The ePrivacy Regulation: update on legislation and outlook

30 October, 2018

Companies have incurred considerable costs as a result of the implementation of the EU’s General Data Protection Regulation (GDPR), which has been in force since May 2018. Under the EU’s legislative procedures, the Regulation is due to be followed by a second – large – regulatory text on privacy: the ePrivacy Regulation (ePR) that will supersede Directive 2002/58/EC (ePD). According to Art. 29 Section 2 of the Commission’s original proposal, the ePR was actually intended to become applicable at the same time as the GDPR, but this did not happen. The legal uncertainty over which regulations apply to them is causing companies considerable difficulties.

Update on legislative process


The ePR is currently the subject of intense discussion in the Council. This has re-ignited the prolonged debate in Brussels that preceded the GDPR’s own implementation. For many people, depending on their interpretation, the ePR is seen as an existential threat to the online advertising business, which has an annual global turnover of hundreds of billions of euros: The rules on consent and the use of tracking technologies, particularly third party cookies, are crucial for user- and behaviour-based advertising. The ePR is also expected to contain additional guidelines on direct advertising and the information that should be provided as well as the configuration options that must be available to the end user. Deliberations in the Council are dragging on; the latest surprise was the Council Draft of July 10th 2018 which stated that the requirement on privacy settings (Art. 10 of the Commission Draft) had been deleted and not replaced.

Impact after ePR enters into force

The ePR will be directly effective as soon as it comes into application without the need for national implementation laws. It repeals the ePD as well as any conflicting national regulations (those based on the ePD in particular). The ePD and ePR are lex specialis to the GDPR, meaning that they provide special privacy provisions on electronic communications data, which override the general rules of the GDPR. 

Second Data Protection Amendment and Implementation Act

German legislators are currently in the planning stages of the draft Second EU Data Protection Amendment and Implementation Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU, or DSAnpUG-EU) which is intended to bring clarity to the complex nexus of national legislation on data protection and the GDPR. The draft of the 2nd DSAnpUG-EU will apparently harmonise existing legislation on data protection with the GDPR and, where possible and desirable in the legislators’ view, use the opening clauses in the GDPR to implement specifically German regulatory approaches. However the current draft of the 2nd DSAnpUG-EU does not provide for any reform of the data protection provisions of the Telecommunications Act (Telekommunikationsgesetz, or TKG) or the Telemedia Act (Telemediengesetz, or TMG). So the uncertainties around the implementation of the ePD appear likely to remain until the ePR comes into force.

Summary and outlook

No agreement is likely in the Council under the Austrian presidency. And when it is finally reached, the Trilogue would have to convene. If we assume that approval would take as long after the Trilogue convenes as it did for the GDPR, the regulation is unlikely to come into force before 2020. And since a one-year transition period is contained both in the EU Parliament’s Opinion and the Council’s Draft Opinion, the most likely date for the ePR to come into force is 2021.

The confusion over the precedence of national or EU legislation on privacy legislation overall and in specific areas is causing considerable legal uncertainty for companies, particularly in relation to the use of cookies. They must assess on a case-by-case basis the extent to which national regulations are based on the current ePD and whether these regulations are pursuing the same aims as the GDPR, in which case the legislation intends them to remain applicable.

This article is part of the quarterly newsletter IT Security & Data Protection. Register here for free.

Contact us

Dr. Alexander Golland

Senior Consultant, PwC Germany

Tel: +49 211 981-2007

Dr. Jan-Peter Ohrtmann

Partner, PwC Germany

Tel: +49 211 981-2572