ePrivacy Regulation: new study for possible changes to EC Proposal

Brussels, 21 March 2018 – On January 10th, 2017, the European Commission published its proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation, hereinafter “ePR” or “Proposal”)[1] which, once approved, will repeal and replace the current Directive 2002/58/EC (the so-called “ePrivacy Directive”).

One of the biggest changes introduced by the Proposal is to extend the scope of application of the ePrivacy Directive to so-called “Over-The-Top” service providers (hereinafter, “OTTs”). Considering the evolution of digital communications services, the European Commission wants to harmonize the regulation of these services with the regulation initially reserved to “traditional” communications services.

The first part of the IIP’s study takes into consideration Art. 2(4) of the Proposed European Electronic Communications Code (hereinafter, the “EECC”) that includes a definition of “electronic communications service”.[2] OTTs offer communications services based on the use of the Internet, though with no ownership of the communication infrastructures. OTTs provide applications and content directly to end-users using the so-called Internet Protocols and the connection supplied by the traditional operators.

➢ The Proposal seems to overlap the legal framework introduced by the GDPR and the lex specialis for the electronic communications sector extended to OTTs. It ends up creating some unjustified differences and “multiple layers” in the regulation of personal data processing. In the Authors’ view, the current formulation of the Proposal does not effectively identify and resolve the complexities deriving from the nature of OTT services, which end up being subject to rules that are not consistent with the provisions and objectives of the GDPR and assimilated to electronic communications services whose definition is now obsolete in light of the innovations introduced by Internet-based services.

The second part of this study aims to highlight the centrality of electronic communications services in the digital economy and society, and in the broader process of digital innovation with regard to the data associated with them (content and metadata). The provision of digital services is increasingly characterized by the processing of data, of which (electronic) communication is only an example. This could raise, among other issues, the question of the possible “legitimate interest” of the data controller as a legitimate basis of processing. It seems appropriate, in the Authors’ opinion, to take into account the survival needs of digital service providers without triggering risks for the users concerned. Indeed, in an economy in which digital services are based on the availability of data, including personal information, the stipulation of a preventive consent mechanism for the processing of such data (opt-in) appears to be less and less relevant and likely to alter the normal functioning of the market. This requires a new vision of the balancing of interests that can take into account the needs for financial stability of digital service providers, elevating them to the rank of “legitimate interest”.

➢ While the objective of the Proposal to protect the confidentiality of electronic communications remains desirable and necessary, it appears problematic that the legal basis for the processing of electronic communications data is only based (except for rare exceptions under Art. 6 of the ePR) on the consent of the user to whom the service is provided. In this sense, if the extension of the ePrivacy regulation to OTTs is maintained, it would be advisable to consider an extension of the legal bases for the processing of electronic communications data by these and other suppliers, as already provided for by Art. 6(1) and (4) of the GDPR. For instance, a user's request for the service should lead to his/her consent to the processing of data being considered implicit, if this processing constitutes an inseparable component of such service. From this point of view, the dynamics of the digital economy (multi-sided markets and remuneration of providers, functionality of processing for the core activities of companies) lead to a reflection on the balancing of markets and data protection. Otherwise, the risk would be that of a reduction in Internet services or the introduction of paid solutions for Internet users. With regard to this last aspect, it would be useful to question the repercussions of a decision by search engines and social networks to establish prices for access to their services.

The complete Study is available here:


[1] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Brussels, January 10, 2017, COM(2017) 10 final, in https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

[2] Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (recast), COM/2016/0590 final – 2016/0288 (COD), http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=comnat:COM_2016_0590_FIN