Giulia Checcacci

Information Privacy Law

Professor Ira Rubinstein

March 6, 2017

The European Commission proposes a new set of rules for protecting all electronic communications

On January 10, 2017, the Commission of the European Union presented a proposal for a regulation concerning the protection of personal data in all electronic communications. The new rules are in line with the latest European legislation adopted within the Digital Market Strategy to increase security and confidence in digital services.

As clarified in the explanatory memorandum, the proposal aims to complement the General Data Protection Regulation (Regulation EU 2016/679) with specific regard to electronic communications, such as e-mails or instant messaging. In fact, these services are generally not subject to the current Union legal framework on electronic communications, including the ePrivacy Directive (Directive 2002/58/EC).

The Proposal provides for the protection of both data and metadata (e.g. location), requiring their anonymization and deletion if end-users have not given their consent and as soon as their collection is no longer necessary. In this way the Commission wants to ensure the confidentiality of all electronic communications.

The main innovations, though, concern cookies and spam.

As for cookies, the proposal simplifies the way the user can give his consent to the tracking of cookies and other identifiers. Instead of requiring consent for every website visited, as is now the case under the current ePrivacy Directive, the user will be able to set the privacy settings of his browser in order to accept (or refuse) the tracking of cookies once and for all. This consent rule, though, does not apply to all types of cookies. Non-privacy-intrusive cookies (e.g. cookies to count the number of visitors to the website) or the ones necessary to provide information or a service requested by the user (e.g. cookies that allow the website to remember the shopping cart history) do not require consent anymore.

Moreover, the Proposal forbids any type of unsolicited electronic communication. Number-based interpersonal communications services providers should give users the possibility to easily block marketing calls. The proposed rules also ban anonymous marketing calls, requiring marketers to show their numbers or to use a special prefix for marketing calls (articles 12-14). Stricter requirements are also set for e-mail. In particular, electronic contact details can be used for marketing purposes only if customers have been given the possibility, easily and free of charge, to refuse such use (articles 15-16).

The Regulation will have to be fully aligned with the General Data Protection Regulation. The choice of using regulations rather than directives, which are not directly applicable, will lower the risk of dissimilarities in the application of the legislation in the Member States. This proposal seems to confirm the main goal of the European legislator: the creation of an increasingly uniform system of rules for the protection of privacy rights.

While the scope of the current ePrivacy Directive is limited to traditional telecoms companies, the proposed Regulation should apply to all providers of electronic communications, including WhatsApp, Facebook, Skype and Gmail.

However, the Proposal has been criticized by ETNO (European Telecommunications Network Operators) and GSMA (a trade association that represents the interests of mobile operators worldwide). Their main concern is that the new rules, combined with the General Data Protection Regulation, could result in a “double regime with blurred boundaries”, impairing their ability to carry out big data analytics in the interest of customers or to provide mapping services that compete with those already provided by other players.

The Regulation should apply from 25 May 2018. However, we need to wait to see whether the Regulation will be adopted and, if so, whether it will embed all the requirements included in the proposal or whether there will be some changes.


Related documents

  1. Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications
  2. General Data Protection Regulation
  3. ePrivacy Directive