The long-running e-Privacy Regulation saga continues. On 18 September 2019, the Council of the European Union (the Council) released proposed amendments to the draft regulation. We take a look at some of the proposals.


The draft e-Privacy Regulation will replace the current Directive 2002/58/EC to “reinforce trust and security in the Digital Single Market”. It was meant to be introduced concurrently with GDPR in May 2018. However, it has been subject to many delays, debates and inter-EU institutional wrangling. The Council (under its current Finnish presidency) has now proposed additional changes to the existing draft.

The most eye-catching changes are new obligations regarding processing of electronic communications data to detect, delete and report child pornography.

Additional amendments include:

  • An updated definition of ‘Direct Marketing Communications’ to capture advertising sent through a publicly available electronic communications service directly to one or more specific end users. This includes calls (with or without human interaction) and electronic messaging. The revised definition has omitted terms such as ‘identified or identifiable’ and ‘presented’ from the previous definition, while adding new terms such as ‘directly’ and ‘specific’.
  • Restricting companies’ ability to process metadata. Metadata refers to data that describes or provides information on other data; hence, metadata may contain intrinsic personal information. Providers of electronic communication services should obtain users’ consent before processing metadata. Where consent is not obtained, such providers must take into account a list of considerations when deciding to process metadata (including, for example, that processing is necessary to protect end users’ vital interests or that processing is subject to appropriate safeguards).
  • Clarifying the direct marketing ‘soft opt-in’ rules for unsolicited direct marketing. EU member states are asked to set out, by law, time limits within which recipients’ contact details must be used from when they first make a purchase.
  • Clarifying the ability to block incoming calls to end users, including what would be considered unwanted, malicious or nuisance calls. EU member states are tasked with establishing transparent procedures, in particular, where providers may override anonymous call details to prevent unwanted, malicious or nuisance calls.


This proposal has provided more clarity across a variety of topics. However, we will have to wait and see if this proposal galvanises the EU institutions toward finalising the e-Privacy Regulation. Its delayed finalisation has been a consistent source of concern for companies that market electronically and use online behavioural advertising. The Council intended to discuss these changes in greater detail last week but we should not expect them to be finalised before 2020. As ever, we will continue to monitor events and keep you updated. Check back regularly!