e-Privacy Regulation: A first step towards the protection of privacy?


The e-Privacy Regulation, on the electronic protection of privacy, under revision since 2016 following the adoption of the GDPR (General Data Protection Regulation), was put to a vote on 19 October 2017 in the LIBE committee of the European Parliament. Despite lobbyists’ strong efforts, the Commission finally voted in favor of measures that defend privacy, security and competition for phone and internet services[1]. However, some ‘exceptions’ remain in the text, which AEDH regrets.

Indeed, one week before the vote, eight associations representing the European publishing, media and advertising industry sent an open letter to Members of Parliament to warn them that some amendments to the e-Privacy Regulation are a threat to those industries. The focus was put on internet users’ free access to certain online content, which could be threatened by such a regulation. Specifically, lobbyists requested that the e-Privacy Regulation support the right of online services, meaning that publishers have the right to restrict full access to their services for users who have not consented to the processing of their data, deemed necessary to monetize a service. This practice is based on the ‘data-driven advertising’ principle, i.e. an advertising method based on consumers’ personal data[2].

As a reminder, the e-Privacy Regulation is the revision of Directive 2002/58/EC of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector, already revised in 2009. This directive, which is less restrictive than a regulation, was created to ensure the confidentiality and the protection of personal data in the electronic communications sector by “supplementing and particularizing” the issues treated in a general way by the legal instrument Directive 95/46/EC, which will be replaced in May 2018 by the GDPR. Confidentiality of communications covers the right to privacy and data protection, but also freedom of communication and expression. Thus, the e-Privacy Regulation covers two fundamental rights enshrined in the EU Charter of Fundamental Rights: the right to confidentiality of communications, enshrined in Article 7, and the right to the protection of personal data and to freedom of expression, enshrined in Articles 8 and 11 of the Charter[3].

The 31 members of parliament who voted in favor of the regulation mainly belong to left-wing groups. It is therefore the left wing, representing “pro-privacy”, that “won” this first round, saying “no” to anti-privacy lobbying[4]. Parliament’s approach thus protects citizens, but also competition, innovation and the confidentiality of communications. For example, MPs voted in favor of end-to-end encryption protecting the content of communications between the sender and receiver, and “backdoors” that allow reading encrypted messages have been categorically excluded[5]. Regarding the “cookie” question, the aim is to simplify the rules and streamline consent to cookies, i.e. EU websites and websites with EU visitors will no longer need to display cookie consent pop-ups. However, some shadows remain which, according to AEDH, prevent us from speaking of a first victory: “With few exceptions, Internet companies and communication providers should be able to use users’ data only with their consent. (…) Exceptions apply only to statistical measures of user behavior and to the software security of communication providers”[6]. AEDH regrets the existence of these “few exceptions”, as does La Quadrature du Net (France), which denounces the possibility for websites to measure web audiences without our consent[7], as well as the possibility for companies to “trace our phones and other devices anywhere, without our consent.” Finally, the approved text does not result in an extension of the legal basis for data processing; trust will be based on consent, in line with the GDPR, which is debatable according to Hunton Privacy: “The transfer of corporate responsibility towards individual consumers cannot be considered as an improvement of the protection of privacy”[8].

AEDH welcomes the fact that a majority of LIBE parliamentarians have not yielded to lobbyist pressure but regrets the “gray areas” and “some exceptions” that remain in this text. Moreover, this is only a first step, since a vote must be held in plenary session, that is to say by all members of parliament, and the European People’s Party has announced that it is planning to oppose this text. Finally, once the text has been approved by Parliament as a whole, the next step will be negotiations with the European Council.


[1] EDRi, “Euro-parliamentarians say a clear ‘no’ to the anti-privacy lobby”, 19th October 2017

[2] i-scoop, “The new EU ePrivacy Regulation: what you need to know”, 2017

[3] Official Journal of the EU, Charter of Fundamental Rights of the EU, 2016

[4] EDRi, “Euro-parliamentarians say a clear ‘no’ to the anti-privacy lobby”, 19th October 2017

[5] iapp, “LIBE votes to push Lauristin’s ePrivacy Regulation forward”, October 2017

[6] iapp, “LIBE votes to push Lauristin’s ePrivacy Regulation forward”, October 2017

[7] La Quadrature du Net, “Le parlement européen échoue à protéger notre vie privée”, 19th October 2017

[8] Hunton & Williams, “European Parliament LIBE Committee approves amended ePrivacy regulation”, 19th October 2017