The ePrivacy Regulation (also known as ePrivacy Regulation or ePVO) is intended to regulate the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services in the European Union. The ePVO is designed as a special law within EU data protection law. The legislative process for the ePVO has not yet been completed.
What is the ePrivacy Regulation?
The E-Privacy Regulation (Regulation on respect for privacy and protection of personal data in the electronic communications sector and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications)) is an EU regulation currently in the legislative process and stems from an initiative of the EU Commission in January 2017.
Once the legislative process has been completed and entered into force, the ePrivacy Regulation will replace the ePrivacy Directive, which was largely implemented in Germany in the Telecommunications Act (TKG) and Telemedia Act (TMG).
As an EU regulation, the ePrivacy Directive applies directly in every EU member state from the date specified in the regulation and does not require national implementation. Within the scope of the opening clauses, national adaptations are possible in individual areas.
The ePVO represents a special law to the General Data Protection Regulation (DSGVO / GDPR) and is intended to specify and supplement it with regard to electronic communication data that is to be classified as personal data. All issues relating to the processing of personal data that are not specifically regulated in the GDPR are covered by the GDPR.
Whether the provisions of the TMG relevant for tracking user activities on the Internet (tracking) will continue to apply in Germany until the GDPR applies, or whether until then the provisions for tracking are to be derived solely from the GDPR, is a matter of legal dispute.
Electronic communications and data stored in the terminal equipment
The ePVO is intended to close regulatory gaps and define new specifications, as the previous e-privacy directive has not fully kept pace with the development of technology and markets and the protection of privacy and confidentiality in the context of electronic communications is inconsistent or not effective enough.
As examples, the Commission’s draft ePrivacy Directive cites the entry into the market of electronic communications services that, from the consumer’s perspective, replace traditional services but are not subject to the same rules. Another such development is the emergence of new techniques for tracking end users’ online behavior that is not covered by the existing directive.
In particular, the ePrivacy Regulation is intended to apply to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services and to information relating to end users’ terminal equipment.
The GDPR is not intended to apply to electronic communications services that are not publicly available.
The ePrivacy Regulation establishes the confidentiality of electronic communications data and regulates the conditions under which the processing of electronic communications data by providers of electronic communications networks and providers of electronic communications services should be allowed.
It also contains requirements for the storage and deletion of electronic communications data and for the protection of information stored in or relating to end-users’ terminal equipment, for legally valid consent to the processing, and for the information to be provided and privacy settings for electronic communications.
It also covers telecommunication requirements such as caller and recipient identification, caller blocking and exceptions, incoming call barring, publicly available directories (public directories of end-users of electronic communications services in printed or electronic form and directory inquiry services), unsolicited communications, and direct marketing of electronic communications services to end-users, and information requirements on identified security risks.
Finally, the tasks of the supervisory authorities and the possibilities for sanctions are described.
Status of the legislation
Originally, the GDPR was to be applied simultaneously with the GDPR on May 25, 2018. The legislative process has been delayed. Individual member states have expressed requests for changes, as have numerous trade associations. The ePVO is not expected to enter into force before the end of 2018.