The European ePrivacy Regulation



What is the European ePrivacy Regulation?

The European ePrivacy Regulation is an important amendment to the existing ePrivacy directive of 2002. The amendment is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behaviour.

The European ePrivacy Regulation is “lex specialis” to the General Data Protection Regulation (GDPR). Lex specialis is a Latin phrase that means “law governing a specific matter”. The EU accepts the legal doctrine “lex specialis derogat legi generali” (a special law overrides laws that govern general matters).

According to Article 1, Subject matter, the regulation lays down rules regarding the protection of fundamental rights and freedoms of natural persons in the provision and use of electronic communications services, and in particular, the rights to respect for private life and communications and the protection of natural persons with regard to the processing of personal data.

This Regulation also lays down rules regarding the protection of the fundamental rights and freedoms of legal persons in the provision and use of the electronic communications services, and in particular their rights to respect of communications.

According to Article 2, Material Scope, this Regulation applies to:

(a) the processing of electronic communications content and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;

(b) end-users' terminal equipment information;

(c) the offering of a publicly available directory of end-users of electronic communications services;

(d) the sending of direct marketing communications to end-users.

11 February 2025 - The European Commission Withdraws the ePrivacy Regulation.

On February 11, 2025, the European Commission disclosed in the "2025 Work Programme" that it will withdraw the proposal for a new ePrivacy Regulation (replacing the current ePrivacy Directive).

The current ePrivacy Directive and its national transposition laws will remain in force.

Which is the reason?

"No foreseeable agreement – no agreement is expected from the colegislators. Furthermore, the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape."

Page 27 / 29, 11 February 2025 - The European Commission Withdraws the ePrivacy Regulation.



13 November 2025 - Court of Justice of the European Union (CJEU) judgment of 13 November 2025, and its significance for the interpretation of the ePrivacy Directive

The Court of Justice of the European Union (CJEU), in its judgment of November 13, 2025 (C-654/23), clarified that an offer of a free user account may amount to a sale of a service under Article 13(2) of the ePrivacy Directive if specific conditions are met.

The decision broadens the soft opt-in exception under ePrivacy directive. It clarifies that even free user accounts (freemium models) can count as a sale of a service for purposes of Article 13(2) of the ePrivacy Directive, provided the free access is part of a business model that leads to a paid service.

That means marketers and digital service providers can potentially send direct marketing emails (promoting similar products or services to those already used) without prior explicit opt in consent, if they satisfy the conditions of Article 13(2):

- The email address must have been obtained in the context of a sale of a service (or product).

- The recipient must be a customer (there is a relationship).

- The marketing must concern the controller’s own similar products or services.

At the time the email address was collected the user must have been given a clear and free opportunity to object (opt-out) the use of their email for direct marketing. Each subsequent message must also clearly allow the user to opt out.

This court decision underscores that the ePrivacy Directive remains the key regime for direct marketing by email. The GDPR is not the default basis once the ePrivacy directive applies. Compliance programs should integrate ePrivacy requirements rather than rely solely on GDPR consent.

The ePrivacy Directive is a lex specialis to the GDPR.

In EU law, a lex specialis is a more specific rule that takes precedence over a more general rule when both apply to the same subject matter.

The ePrivacy Directive (Directive 2002/58/EC) regulates specific situations involving electronic communications networks and services, confidentiality of communications, tracking technologies (cookies), and unsolicited communications (direct marketing by email, SMS, automated calls).

The GDPR (Regulation 2016/679) governs personal data processing across all sectors and contexts. Its scope is broad and horizontal.

Why ePrivacy is lex specialis? Article 95 GDPR explicitly establishes the relationship: "This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC."

The GDPR does not impose additional obligations where processing is already subject to specific obligations set out in the ePrivacy Directive and have the same objective.

Court of Justice of the European Union (CJEU), November 13, 2025 (C-654/23)

10 February 2021 - Council agrees its position on ePrivacy rules.

EU Member States agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. These updated ‘ePrivacy’ rules will define cases in which service providers are allowed to process electronic communications data, or have access to data stored on end-users’ devices.

Next step: Talks with the European Parliament on the final text.

Under the Council mandate, the regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication. Metadata includes, for example, information on location and the time and recipient of communication. It is considered potentially as sensitive as the content.

To ensure full protection of privacy rights and to promote a trusted and secure Internet of Things, the rules will also cover machine-to-machine data transmitted via a public network.

The rules will apply when end-users are in the EU. This also covers cases where the processing takes place outside the EU or the service provider is established or located outside the EU.

As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy regulation.

Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.

Metadata may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.

In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.

As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.

The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.

To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.

The text also includes rules on line identification, public directories, and unsolicited and direct marketing.

The regulation would enter into force 20 days after its publication in the EU Official Journal, and would start to apply two years later.


Understanding the European ePrivacy Regulation.

The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment.

Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.

Regulation (EU) 2016/679 regulates the protection of personal data. This Regulation protects in addition the respect for private life and communications. The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679.

The provisions particularise Regulation (EU) 2016/679 as regards personal data by translating its principles into specific rules. If no specific rules are established in this Regulation, Regulation (EU) 2016/679 should apply to any processing of data that qualify as personal data. The provisions complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679, such as the protection of the rights of end-users who are legal persons.

In all the circumstances where electronic communication is taking place between a finite, that is to say not potentially unlimited, number of end-users which is determined by the sender of the communications, (e.g. any messaging application allowing two or more people to connect and communicate), such services constitute interpersonal communications services.

Conversely, a communications channel does not constitute an interpersonal communications service when it does not enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s).

This is for example the case when the entity providing the communications channel is at the same time a communicating party, such as a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question.

Also, where access to an electronic communications is available for anyone, e.g. communications in an electronic communications channel in online games which is open to all persons playing the game, such channel does not constitute an interpersonal communications feature. This reflects the end-users' expectations regarding the confidentiality of a service.

Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication.

Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation.

Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.

Electronic communications data should be treated as confidential. This means that any interference of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the communicating parties should be prohibited.

Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned.

George Lekatis

This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.

Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.

Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.

Cyber Risk GmbH, some of our clients