Privacy 'over the horizon'

ePrivacy - decision makers - european court of justice - privacy future

Privacy 'over the horizon'

The 60-second ‘intro/primer’

The ePrivacy Regulation is the EU-wide replacement legislation for the Directive on Privacy and Electronic Communications (DPEC 2002/58/EC), which is considered no longer fit-for-purpose (digital and social media has ‘moved on’ in the last sixteen years!).

It’s intended to ‘sit’ alongside the GDPR, protecting people’s use of ‘electronic communications services’ and ‘interpersonal communications’ services such as Facebook, Google and mobile and fixed telephony (European Commision, 2016). Crucially, the law recognises that electronic communications consist of BOTH content and metadata. More on this below.

The new Regulation is currently in draft and struggling to make progress through the EU ‘trilogue’ process which will eventually ratify the new law. Numerous amendments have been suggested, the latest from the Bulgarian EU Parliament Presidency.

As a marketer, it will be a crucial piece of legislation affecting strategic and tactical thinking on many of the channels in common use i.e. email, telephone and programmatic marketing and some more emerging channels e.g. In-App marketing.

Perhaps the biggest challenge we have is redressing the balance between privacy and AdTech. The ‘revelations’ surrounding the use of data by Facebook and Cambridge Analytica (Information Commissioner, 2018) have helped to fuel/inform the debate on what it means to keep electronic communications data and content private and not assume it’s ‘fair game’ for the marketer.

CMOs, WebDev teams, and Digital Marketing would be advised to keep a close watch on the evolution of this legislation and guidance from Regulators.

The details

The current legal position (as of publication of this article) requires the data controller to consider the application of both GDPR and the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications or DPEC). The future legal position will require the consideration of GDPR and ePrivacy Regulation (and any UK post-Brexit legislation).

There is no proposed date for entry in to force for the ePrivacy Regulation. Best estimates indicate it could be as late as 2021 given the probability of a two-year transition period once the final text is approved. To stay ‘in-the-loop’ it’s best to get an understanding of who the key players are.

Key Players: Who to follow


Figure 1: The EU institutions

Broadly, the Commission presents a proposal to Parliament and the Council. Following its first reading the Parliament may propose amendments. If the Council accepts these amendments, then the legislation is approved.


The EU Parliament has twenty-five committees; importantly the ePrivacy Regulation was ‘given’ to the Civil Liberties, Justice and Home Affairs (LIBE) committee. The rapporteur for this committee is Birgit Sippel, @BirgitSipelMEP.

The Council of the European Union (the Council) is composed of twenty-eight national ministers (one per state) and has a six-month rotating country-based presidency. Three countries ‘club together’ to form a trio which work closely on the development of EU legislation. The current trio includes Estonia, Bulgaria and Austria. Austria has the current presidency (July -December 2018) and we have had ePrivacy Regulation amendments from the Bulgarian presidency. It’s worth noting that the Austrian presidency programme is focused on asylum and migration issues, not the digital single market.

The Council is a single entity, but it is in practice divided into several different council configurations or (con)formations. The Transport, Telco and Energy (TTE) Conformation is responsible for ePrivacy Regulation.

Staying up-to-date is therefore about following the machinations of the LIBE Committee, its rapporteurs, and the TTE.

Common Marketing scenarios; what can marketers expect

How could ePrivacy Regulation impact my marketing campaigns?

Telephone Marketing

In short there’s not a lot of change in the draft, particularly if member states (and the UK) use their derogations or opportunities in law to opt-out of certain provisions. The headlines are;

  1. Calling party to provide CLI information for the called party to contact and object,
  2. Possibility of having to present specific codes/prefixes. This could be a big one if telephone systems must change, and
  3. Right to object shall be clear, easy, free of charge AND presented at the point of collection.

Email Marketing

The (potential) big change here is in the UK’s position on B2B marketing. Under the Privacy and Electronic Communications (EC Directive) Regulations 200, the UK has permitted the use of email for unsolicited direct marketing on an opt-out basis to corporate subscribers (B2B). The new language of ePrivacy Regulation does not recognise the term ‘subscribers’ (used in current UK legislation), but instead uses the term ‘end-users’. Natural person end users (or people at work!) will be protected by the same opt-in (consent) requirements that consumers are today. In other words, you will need to have a GDPR compliant opt-in from everyone if you want to send unsolicited email direct marketing.

Why do I say ‘potential’ change? There is the wording of ePrivacy Regulation § 16(5) which states;

5. Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to unsolicited direct marketing communications [sent or presented] by means set forth under paragraph 1 are sufficiently protected.

Could this be read as an opportunity for the UK (or others) to maintain a B2B opt-out regime for email direct marketing? The wording suggests this is unlikely. In my opinion, an end user that is a legal person would most likely be or and not


These are problematic. Firstly, there is the interplay between GDPR and existing legislation. PEC Regs require consent to ‘drop’ cookies. Consent is more rigorously defined in GDPR. PEC Regs takes its definition of consent from GDPR! So we should be seeing changes in the way cookie banners are configured. And we are, I am noticing many more sites providing far more granular options to manage cookies, but some high-profile sites are still sticking to ‘implied consent’. This is not incorrect, but it is an aggressive stance. Imagine if your email data capture forms said, ‘By completing this form you agree to unsolicited email marketing’. No tick box there! The UK Information Commissioner has exactly this form of (GDPR compliant) consent mechanism on their website.  However not everyone considers this to be a compliant mechanism. ‘Any individual controllers who intend to process data for their own unique purposes will need further granular opt-ins for these purposes’ (Ryan, 2017). Now with Brave Inc, Mr Ryan’s ongoing commentary accurately highlights the technical difficulties of maintaining the current AdTech status quo considering GDPR and ePrivacy Regulation.

Profiling, programmatic, Facebook and LinkedIn marketing are all top of our agenda when it comes to staying compliant. Do not assume current methods will remain compliant. A recent case at the CJEU (European Court of Justice, 2018) shows how even running a Facebook fan page can put you in to a joint data controller relationship with Facebook, with implications for sharing any penalties with your fellow data controller.

iCompli training and Keynote speaking

We follow the legislation closely, we think through solutions with pragmatism and imagination, we train organisations in a language they can understand.

If you would like us to assess your compliance with marketing law, GDPR or ePrivacy Regulation/Privacy and Electronic Communications (EC Directive) Regulations 2003 or improve your staff knowledge and compliance, please contact us on (that’s a legal person go ahead and do your worst!) to enquire about our training, consultancy and Data Protection Officer (DPO) services.




Competitions & Markets Authority. (19th June 2015). Online reviews and endorsements. Report on the CMA’s call for information. CMA41. Crown.

European Commision. (2016, 09 14). DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing the European Electronic Communications Code. Retrieved 2018, from

European Court of Justice. (2018, June 5). Case C‑210/16. Retrieved from InfoCuria:

Friends of Europe. (2017, June). Policy Choices for a Digital Age: Taking a whole economy, whole society approach. Geert Carni.

Information Commissioner. (2018, July 10). Findings, recommendations and actions from ICO investigation into data analytics in political campaigns. Retrieved September 2018, from

Ryan, J. (2017). GDPR consent design: how granular must adtech opt-ins be? Retrieved from PageFair: