
You can find the Update below.

This agreement marks the beginning of the final negotiations with the European Commission and the European Parliament. If the three parties were to reach an agreement in the course of this year, the ePrivacy Regulation could enter into force in 2023 at the earliest – after a transition period of two years.

The ePrivacy Regulation, which is to replace the existing ePrivacy Directive of 2002, aims to regulate the conditions under which service providers may process electronic communications data or have access to data stored on end-users’ devices. Communications data is understood to mean the data transmitted when using online services, such as messages on WhatsApp or video calls on Skype. The revised rules take into account new technological and market developments as well as new techniques for tracking users’ online behaviour.

Besides topics such as electronic communications data, metadata, the Internet of Things, caller identification and public directories, the regulation also covers cookies. End-users should be offered a real choice to accept cookies or similar identifiers. Access to a website may be made conditional on consent to the use of cookies for additional purposes if the user can choose between this offer and an equivalent offer that does not involve consent to cookies. To prevent users from having to accept cookies repeatedly in order to visit a website, they can give their consent to the use of certain types of cookies by including one or more providers in a positive list in their browser settings. Providers will be required to make it easy for users to create and modify positive lists and to withdraw their consent.

Update ePrivacy Regulation (March 2022):

Originally, the ePrivacy Regulation was to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). However, unlike with the GDPR, the EU states have not yet been able to agree on a joint draft law in the case of the ePrivacy Regulation. Negotiations on the ePrivacy Regulation are still ongoing. Informal (trilogue) negotiations are currently taking place between representatives of the three bodies involved in the EU legislative process: the EU Commission, the Parliament and the Council of Ministers. The ePrivacy Regulation is not expected to enter into force before 2023. The transition period is expected to last until 2025 (24 months).


  • The ePrivacy Regulation is primarily aimed at companies in the digital economy and imposes further requirements on them in connection with the processing of personal data.
  • As a special law, the ePrivacy Regulation takes precedence over the GDPR. Its provisions supplement and clarify the GDPR with more specific regulations.
  • The risk in the event of inadequate implementation is analogous to the GDPR: fines of up to 20 million EUR or, in the case of a company, of up to 4 percent of the total worldwide turnover achieved (fines refer to Art. 83 GDPR).

The biggest point of contention is the processing of data on the basis of legitimate interest. So far, the draft has provided that the collection and processing of user data on end devices (especially cookies and the use of tracking technologies for one’s own website or advertising measures) is prohibited unless consent is given (so-called “prohibition with reservation of consent” – Art. 8(1) of the draft).

There is the possibility of obtaining consent by means of appropriate browser default settings (Art. 9 para. 2 of the draft), but only under the condition that every six months there is a reminder that this consent can be revoked. Nevertheless, data processing on the basis of legitimate interest (analogous to the GDPR) is not provided for and would only be possible if the data in question also fall under the GDPR.


Press release of the Council: