On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for a new E-Privacy Regulation (“EPR”).  The IAI study is critical of the Commission’s impact assessment, and – by extension – the Commission’s case for the new EPR itself.

Background on the Impact Assessment and EPR

The EPR is the Commission’s proposed update to the existing EU E-Privacy Directive, and is intended to complement the EU’s broader data protection regime (as set out in the General Data Protection Regulation, “GDPR”).  The EPR would introduce a number of rules, including a provision protecting the confidentiality of communications that would regulate traditional telecoms services, and new “over-the-top” (“OTT”) services such as VoIP, web email, and instant messaging, among others.  The Commission EPR proposal is currently progressing through the legislative process in both the European Parliament and Council.

When formulating new proposals for regulations such as the EPR, the Commission prepares impact assessments in accordance with the Better Regulation Guidelines (detailed guidance intended to improve the quality of the Commission’s law-making).  The Commission duly prepared an impact assessment for the EPR, which was published alongside the text of the EPR legislative proposal on January 10, 2017 (the “Impact Assessment”).

On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future.  These initiatives comprise the following:

  • A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation);
  • A Communication on “Building a European Data Economy” (see our post here); and
  • A Communication on exchanging and protecting personal data in a globalized world (see our post here).

(There is also a proposal for a Regulation on data protection rules applying to European institutions which InsidePrivacy is not reporting on.)

This post summarizes the proposal for an E-Privacy Regulation.


The existing E-Privacy Directive 2002/58/EC sets out specific privacy-related rules for telecommunications, marketing, and digital services that “particularise and complement” those in the Data Protection Directive.  However, following the enactment of the General Data Protection Regulation (GDPR), there has been a need to update the E-Privacy Directive. From April to June 2016, the Commission consulted on reform of the E-Privacy Directive and, in August 2016, the Commission published a summary report on the results of that consultation.

The proposed E-Privacy Regulation includes significant changes to the current framework that, if enacted in its current form, would impact a wide range of companies that operate online.  Among other things, the draft introduces new rules in relation to traffic and location data, modifies the controversial “cookie” rule, and aligns fines for breach of the proposed Regulation with the GDPR – meaning a maximum fine of up to 4% of annual worldwide turnover for certain breaches.