consent interfaces and privacy-enhancing technologies. The obligations extend to non-personal data such as metadata used for analytics, adding administrative burdens such as recurring consent prompts for tools like web analytics cookies, which a 2017 economic impact assessment described as generating persistent operational expense and legal uncertainty through overlaps with, and deviations from, GDPR principles. Small and medium-sized enterprises (SMEs), which lack the resources of larger firms, would bear a disproportionate share of these costs, as the fixed expense of implementing granular consent mechanisms and auditing metadata processing could strain limited budgets and divert funds from core activities. The assessment argued that applying the rules to machine-to-machine communications in Internet of Things (IoT) devices would complicate innovation in emerging sectors such as wearables and connected vehicles by requiring user consent for routine data flows essential to functionality and service optimization, potentially slowing market entry for startups. Critics, including some EU member state governments, warned that the stringent tracking and metadata provisions could undermine digital business models, particularly the behavioral advertising that sustains free online content, with projections of contraction in the web analytics market (valued at $1.3 billion in 2015 and forecast to reach $4.9 billion by 2022 absent such constraints) owing to reduced data access and higher opt-out rates.
By prioritizing consent over alternatives such as legitimate interests, the framework risks entrenching incumbents with established compliance infrastructure while impeding agile innovators, a concern that contributed to the negotiations stalling from 2019 amid worries about economic drag on the Digital Single Market.

Harmonization vs National Flexibility

The ePrivacy Regulation proposal of 10 January 2017 sought full harmonization by establishing directly applicable rules across the EU, replacing the ePrivacy Directive of 2002, which left member states significant flexibility in transposition and implementation. The shift aimed to eliminate fragmentation arising from divergent national laws, such as differing cookie consent requirements, spam rules and data retention obligations, facilitating the Digital Single Market and reducing compliance burdens for cross-border providers. Proponents, including the European Commission, argued that uniform rules would ensure equivalent protection of communications confidentiality under Article 7 of the EU Charter of Fundamental Rights while enabling free data flows, with the Regulation's lex specialis status complementing the GDPR's general framework. The emphasis on harmonization, however, sparked debate over insufficient national flexibility, particularly for national security and law enforcement. Article 11 permitted member states to restrict certain obligations, such as confidentiality of communications, by proportionate measures for reasons including national security, defense or public security, but required such measures to be notified to the Commission and justified under necessity principles akin to Article 23 GDPR. Critics, including some governments, contended that these derogations were too narrowly drawn and could constrain responses to country-specific threats such as child sexual abuse material (CSAM), where broader scanning or retention mandates might be deemed essential; in March 2021, for instance, one member state led efforts to amend the draft to exempt national security agencies from key provisions, exposing the tension between EU-wide uniformity and sovereign prerogatives. Stakeholders diverged sharply: privacy advocates such as European Digital Rights (EDRi) favored stricter harmonization to prevent protections being undermined by national overreach, warning that excessive flexibility could erode confidentiality and enable surveillance creep.
Conversely, security-oriented member states and telecom operators worried that rigid EU rules might hinder innovation in threat detection or conflict with domestic law, as illustrated by the parallel proposals for temporary derogations from the ePrivacy rules to enable CSAM detection in encrypted services. Industry analyses noted that while harmonization promised predictability, potentially lowering costs estimated in the billions annually from Directive-induced divergences, it risked stifling tailored national adaptation, contributing to the proposal's legislative impasse. These frictions persisted through the trilogue negotiations, where Council positions pushed for expanded derogations against Parliament's emphasis on robust safeguards, and ended with the Commission's withdrawal of the proposal on 11 February 2025. The debate underscored a core trade-off: harmonization's efficiency for economic integration against the perceived need for flexibility to accommodate heterogeneous national priorities, with continuing implications for alternatives such as targeted amendments of the Directive under the Commission's simplification agenda.

Current Status and Implications

Post-Withdrawal Landscape

Following the European Commission's announcement of 11 February 2025 in its 2025 Work Programme, the proposed ePrivacy Regulation, intended to replace the 2002 ePrivacy Directive, was formally withdrawn on the ground that no agreement between the institutions was foreseeable after eight years of stalled negotiations. The decision reflected a shift in priorities toward competitiveness and data access for AI development, and an acknowledgement that elements of the 2017 text had not kept pace with technologies such as the Internet of Things and over-the-top services. The withdrawal ended the ambition for a single regulation-level framework harmonizing the rules on confidential electronic communications, metadata processing and tracking technologies across the EU. The ePrivacy Directive (2002/58/EC), as transposed into national law, remains the governing instrument for privacy in electronic communications, requiring prior consent for storing or accessing information on users' terminal equipment, such as cookies and similar trackers, while permitting exceptions for functionality that is strictly necessary to provide a service the user has requested. Enforcement continues through national data protection authorities (DPAs), with penalty ceilings set by national law, many of which have been aligned with the GDPR's €20 million or 4% of global annual turnover; application nevertheless varies, with Belgium's DPA issuing guidance in 2023 emphasizing opt-in consent for non-essential cookies while German courts have upheld broader exceptions for analytics in certain contexts. The Directive primarily targets traditional telecom providers but intersects with the GDPR for non-telecom entities handling personal data in communications, producing overlaps where the more specific Directive prevails, and leaving uneven coverage for modern apps such as messaging services whose classification as public electronic communications providers has been contested.
This post-withdrawal status quo perpetuates fragmentation, as member states retain flexibility in implementation, producing divergent rules on matters such as unsolicited communications and metadata retention; France, for example, enforces a strict opt-in regime for marketing emails under CNIL oversight, in contrast to more lenient approaches in some Eastern European states. Businesses face continuing compliance burdens, including cookie consent banners and tracking walls, under heightened DPA scrutiny, as shown by the Irish DPC's 2024 investigations into ad-tech firms for Directive violations that yielded multimillion-euro fines, without the anticipated modernization that would have streamlined cross-border operations. Privacy advocates such as European Digital Rights (EDRi) have decried the withdrawal as a regression, arguing that it entrenches an outdated framework ill-equipped for pervasive data collection in Web 3.0 environments and weakens user protection against surveillance capitalism. In the wider digital rulebook, the Directive's persistence complements newer instruments such as the Digital Services Act, which imposes transparency on recommender systems but defers to ePrivacy for access to terminal equipment, while the Data Act's applicability from 2025 introduces obligations that indirectly touch communications metadata without supplanting the core requirements. National courts and DPAs continue to adjudicate disputes, with a 2025 ruling clarifying that the Directive's scope extends to IP addresses in tracking scenarios, reinforcing its relevance despite criticism of technological obsolescence. Overall, the landscape relies on directive-level flexibility, with industry calling for targeted amendments to cut administrative costs estimated at €2 to 5 billion annually EU-wide, though no comprehensive overhaul had materialized by late 2025.

Targeted Directive Reforms and Alternatives

Following the European Commission's withdrawal of the ePrivacy Regulation proposal, announced on 11 February 2025 in its 2025 Work Programme, attention shifted to targeted amendments of the existing ePrivacy Directive (Directive 2002/58/EC). The Directive, adopted in July 2002, governs privacy in electronic communications, including rules on cookies, unsolicited communications and confidentiality of communications, but has been criticized for outdated provisions that do not address modern technologies such as over-the-top services and machine-to-machine communications. The pivot aims to modernize specific elements without the full harmonization of a regulation, preserving national transposition flexibility while aligning with the General Data Protection Regulation (GDPR). Proposed reforms focus on narrow updates, such as refining consent mechanisms to reduce user friction and improve compliance, including clearer opt-in requirements and restrictions on manipulative designs. In September 2025 the Commission opened a consultation on digital simplification covering the ePrivacy Directive alongside the AI Act, to identify "outdated rules" for targeted revision, harmonize terminology with the GDPR and adjust sector-specific exemptions. The Danish Council Presidency, in a non-paper dated 4 July 2025, advocated such a revision to streamline enforcement and reduce administrative burdens, favoring alignment with the GDPR's data minimization principles over a broad regulatory overhaul. Alternatives to amending the Directive include folding ePrivacy rules partly into the GDPR framework, as earlier analyses suggested, to avoid dual compliance regimes, at the risk of diluting sector-specific protection for electronic communications.
Industry stakeholders have pushed for reforms that prioritize innovation, such as exempting non-personal metadata from the strict rules, citing compliance studies that put the Directive's burden on small firms at an estimated €2 to 5 billion annually EU-wide before alignment with the GDPR. Privacy advocates counter that targeted changes do not resolve the encryption and scanning conflicts and warn that, without regulation-level enforcement, national divergence could undermine user trust, pointing to varying cookie-consent rejection rates across member states (a 10 to 30% variance in 2024 enforcement data). These reforms remained at the consultation stage as of October 2025, with no binding timeline, a pragmatic response to the trilogue deadlock driven by the encryption debates and competitiveness priorities.
