The ePrivacy Regulation on Privacy and Electronic Communications (also known as the EU PECR, ePrivacy Regulation or ePR) has officially been withdrawn. It would've been the new law on electronic communications in the EU. Together with the GDPR, it would've formed the two pillars of data protection law in the EU. The European Commission intended for the ePrivacy Regulation to significantly change how electronic communications are regulated in the EU. It would've replaced the Privacy and Electronic Communications Directive 2002/58/EC (also known as the ePrivacy Directive or ePD) that is currently in place, and become law across all the EU's member states.
In this article, we are not talking about the Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK PECR) in the United Kingdom. Those are something different. The United Kingdom enacted those regulations to comply with the ePrivacy Directive.
This raises important questions for anyone involved in the electronic communications space in the EU and the rest of the world:
- Who would this regulation have applied to?
- How would it have applied?
- What would have been the consequences for non-compliance?
Who would the ePrivacy Regulation (EU PECR or ePR) have applied to?
The EU PECR would have applied to all controllers and processors who process electronic communications data to provide electronic communications services to end-users in the EU. It wouldn’t have made a difference whether the controllers and processors were processing the data in the EU or outside it. Electronic communications services providers that the Regulation would have applied to include the following persons:
- providers of messaging services like WhatsApp, Facebook and Skype;
- website owners;
- app owners whose applications have electronic communication as a component;
- natural and legal persons sending commercial direct marketing communications;
- political parties sending messages electronically to promote their parties;
- telecommunications companies; and
- Internet access services providers, like persons providing WiFi connections.
The EU PECR would have applied to both natural and legal persons. Legal persons have largely the same rights as natural persons, including the right to lay a complaint with a supervisory authority about the use of their data. The EU PECR provided that consent, as defined in the General Data Protection Regulation (GDPR), includes consent that legal persons may give for the processing of their data.
What data would the EU PECR have applied to?
The EU PECR would’ve widened the net of electronic communications data that it applies to. It would’ve covered future means of electronic communication, including calls, internet access, instant messaging applications, email, internet phone calls and personal messaging provided through social media.
What is the status of the ePrivacy Regulation?
The European Commission has officially withdrawn the ePrivacy Regulation proposal. This decision follows years of resistance from powerful industry players and some EU governments, who prioritised commercial interests and national security concerns over individuals' privacy rights. Despite this setback, European Digital Rights (EDRi) remains committed to advocating for strong privacy protections. They are pushing for new laws that ban manipulative tracking practices, protect electronic communications, preserve anonymity and encryption, and limit both commercial and state surveillance. EDRi stresses that privacy is a fundamental right, not a luxury, and vows to keep fighting for legislation that ensures a safer, rights-respecting digital environment for everyone. You can read the latest developments on the ePrivacy Regulation on the EUR-Lex website.
Actions you can take
- Increase your awareness by reading the full text of the draft Regulation and accessing a fact sheet or infographic on it.
- Comply with data protection law by joining a programme.
- Find out if the ePrivacy Regulation applies to you by asking us to guide you.
- Know the impact of the Regulation on your processing by asking us your questions.
- Understand when and how to legally obtain the consent of your end-users by asking us to guide you.
- Inform your end-users about what you will do with their data by instructing us to draft you a privacy policy or review your current one.
- Learn more about direct marketing by asking us all your questions on advertising law.
- Be alerted to any new developments by subscribing to our newsletter.
Did the EU PECR require consent for all processing?
Consent plays a major role but is not required in all instances. For example, it is not required where the processing is for the legitimate purpose of properly providing a service that the consumer genuinely asked for. Another purpose for which the PECR didn't require the end-user's consent is the storing of cookies that keep track of the end-user's inputs when filling in online forms over several pages during a session on a website. Consent is also not a requirement where the cookies only measure web traffic to a website and don't store any personal information.
Generally, end-users must be able to withdraw their consent with relative ease at any time.
For this purpose, unsolicited marketing communications must be recognisable and contain the senders' proper identities and return addresses or numbers. An example of an end-user finding it easy to withdraw their consent is when the end-user gives consent to cookies, and the website uses the settings of the browser or other application to help with the withdrawal of the consent.
Direct marketers who market for commercial purposes must also obtain the consent of end-users before sending communications.
Useful resources
- The EDPB’s Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) – wp247