The European Parliament has approved the latest draft of the European ePrivacy Regulation, which will update rules on the confidentiality of electronic communications and how organisations can track and contact people via digital channels.


The European Parliament met at the end of October and narrowly approved the draft regulation. This includes the requirement for organisations to gain explicit consent to use cookies and provide clear opt-outs to users. The law will replace the existing e-Privacy Directive, and will align with the GDPR when it comes into effect next May across Europe.


Key amendments


The approved draft includes a number of amendments to the previous version and clarifies the regulation’s scope in covering the different techniques used for direct marketing. This is now defined in the amended version as ‘any form of advertising, whether in written, audio, video, oral or any other format, sent, broadcast, served or presented to one or more identified or identifiable end-users of electronic communications services’. It also clarifies the need for prior consent to contact people with unsolicited communications for direct marketing purposes.


While the text proposed by the Commission read, at recital 4: ‘Electronic communications data may include personal data as defined in Regulation (EU) 2016/679’, the amended version states that all electronic communications data will generally be labelled as personal data, now reading: ‘Electronic communications data are generally personal data as defined in Regulation (EU) 2016/679’.


On the processing of communications data, the new version is also amended to state that any further processing of metadata for any purposes other than those for which it was initially collected should only be allowed where this new processing is compatible with the initial purpose for which consent was obtained. It is also subject to specific safeguards, especially pseudonymisation.


The latest draft of the regulation also adds in a new paragraph in Article 6 of the regulation, stating that electronic communications data may be processed ‘solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users’.


The MEPs also voted in favour of the Commission’s proposal to extend the new regulation to include digital services provided by newer players such as WhatsApp, Facebook Messenger and Skype. As a result, the new rules will apply not only to SMS and telephone services but also to internet-enabled services. The proposed regulation also bans any unsolicited electronic communications by emails, SMS and automated calling machines.