Article 29 Data Protection Working Party publishes Opinion on European Commission’s evaluation and review of the e-Privacy Directive (2002/58/EC).



The Working Party says that it supports the Commission’s recognition of the need to have specific rules for electronic communications in the EU.  The new legal instrument must also “supplement and complement the obligations of the GDPR” in order to “specifically protect the security of electronic communications”.

The Working Party notes that the rules in the GDPR are always applicable to the processing of personal data, regardless of the nature of the data or the service provider(s).  However, under Article 95, the GDPR may not “impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC”.  The purpose of this provision, the Working Party says, is to ensure that the GDPR does not apply in cases where the e-Privacy Directive contains specific obligations with the same objective.  However, in all other cases, the GDPR should apply.

The current e-Privacy Directive already sets a high level of protection, the Working Party says, by requiring the prior consent of users before the collection of content from communications, traffic or location data, except in a limited number of cases.  This consent requirement thus limits the legal grounds in the GDPR that can be used to justify the collection of personal data.

In order to ensure consistency with Article 95 of the GDPR, the new e-Privacy instrument should at least maintain and reinforce its current principles to guarantee the confidentiality of electronic communications.  It should be clear that the consent requirement prevails over the other legal grounds (such as the legitimate interest of the data controller) set out in Article 6 of the GDPR.  Therefore, under the renewed e-Privacy instrument, service providers should only process information when legislation permits it or when the recipient of the service has given his prior consent.

New e-Privacy legislation should also provide additional rules to protect the security of electronic communications, the Working Party says.  This includes data generated by electronic communications networks or systems that are not, or are no longer, personal data, and data processed by parties that cannot be considered data controllers or data processors.

Further, the Working Party says, since traffic, communication and location data are in most cases personal data, some overlap between the e-Privacy instrument and the GDPR is inevitable.  In such cases, the Commission must ensure that, besides a high level of confidentiality, the level of personal data protection in the GDPR is not undermined.  The revised e-Privacy instrument should “keep the substance of existing provisions, but make them more effective and workable in practice, by extending the scope of the rules on geolocation and traffic data to all parties, while simultaneously introducing more precisely defined conditions that take the intrusiveness of the processing of communication data to the private life of users thoroughly into account”.

The Working Party notes that the scope of the current e-Privacy Directive is mostly limited to traditional electronic communication services (such as internet service providers and telcos).  Many of its provisions do not apply, for example, to Internet telephony (VoIP) or e-mail and instant messaging providers.  The new legal instrument should, it says, seek to protect the confidentiality of “functionally equivalent electronic communication services” (such as WhatsApp, Google GMail, Skype and Facebook Messenger), especially when it concerns messages exchanged by and between individuals and private user groups.

Finally, the Commission should, the Working Party says, aim to create a consistent legal regime across the EU, to ensure a level playing field for all.  Provided the revised e-Privacy instrument is “clear and unambiguous” in its definitions and requirements, this aim could be met by either a Regulation or a Directive, as long as Member States have “very little margin of discretion” in developing national legislation.