ComGlob

Proposal for a Regulation on “ePrivacy” and Directive 2002/58/EC

The proposal for a regulation on “ePrivacy”, which has been under consideration by the Institutions for some time but has not yet been defined, is not a new discipline to be introduced into the European legal system. Indeed, Europe already has Directive 2002/58/EC, currently in force, “relating to the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)”.

Directive 2002/58/EC is also known because the GDPR explicitly refers to it, namely:

  • Whereas(173) - the last one in the GDPR - says:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à- vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (2), including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation

Article 95, entitled “Relationship with Directive 2002/58/EC”, states that:

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Article 21, entitled “Right to Oppose,” states in paragraph 5 that:

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

That said, the proposed regulation is known as “ePrivacy”, once approved and in force, will repeal Directive 2002/58/EC.

The assessment of the European legislator - consistently with what was done with the GDPR - has led to the choice of the regulation instead of the directive as a tool to achieve a unified regulatory system at the European level.

2. The relationship between the ePrivacy proposal and the GDPR

We have already mentioned the relationship between Directive 2002/58/EC and Regulation 2016/679; there is also a parallel relationship between the ePrivacy proposal and the GDPR in terms of the proposal’s " dependence " on the proposal GDPR.

We should understand the “dependence” in the sense that the GDPR has a primary role in protecting individuals with respect to the processing of personal data;

At the same time, the proposal supports the GDPR concerning electronic communications.

Indeed, Directive 2002/58/EC is consequential to Directive 95/46/EC, which regulated - before the GDPR - the “protection of individuals with regard to the processing of personal data and the free movement of such data”.

The commitment of the European legislator about the proposal for a regulation on “ePrivacy” is aimed at preparing a text that is better suited to the entire current context, also concerning the technological evolution of the last twenty years.

3. The iter of the proposed ePrivacy Regulation up to the current version

It is not easy to illustrate the complex path of the proposed ePrivacy regulation, and so we will describe below the salient points of its journey up to the present day.

The institutional work on the proposal on “ePrivacy” - as you probably know - has been very hard and does not yet see a final text, but only drafts: we will, therefore, have to wait for the completion of the process.

- 2017

It all started formally in 2017 when the European Commission formulated the first version of the Proposal for a Regulation of the European Parliament and of the Council on privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications), dated 10/1/2017.

Subsequently, on 4/24/2017, the EDPB published the “Opinion 6/2017 (Opinion 6/2017) on the proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation).” That is a lengthy 40-page document, in which the EDPB referred to the need for a dedicated legal instrument for the ePrivacy proposal, highlighting main concerns and recommendations, especially regarding:

  • the definitions in the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code19 (the EECC Proposal);
  • the provisions on end-user consent need to be strengthened. Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication. In addition, other data subjects who are not parties to the communications must also be protected;
  • it must be ensured that the relationship between the GDPR and the ePrivacy Regulation does not leave loopholes for the protection of personal data. Personal data collected based on end-user consent or another legal ground under the ePrivacy Regulation must not be subsequently further processed outside the scope of such consent or exception on a legal ground which might otherwise be available under the GDPR, but not under the ePrivacy Regulation;
  • the Proposal lacks ambition with regard to the so-called ‘tracking walls’ (also known as ‘cookie walls’). Access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given;
  • the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
  • the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
  • the Proposal includes the possibility for Member States to introduce restrictions. These call for specific safeguards.

On 10/26/2017, the European Parliament published a draft proposal on ePrivacy.

- 2018

Two drafts of the ePrivacy proposal followed in 2018 by the Bulgarian and Austrian Presidencies.

In addition, on 25/5/2018, the EDPB issued its first statement in which it emphasized the following points:

  1. Confidentiality of electronic communications requires specific protection beyond the GDPR.
  2. The ePrivacy Directive is already in force.
  3. The proposed regulation aims to ensure its uniform application across every Member State and every type of data controller.
  4. The new regulation must enforce the consent requirement for cookies and similar technologies and offer services providers technical tools allowing them to obtain that consent.

2018 ends with a draft regulation from the Austrian Presidency dated 19/10/2018.

- 2019

In 2019, two texts were published by the Romanian Presidency (22/2/2019 and the Progress Report of 20/5/2019) and four drafts by the Finnish Presidency (12/7/2019, second draft of 26/7/2019, third draft of 18/9/2019 and fourth draft of 4710/2019).

This production demonstrates the relevance of political intervention, the general interest in a final text, and the severe difficulty of finding a balance toward a final draft.

In addition to the published drafts, we must mention the Declaration 3/2019 on an ePrivacy Regulation, adopted on March 13, 2019, by the EDPB.

The EDPB - sticking to its position - reiterated.

the positions previously adopted by data protection authorities in the EU, including the Opinion 1/2017 of the Article 29 Working Party and the Statement adopted on 25 May 2018.

- 2020

In 2020, there is the draft of the Croatian Presidency (Draft by the Croatian Council Presidency) dated 21/2/2020 and the draft of the German Presidency (Draft by the German Presidency) dated 4/11/2020.

Once again, the EDPB issued its third document, namely the “Statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB” (EDPB - Statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB), adopted on November 19, 2020.

The EDPB, briefly, expressed its position primarily in three points:

  1. Firstly, the EDPB wants to stress that this statement is without prejudice to its previous positions, including statement 3/2019 and its statement of 25 May 2018;
  2. Secondly, the EDPB welcomes the aim of the Council Presidency to reach a General Approach in order to begin the negotiations with the European Parliament and to adopt the ePrivacy Regulation as soon as possible;
  3. Thirdly, the EDPB would like to underline that many provisions of the future ePrivacy Regulation concern processing of personal data. For these processing activities, Article 8(3) of the Charter of Fundamental Rights of the European Union requires oversight by an independent authority.

In that statement, the EDPB concluded by inviting

the Member States to support a more effective and consistent ePrivacy Regulation as initially proposed by the European Commission and as amended by the European Parliament.

- 2021

2021 was the most productive year and probably the closest to the final version (at least hopefully).

In fact, on 5/1/2021, the draft by the Portuguese Presidency is published (Draft by the Portuguese Presidency).

The following month, and precisely on 10/2/2021, the draft of the EU Council of Ministers is published (Draft by the EU Council of Ministers). This draft is significant because the member states have agreed on a mandate for negotiations with the European Parliament (so-called “trilogue”, i.e., an informal negotiation in which the Parliament, the Council, and the Commission take part). In this contribution, we refer precisely to this draft, considering it the last valid one before the formal negotiations.

That draft includes numerous changes to the proposed regulation’s text - some are simply of “wording”, and others are significant (some articles are added and others deleted) - compared to the original text published in 2017 by the European Commission.

On 9/3/2021, the EDPB published its fourth statement, namely the “Statement 03/2021 on the ePrivacy Regulation” adopted on March 9, 2021 (EDPB - Statement 03/2021 on the ePrivacy Regulation).

First, it is relevant that the EDPB highlights the following:

the ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive but should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication.

Going into the details of the EDPB’s statement, we highlight the following points:

  1. Concerns regarding processing and retention of electronic communication data for the purposes of law enforcement and safeguarding national security;
  2. Confidentiality of electronic communications requires specific protection (Articles 6, 6a, 6b, 6c);
  3. The new Regulation must enforce the consent requirement for cookies and similar technologies, and offer service providers technical tools allowing them to easily obtain such consent (Article 8);
  4. Further processing for compatible purposes (Article 6c and Article 8(1)(g));
  5. Future role of supervisory authorities, the EDPB and cooperation mechanism (Articles 18 to 20).

On May 20, 2021, the negotiations between the European Commission, the European Parliament, and the Council of the European Union officially begin.

On November 4, 2021, a new text of the proposed regulation on “ePrivacy” is published (New version by the Council partially accessible to the public - 26.11.2021) from which it appears that the Slovenian Presidency of the Council of the EU had invited member states to provide their comments and observations on the proposed “ePrivacy” regulation." Some key points have yet to be discussed by the institutions involved in the negotiations. Even though that document appeared confidential, it was still published on the Internet by mistake.

It turns out that two other drafts were published on the Council of the European Union website in November 2021, namely:

  1. New version by the Council partially accessible to the public (26.11.2021)” dated 8/11/2021; and
  2. New version by the Council partially accessible to the public (30.11.2021)” of 12/11/2021.

It appears that within the negotiations, there was one meeting in November and another in December.

4. The current version and comparative analysis

After having exposed and commented on the chronology of the events that refer to the process of the proposal of regulation on “ePrivacy”, in this contribution we refer to the complete draft of 10/2/2021, although three other versions have followed, but not complete and therefore partially accessible to the public as published on the website of the Council of the European Union.

The draft to which we refer consists of 43 Whereases and 29 articles.

What does the proposed regulation on ePrivacy change from the current Directive 2002/58/EC?

Here are the salient points of the reform.

As we mentioned at the beginning of this contribution, the ePrivacy regulation - although it is complementary to the GDPR - applies not only to natural persons but also to legal persons. That is repeatedly stated in the Whereases and Article 1a (in the draft) entitled “Subject matter”.

4.2 Material scope of application

Article 2(1) describes the scope of the proposed regulation, namely:

  • the processing of the content of electronic communications and related metadata carried out in connection with the provision and use of electronic communications services;
  • the information on end-user terminal equipment;
  • the provision of a publicly available list of end-users of electronic communications services;
  • the sending of direct marketing communications to end-users.

Paragraph 2 also specifies what is excluded from its application by stating:

(a) activities, which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority;
(b) activities of the Member States which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
(c) electronic communications services which are not publicly available;
(d) activities, including data processing activities, of competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) electronic communications data processed after receipt by the end-user concerned.

4.3 Territorial scope of application

According to Article 3, the ePrivacy Regulation will apply subjectively to end-users located in the Union and objectively:1

  • (a) the provision of electronic communications services to end-users who are in the Union;
  • (aa) the processing of electronic communications content and of electronic communications metadata of end-users who are in the Union;
  • (b) - null -;
  • (c) the protection of terminal equipment information of end-users who are in the Union.
  • (cb) the offering of publicly available directories of end-users of electronic communications services who are in the Union;
  • (cc) the sending of direct marketing communications to end-users who are in the Union.

The last paragraph of Art. 3, namely 6, provides that the ePrivacy Regulation applies “to the processing of personal data by a provider not established in the Union, but in a place where Member State law applies by virtue of public international law.”.

The ratio of the European legislator is to offer protection and safeguards to those who are in the Union or in places where its rules apply.

4.4 Obligation to appoint a representative

As provided for in art. 27 of the GDPR, the “ePrivacy” regulation - again in art. 3 - states:

Where the provider of an electronic communications service, the provider of a publicly available directory, or a person using electronic communications services to send direct marketing communications, or a person using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment is not established in the Union it shall designate in writing, within one month from the start of its activities, a representative in the Union and communicate it to the competent Supervisory Authority.”.

All unless the activities are occasional and unlikely to pose a risk to the fundamental rights of end-users, given the nature, context, scope, and purpose of such activities.

The representative - who will be obliged to comply with the ePrivacy Regulation - will have to be established in one of the Member States in which the end-users are located.

4.5.The European Electronic Communications Code (EECC) and definitions.

The ePrivacy Regulation refers to the Electronic Communications Code, specifically Directive (EU) 2018/1972 of 11 December 2018.
In the opinion of the writer, some definitions leave room for doubt.
The proposed Regulation on “ePrivacy” expressly recalls the definitions established by the following normative texts:

  1. GDPR;
  2. Directive (EU) 2018/1972 of 11 December 2018 establishing the European Electronic Communications Code;
  3. Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets for telecommunications terminal equipment;
  4. Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and rules on information society services (codification).

In our perspective, among the above definitions, we cannot disregard those established by the Directive mentioned above (EU) 2018/1972, as recalled by the proposal, and mainly the following five:

  1. electronic communications network”;
  2. electronic communications service”;
  3. interpersonal communication service”;
  4. number-based interpersonal communication service”;
  5. number-independent interpersonal communication service”;

In particular, the definitions of “electronic communication service” and “number-independent interpersonal communication service” have attracted our attention, namely:

  • interpersonal communication service” is defined as follows:

‘interpersonal communications service’ means a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

  • the “number-independent interpersonal communication service” is defined as follow:

‘number-independent interpersonal communications service’ means an interpersonal communications service which does not connect with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which does not enable communication with a number or numbers in national or international numbering plans.

In the light of the above definitions, the question we have asked ourselves is: “What about communication services, generally open-source and provided free of charge to people?” By this question, we intend to refer to well-known resources on the net, among which we can mention architectures based on the open protocols of Matrix and XMPP.

It seems to us that that type of service is not covered.

Article 4a of the ePrivacy Regulation recalls the discipline of consent provided in the GDPR, adding that it will also apply “mutatis mutandis, to legal persons”.

Particularly interesting is what the following paragraphs of the same article establish concerning the manner of expressing consent.

It is specified that “where technically possible and feasible, for the purposes of point (b) of Article 8 (1), consent may be expressed by using the appropriate technical settings of a software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet.”.

It goes on to say that consent expressed in the above manner directly by an end-user “shall prevail over software settings” and shall be directly implemented without further delay.

If then, the provider will not be able to identify the data subject, “the technical protocol showing that consent was given from the terminal equipment shall be sufficient to demonstrate the consent of the end-user according2 Article 8 (1) (b).”.

As is the case with the GDPR, in the ePrivacy Regulation, consent may be withdrawn. There is a requirement to remind end-users to withdraw consent “at periodic intervals of no longer than 12 months, as long as processing continues, unless the end-user requests not to receive such reminders.”.

Regarding consent, there is a step forward from the GDPR, where the ePrivacy Regulation provides that consent (explicit, freely given, and not conditional) can be expressed by software. This clarification, which is not currently the subject of any regulation, goes in the direction of what in some ways already happens in practice when the user makes a choice through his device by clicking on an option or selecting it with a flag.

4.7 Nature of communications data.

Article 5 states that “Electronic communications data shall be confidential. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data, by anyone other than the end-users concerned, shall be prohibited, except when permitted by this Regulation.”.

Regulatory dignity is given to both the secrecy of electronic communications and the prohibition of interference of any kind.

4.8 Conditions for the Processing of Electronic Communication Data

Article 6 of the ePrivacy Regulation establishes when the processing of electronic communication data by providers of networks and services is permitted, defining four hypotheses of lawfulness, basically for technical and security reasons.

Furthermore, it is also stipulated that the processing of such data is only permitted for the duration necessary for the specified purpose(s) if it is not possible to use anonymized information.

4.9 Processing of the content of electronic communications and metadata

On these topics - as of now - there are three articles (6a, 6b, and 6c).

The processing of content of electronic communications (art. 6a) by electronic communications networks and services providers requires the data subject’s consent (user).

In addition, the last paragraph of Article 6a requires the provider of electronic communications networks and services to conduct an impact assessment according to Article 36 of the GDPR.

The ePrivacy Regulation introduces the discipline of metadata and defines in Article 4 as follows:

electronic communications metadata’ means data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.

The processing of metadata of electronic communications by providers of electronic communications networks and services is permitted only in six hypotheses outlined in the rule (6b), namely for technical needs, billing, detection or termination of fraudulent or abusive use of services, consent of the data subject, protection of vital interests of a natural person, and for location data for scientific or historical research or statistical purposes.

In the latter case (location data for scientific or historical research purposes or statistical purposes), certain conditions must be met, namely:

  • pseudonymization;
  • the processing could not be carried out by processing anonymized information;
  • the location data are not used to profile the user.

In addition, for the processing of metadata other than location data, when necessary for scientific or historical research or statistical purposes, it complies with Union or Member State law. It is subject to appropriate safeguards, including encryption and pseudonymization (the GDPR is recalled).

The text of the rule also specifies that it may also use metadata for the development, production, and dissemination of official national and European statistics.

Finally, there is a prohibition on sharing metadata with third parties unless it has been anonymized.

Article 6c sets out the criteria (five), the burden of which is on the provider of electronic communications networks and services, to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications metadata are initially collected.

The same article establishes additional safeguards for the processing of metadata.

4.10 Retention period for electronic communication data and metadata

The same criteria as in the GDPR are established; namely, data may be retained for the entire duration of processing or accounting and tax purposes by current regulations.

4.11 Protection of end-users’ terminal equipment information (cookies)

This subject is regulated by article 8 and constitutes one of the central parts of the new discipline.

The term “cookies” is mentioned several times in the Whereases. It is regulated, with a different terminological definition from cookies, in article 8.

In general, according to that provision, the use of the processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminals (cookies), including on software and hardware, outside the end-user concerned are prohibited, except for the following reasons:

  • (a) it is necessary for the sole purpose of providing an electronic communication service; or
  • (b) the end-user has given consent; or
  • (c) it is strictly necessary for providing a service specifically requested by the end- user; or
  • (d) if it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end- user, or by a third party, or by third parties jointly on behalf of or jointly with provider of the service requested provided that, where applicable, the conditions laid down in Articles 26 or 28 of Regulation (EU) 2016/679 are met; or
  • (da)3 it is necessary to maintain or restore the security of information society services or terminal equipment of the end-user, prevent fraud or prevent or detect technical faults for the duration necessary for that purpose; or
  • (e) it is necessary for a software update provided that:
    • (i) such update is necessary for security reasons and does not in any way change the privacy settings chosen by the end-user,
    • (ii) the end-user is informed in advance each time an update is being installed, and
    • (iii) the end-user is given the possibility to postpone or turn off the automatic installation of these updates; or
  • (f) it is necessary to locate terminal equipment when an end-user makes an emergency communication either to the single European emergency number ‘112’ or a national emergency number, in accordance with Article 13(3).
  • (g) where the processing for purpose other than that for which the information has been collected under this paragraph is not based on the end-user’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 11 the person using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications data are initially collected, take into account, inter alia:
    • (i) any link between the purposes for which the processing and storage capabilities have been used or the information have been collected and the purposes of the intended further processing;
    • (ii) the context in which the processing and storage capabilities have been used or the information have been collected, in particular regarding the relationship between end-users concerned and the provider;
    • (iii) the nature the processing and storage capabilities or of the collecting of information as well as the modalities of the intended further processing, in particular where such intended further processing could reveal categories of data, pursuant to Article 9 or 10 of Regulation (EU) 2016/679;
    • (iv) the possible consequences of the intended further processing for end-users;
    • (v) the existence of appropriate safeguards, such as encryption and pseudonymisation.
  • (h) Such further processing in accordance with paragraph 1 (g), if considered compatible, may only take place, provided that:
    • (i) the information is erased or made anonymous as soon as it is no longer needed to fulfil the purpose,
    • (ii) the processing is limited to information that is pseudonymised, and
    • (iii) the information is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.
  • (i) For the purposes of paragraph 1 (g) and (h), data shall not be shared with any third parties unless the conditions laid down in Article 28 of Regulation (EU) 2016/697 are met, or data is made anonymous.

Further clarification is contained on data processing recorded on the end user’s terminal equipment.

However, a clear and conspicuous notice informing at least about the manner of collection, its purpose, the person responsible, and other information required under Article 13 of the GDPR is necessary when personal data are collected.

In any case, the rule provides that the collection of such information is subject to appropriate technical and organizational measures according to Article 32 of the GDPR.

4.12 Chapter III on end-users’ rights to control electronic communications.

Chapter III is entirely subject to negotiations to identify a text shared by the three subjects of the trilogue.

Therefore, a final version will have to wait, as there are disagreements for Articles 12 through 16 (17 was deemed to be deleted).

4.13 The role of independent supervisory authorities

The ePrivacy Regulation in Chapter IV recalls the GDPR’s rules on data protection supervisory authorities, leaving the task of supervision to individual national authorities.

The EDPB will be tasked with helping to enforce the ePrivacy Regulation and Chapters I, II, and III.

4.14 Chapter V - Remedies, Liability, and Penalties

Chapter V, like Chapter III, is also the subject of negotiations. It will be necessary to wait for the final version agreed upon by the participants in the trilogue, given the current disagreement on the text of articles 21-24.

5. An overview of the whole text of the proposed regulation

Reading the full text of the current version of the proposed regulation on “ePrivacy” and comparing it with the version of 10/2/2021, we can see what changes and additions have been made.

In summary, the novelties concern interventions on the following parts:

  1. interventions on some of the 43 Whereases;
  2. the article on consent was originally number 9 and is now number 4a;
  3. article 6 has been deleted, and now there are three articles 6, namely 6a, 6b, and 6c;
  4. article 10 has been deleted, and the content has been revised, expanded, and inserted into other articles;
  5. article 17 was deleted;
  6. articles 12, 13, 14, 15, 16, 21, 23 and 26 are the subject of negotiations.

6. Key Points of the Proposed ePrivacy Regulation

To summarize, the key points of the proposed ePrivacy Regulation are as follows:

  1. It is a lex specialis for the GDPR;
  2. It complements the ecosystem of the Data Protection Regulation (among the texts we mention the Charter of Fundamental Rights of the European Union, the TFEU, the European Convention on Human Rights (ECHR), the 108+ Convention, Soft Law);
  3. Its legal basis is composed of:
  1. It has been considered part of the Digital Single Market Strategy (DSM Strategy);
  2. Applies to both physical persons and legal persons;
  3. Improves security and confidentiality of communications (including content and metadata, e.g., sender, time, location of a communication);
  4. Provides definitions of:
    a. electronic communications data;
    b. content of electronic communications;
    c. metadata of electronic communications
    d. electronic message;
  5. Regulates cookies that are repeatedly mentioned in the Whereases;
  6. regulates security aspects of electronic communications.

In conclusion, all that remains is to follow the negotiations and await their outcome, hoping to have a final version of the proposed regulation on “ePrivacy” shortly.

In any case, it is necessary to wait for a final version, given that the text under consideration will undoubtedly be subject to modification during the negotiations.

Considering what has already been done so far and the further activities that will be subject of the negotiations, we can assume that the final version can reasonably be published in 2023 and enter into force in 2025 (at a distance of two years, as it happened for the GDPR to allow knowledge and allow the necessary adaptation).

An Italian version will be shortly available.

Stay tuned!


  1. you see an ordered list with no sequential letters because it is still a draft. ↩︎

  2. It misses “to” in the official text ↩︎

  3. the ordered letter list is (da) because it is still a draft. ↩︎