The General Data Protection Regulation (“GDPR”) will enter into force on 25 May 2018 and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at the same time.

Current legislative status of the ePrivacy Regulation

The European Council published its first revisions to the ePrivacy Regulation (read more on our blog here) on 8 September 2017, and European Data Protection Supervisor Giovanni Buttarelli issued recommendations on specific aspects of the ePrivacy Regulation on 5 October 2017 (read more on our blog here). The European Parliament adopted a report, including its draft resolution on the ePrivacy Regulation (“Report”), on 23 October 2017. Adhering to the requirements for processing personal data under the ePrivacy Regulation, the Report does not allow further data processing for compatible purposes or on the basis of legitimate interest. On 5 December 2017, the European Council released a consolidated version of the ePrivacy Regulation (“Consolidated Version”) which summarizes the work done so far in the European Council as a basis for its future work. The Consolidated Version also outlines that further internal discussions will be necessary, i.e., on Art. 6, 7, 9 ePrivacy Regulation as well as on further grounds for processing.

Next steps

The European Council now has to determine its final proposal for the ePrivacy Regulation, which, as currently stated by the German government, will likely not happen until summer 2018. Trilogue discussions between the European Parliament, Council and Commission will then take place if the European Council does not agree with the European Parliament’s amendments (Art. 294 Treaty on the Functioning of the European Union).

Which law fills the gap?

If the ePrivacy Regulation misses the deadline of 25 May 2018, the arising gap in the legislative framework will be closed by national law that implements the ePrivacy Directive 2002/58/EC, the predecessor of the ePrivacy Regulation (Art. 95 GDPR). In Germany, in addition to the requirements of the GDPR, Sec. 12 (1), 13 (1), 15 (1) German Telemedia Act would apply.


It will likely take until mid-2019 or the end of 2019 until the ePrivacy Regulation comes into force. The main focus of the European Union and the European member states currently is on the GDPR.

The uncertainty about the final text of the ePrivacy Regulation and its unclear timeline leaves organisations that operate electronic communications services unsure how to prepare for the new legal framework. When implementing the GDPR in their business, organisations should keep in mind that the ePrivacy Regulation will affect websites, apps, cookies and other tracking technologies, and marketing activities. Identifying these topics will help organisations prepare their businesses for compliance with the final ePrivacy Regulation. Once the final text of the ePrivacy Regulation and its timeline are established, organisations can refer to third-party technologies, such as consent boxes, to comply with the new provisions.