The Federal Commissioner for Data Protection and Freedom of Information

Navigation and service

E-Privacy Regulation

The E-Privacy Regulation focuses on regulating the confidentiality of communications (secrecy of telecommunications), the processing of communication data (previously traffic data) and the storage and reading of information on terminal equipment (e.g. cookies). This regulation is also intended to regulate the protection of privacy in connection with the display of telephone numbers and end-user directories, direct marketing by electronic communication and supervision. The controversial legislative process, which has been going on for more than four years, is now entering the final round.

blue glowing lock and next to it are digital lines
Source: Andriy Onufriyenko via Getty Images

The European legislator has decided to replace the Data Protection Directive for Electronic Communications (so-called E-Privacy Directive) with an e-Privacy Regulation. After the German legislator recently implemented on 1st December 2021 the European requirements from the E-Privacy Directive into German law by means of the amended Telecommunications Act (TKG) and the Telecommunications Telemedia Data Protection Act (TTDSG), the future E-Privacy Regulation will apply directly in the Member States.

The Regulation aims at approximating the rules on electronic communications to the General Data Protection Regulation (GDPR), without exceeding the provisions of the GDPR. As already regulated in the Electronic Communications Code (Directive (EU) 2018/1972) and in the amended TKG as of 1st December 2021 in Germany, one of the Regulation’s major objectives is the extension of the data protection rules to so-called over-the-top (OTT) communication services. These include, for example, Voice over IP (VoIP) services such as WhatsApp and Skype, which in their function correspond to the “classic” voice telephony and SMS services. The BfDI welcomes the inclusion of these services in the new Regulation because this guarantees confidentiality of communication also for OTT services which by now constitute the major part of daily communications. The Regulation is also intended to regulate in greater detail the setting and use of cookies on websites and the tracking of users.

At the beginning of the legislative process, it was envisaged that the e-Privacy Regulation would enter into force with the GDPR on 25 May 2018. The European Commission presented a draft e-Privacy Regulation on 10 January 2017 and the European Parliament’s lead LIBE Committee adopted its position on the proposed Regulation on 26 October 2017. However, negotiations in the Council of the EU have not progressed decisively since mid-January 2017. Even under the German Presidency, no agreement was reached in the Council in the second half of 2020. However, the positions of the Council and Parliament differ widely, so that in the year 2021 it has only been possible to achieve little progress concerning detailed regulations. Since then, unfortunately, very little has happened. At the moment it is unclear when the Regulation can be expected to be passed. According to current plans, there will be a 24-month transition period after the Regulation comes into force before it can be applied.

The BfDI had initially successfully campaigned against the Federal Ministry for Economic Affairs and Climate Action to ensure that regulations on data retention and on the further processing of communication metadata other than for the intended purpose and without the end-users’ consent were deleted in the Draft Regulation. Unfortunately, both points were reintroduced in the text of the Regulation under the Portuguese Presidency and adopted by the Council on 10 February 2021. The BfDI’s concerns about the general reduction of the level of data protection remained unheeded. The same was true for his request to entrust in an obligatory manner the data protection authorities with the data protection supervision on compliance with the e-Privacy Regulation, which is in accordance with the Commission’s draft. Thus, in some Member States, there is a risk of fragmentation of the supervisory landscape and of additional, unnecessarily complex coordination mechanisms between the various supervisory authorities in the European Data Protection Board (EDPB). This will make it more difficult to enforce data subjects’ rights.

The BfDI now hopes that the draft regulation will finally make further progress and the European Parliament will be able to push in the trialogue negotiations for deleting the regulations introduced by the Council again, which are hostile to data protection, or at least for making them more data protection friendly. He will continue to advocate this objective in the context of his participation in the respective votes on the German position within the Council of the EU.