Client Alert Client Alert

Status update on the e-privacy regulation –The next key regulatory initiative after GDPR

The Regulation is part of the Digital Single Market strategy that aims "to open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy"1.

The e-Privacy Regulation is in connection with the data privacy requirements ensured by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), which aims to increase the level of personal data protection particularly in the electronic communications field.

Recently, rapporteur Lauristin prepared a Report on the e-Privacy Regulation proposal ("Report") that was voted and approved on 19 October 2017 by The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament.

The Report brings a series of amendments/completions to the e-Privacy Regulation proposal, aimed at aligning the requirements in the proposal with the provisions of the GDPR or to ensure an increased level of protection for personal data processed in the electronic communications field.

Among the changes proposed in the Report (Recital 15), is the reinforcement of the consent of all the parties to any electronic communication when it comes to the possibility of any interference to such communication, irrespective of any "human intervention or through the intermediation of automated" means. Also, the Report expressly mentions the "additional consent for any new processing operations", including in those cases where the initial interference was permitted by any exception provided under the law or for any personal data processing set forth in article 6 of GDPR.

Additionally, a new recital to the e-Privacy Regulation was proposed (no. 26 (a)), regarding the use of "end-to-end encryption". Such encryption should be used to ensure the "security and integrity of network and services", including for the encryption provider, in accordance with the "principles of security and privacy by design". However, such solutions should not weaken the security of the network or the services, "by creation or facilitation of backdoors".

Sweeping amendments were brought to Article 8 from the e-Privacy Regulation (regarding the protection of information stored in and related to users’ terminal equipment (Article 8)), which are deemed to increase the level of security for the information stored in such terminals and to enhance protection of data subjects’ rights in relation to the personal data stored on terminals.

In this context, the proposal provides for specific guidelines in case of employment relationships, establishing that "the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the user concerned shall be prohibited, except when such interference would be "strictly technically necessary for the execution of an employee’s task, where: (i) the employer provides and/or is the user of the terminal equipment; (ii) the employee is the user of the terminal equipment; and (iii) it is not further used for monitoring the employee".

Also, a reinforcement of the necessity to implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risks", in accordance with Article 32 of GDPR, is expressly provided for in the proposal for the new text of Article 8 paragraph 2 (b).

For details on the above, you may consult the full content of the Report at

Read the full text

Download PDF