IDC Names Securiti a Worldwide Leader in Data Privacy


The New EU e-Privacy Regulation Draft

By Securiti Research Team
Published January 25, 2021 / Updated September 26, 2023

On January 5, 2021, the Council of the European Union under the Portuguese Presidency released the new draft, draft 14th of the e-Privacy Regulation which is meant to replace the e-Privacy Directive. The latest draft of the e-Privacy Regulation attempts to align with the European Union’s General Data Protection Regulation (GDPR) and applies to both current and future means of communications, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media. This article aims to provide an overview of the new draft of the e-Privacy Regulation, highlighting its key principles.

The e-Privacy Regulation regulates the processing of electronic communications data including the electronic communications content and electronic communications metadata in connection with the provision and the use of publicly available electronic communications services in the European Union, irrespective of the technologies used.

Electronic Communications Data

Electronic Communications Content Electronic Communications Metadata
The content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound. Data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content, including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.


The underlying theme of the e-Privacy Regulation is that the electronic communications data shall always be held confidential keeping in consideration an individual’s fundamental right to data privacy. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data by anyone other than the end-users concerned is permitted only in limited circumstances:

  • where it is necessary to provide an electronic communications service,
  • where it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors and/or security risks and/or attacks in the transmission of electronic communications,
  • where it is necessary to detect or prevent security risks or attacks on terminal equipment of end-users,
  • where it is necessary for compliance with a legal obligation to which the electronic communications service provider is subject.


Processing of Electronic Communications Content:

Providers of electronic communications networks and services can process electronic communications content in any of the following circumstances:

  • for the purpose of the provision of a service requested by an end-user for purely individual use if the requesting end-user has given consent and where such requested processing does not adversely affect fundamental rights and interests of another person concerned,
  • if all end-users concerned have given their consent to the processing for one or more specified purposes.


Processing of Electronic Communications Metadata:

Providers of electronic communications networks and services can process electronic communications metadata in any of the following circumstances:

  • if it is necessary for the purposes of network management or network optimisation or to meet the technical quality of service requirements,
  • if it is necessary for the performance of an electronic communications service contract to which the end-user is a party,
  • if the end-user has given consent to the processing for one or more specified purposes
  • if it is necessary to protect the vital interest of a natural person,
  • if it is necessary for statistical purposes of electronic communications metadata or other than based on electronic communications metadata that constitute location data or for scientific research purposes, provided certain conditions are met.

Where the processing of electronic communications metadata is done for scientific research or statistical purposes, end-users should be given the right to object to such processing. Moreover, such processing should only result in aggregated data and such data should not be used for any other purpose such as profiling or drawing conclusions concerning the private life of an end-user.


Processing and storage capabilities from end-user’s terminal equipment:

End-user’s consent is required prior to the processing and storage capabilities and the collection of information from the terminal equipment. This means that the user’s consent must be obtained before processing cookies or other tracking technologies.

However, consent is not required where the processing is necessary and proportionate for the purpose of carrying out the transmission of electronic communication over an electronic communication network or for the provision of the service specifically requested by the end-user. For example, consent is not required for cookies stored for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages, authentication session cookies that are used to verify the identity of end-users engaged in online transactions, and cookies that are used to remember items selected by the end-user and placed in the shopping basket.

To enable the data subject to provide consent via transparent and user-friendly mechanisms, the e-Privacy Regulation encourages service providers to implement suitable technical means in electronic communications software. One way of ensuring that valid consent has been obtained from the end-user is by offering him/her a genuine choice between a service that includes consenting to the use of data being processed for additional purposes on the one hand, and an equivalent service offered by the same data controller that does not involve consenting to data use for additional purposes, on the other hand. In such a case, both the services offered to the data subject should be genuinely equivalent.

Rules governing direct marketing communications:

Direct marketing communications refers to any form of advertising sent by a natural or legal person directly to one or more specific end-users using publicly available electronic communications services. It is allowed only with the consent of the concerned end-user. Besides, end-users should be provided the right to object at the time of collection of their contact details and they should be able to withdraw their consent at any time, free-of-charge, in an easy and effective manner.


Key Changes in the new draft of the e-Privacy Regulation

Some of the notable changes introduced in the new draft of the e-Privacy Regulation from previous versions are set out below:

Widening the territorial scope The new draft clarifies that the e-Privacy Regulation applies to data controllers that are not established in the EEA but are established in a place where member state law applies by virtue of public international law.
Definition of Location Data The new draft introduces the definition of location data. According to which, location data means data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.
Processing for purposes compatible with initial purposes The new draft allows the processing of electronic communications data including electronic communications metadata for purposes compatible with the initial purpose for which the data was collected.
Processing for the performance of a contract The new draft reaffirms the GDPR’s standard for the “performance of a contract” as one of the lawful basis of data processing. Accordingly, service providers can process electronic communications data where it is necessary for the provision of an electronic communications service based on a contract with the end-user.
Requirement of a Data Protection Impact Assessment The new draft requires service providers that share anonymized statistical metadata to conduct a data protection impact assessment (DPIA), consult the supervisory authority as the case may be, and inform the concerned data subjects of the envisaged processing operations. This should take place in accordance with Articles 35 and 36 of the GDPR even though the GDPR does not consider anonymized data as personal data. Moreover, where the processing of electronic communications metadata is likely to result in a high risk to the rights and freedoms of natural persons or using new technologies, service providers must conduct a DPIA and consult the supervisory authority as the case may be, prior to such processing.
Clarification on consent Consent that is directly given by an end-user to a service always prevails over software settings which must be updated and implemented without further delay.


How Securiti can help?

The e-Privacy Regulation once made into law, will have potentially significant effects on organizations especially those that use metadata or tracking tools to monitor online behavior. By aligning with the principles of the GDPR, the e-Privacy Regulation aims to create more uniformity and certainty for organizations as to what compliance actions need to be taken.

Failing to comply with the provisions of the e-Privacy Regulation may lead organizations to pay administrative fines up to 20 million euros or four percent of the company’s total worldwide annual revenue, whichever is greater. Considering such exorbitant fines, it is highly important for organizations to proactively manage electronic communications data as per the applicable requirements.

Read The e-Privacy Directive and the e-Privacy Regulation - What to Expect and learn how e-Privacy Regulation will change the e-Privacy Directive.

Securiti with its PrivacyOps methodology and automation enables organizations to discover data over a web of internal and external systems, stitch a data graph to link personal data with each individual, conduct an automated internal assessment of policies and third-party vendors, and effectively manage consent, revocation of consent, and consent in relation to cookies and other tracking technologies.

Ask for DEMO today to understand how Securiti can help you prepare for compliance with the upcoming e-Privacy Regulation as well as comply with GDPR, e-Privacy Directive, and a whole host of global privacy regulations, with ease.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend