The European Commission’s announcement that it will consider simplifying regulatory regimes, notably in relation to data and technology, seems to open Pandora’s box. Is it a chance to draw lessons from what works well and what works less well?
In this series on “Better Regulation” in relation to the digital economy, I will be exploring various laws and topics, and this first piece in this series concerns the possibility of revisiting the ePrivacy Directive, Directive 2002/58/EC.
This piece of legislation, amended in 2009, has recently seen a large update attempt fail: the ePrivacy Regulation legislative initiative. "Recently" in the sense that it was only finally dismissed recently; the attempt itself started with a legislative proposal of the Commission in January 2017. Eight years of discussion, speculation, negotiation – all for nought?
So let’s think big with simplification: is there a way to simplify the legislative framework on ePrivacy? Perhaps even getting rid of the ePrivacy Directive altogether?
This is not a proposal to repeal the ePrivacy Directive tomorrow, but rather to see what can be observed in the legislative framework, in its interpretation and enforcement, and what lessons can be drawn for future legislation (hello Digital Fairness Act and GDPR revision?).
As some of the rules of the ePrivacy Directive (ePD) are telecom-specific, the analysis below is based on key (groups of) articles, with an indication of which ones are telecom-specific and which are not.
In summary, the ePD should be either repealed, or its interpretation revised:
- Security (Art. 4 ePD): NIS2 and the GDPR deal sufficiently (and better than Art. 4 ePD) with security measures, incident reporting and personal data breach reporting.
- Confidentiality of communications (Art. 5(1) and 5(2) ePD): GDPR interpretations risk preventing any useful storage of communications, and the provisions’ own interpretation may prevent the taking of measures to protect the service itself and its lawful recipients. These provisions should be repealed, or their exceptions improved.
- Processing of traffic data & certain kinds of location data (Art. 6 & 9 ePD): these provisions effectively illustrate how to apply the GDPR’s data protection principles to telecom providers, while failing to address fraud prevention. They should be repealed.
- Cookies / storage & access (Art. 5(3) ePD): the EDPB’s views of this provision’s scope and of consent exemptions make true compliance doubtful. It could be removed altogether, or its scope could be brought back to its traditional interpretation (provided the consent exemptions are made workable in a consistent manner).
- Anti-spam / unsolicited communications (Art. 13 ePD): the EDPB’s views on “storage” and other interpretation issues require either a repeal, or a clarification of the provision’s scope and of the consent exemption (soft opt-in) to make it workable for organisations of all sizes, including corporate groups.
“Better Regulation” means not only improving existing laws and writing new ones better – it also means repealing laws that simply cannot be complied with. Today, that includes the ePD.
Introduction
The European Commission recently announced that it will consider simplifying regulatory regimes, notably in relation to data and technology. This is an opportunity to reflect on what works well and what works less well since the implementation of the applicable legislation in these areas, notably the ePD.
This piece of legislation, amended in 2009, has recently seen a large update attempt fail: the ePrivacy Regulation legislative initiative. "Recently" in the sense that it was only finally dismissed recently; the attempt itself started with a legislative proposal of the Commission in January 2017.
The question of whether the ePD should be repealed is not new. The telecom association ETNO, now Connect Europe, commissioned a decade ago a study on the topic. The study concluded that many provisions could be repealed simply by virtue of the GDPR that was then being negotiated and that others could be integrated in the Telecoms Package, i.e. telecom-specific legislation. We do not believe that this analysis holds entirely true, but this is also because the legislative framework has changed in the meantime.
For instance, many concerns that are reflected in that study relate to the difference in treatment between “traditional” telecom operators (Internet service providers and infrastructure providers) and providers of “over-the-top” services (i.e. similar services provided over the Internet, such as instant messaging platforms [vs SMS], voice-over-IP [vs phone calls] etc.). This distinction matters much less since the adoption of the European Electronic Communications Code (EECC), whereby such “interpersonal communications services” have been brought within the scope of the concept of “electronic communications services”. Telecom-specific provisions are therefore not limited to the more traditional idea of a telecom provider.
Likewise, in the framework of its impact assessment building up to the proposal for an ePrivacy Regulation, the Commission had examined the possible repeal of the ePD (alongside certain other options). The conclusion by the contractor appointed by the Commission was that a repeal “would remove the specific protection of privacy and confidentiality in the electronic communications sec[t]or and in this respect may penalise citizens”[1]. Based on the analysis below, that conclusion may have been superficial, and given today’s legislative framework it does not appear to hold true.
As some of the rules of the ePD are telecom-specific, the analysis below is based on key (groups of) articles, with an indication of which ones are telecom-specific and which are not.
The analysis is built around the following structure:
I. Security: Article 4 ePD (telecom-specific)
I.1.A. Measures to be taken? NIS2 > ePD
I.1.C. Management involvement & liability? NIS2 > ePD
I.2. Incident reporting & personal data breaches
I.2.B. Personal data breaches? GDPR+NIS2 ≈ ePD
II. Confidentiality of communications: Articles 5(1) & (2) ePD (general scope)
II.1. Principle of confidentiality of communications
II.2. Necessary exceptions to confidentiality
II.3. Could one consider repealing those provisions?
II.4. Should these provisions be kept?
II.5. Conclusion on Art. 5(1) & 5(2) ePD
III. Traffic data & location data: Articles 6 & 9 ePD (telecom-specific)
III.1. Principle: anonymisation or erasure, save specific circumstances
III.2. Added value compared to the GDPR?
III.3. What of anti-fraud processing?
III.4. Conclusion on Art. 6 & 9 ePD
IV. Other telecom rules: Articles 7, 8, 11, 12, 14 ePD (telecom-specific)
V. The “cookie” rule: Article 5(3) ePD (general scope)
V.4.A. “Communication” consent exemption
V.4.B. “Service” consent exemption
V.5. Could one consider repealing those provisions?
V.6. Should these provisions be kept?
V.7. Conclusion on Art. 5(3) ePD
VI. Unsolicited communications & anti-spam: Article 13 ePD (general scope)
VI.3. Solicited communications
VI.4. Could one consider repealing those provisions?
VI.5. Should these provisions be kept?
VI.6. Conclusion on Art. 13 ePD
VII. Conclusion: whither ePrivacy?
I. Security: Article 4 ePD (telecom-specific)
Article 4 ePD can be summarised as requiring appropriate technical and organisational measures to safeguard the security of telecom services (Art. 4(1) ePD), with the power for national (telecom) regulators to audit those measures and issue recommendations (Art. 4(1a) ePD). In case of a “particular risk” of a breach of security of the network, information to subscribers is required, and in case of a personal data breach that is “likely to adversely affect the personal data or privacy” of a subscriber or individual, information to the subscriber or individual is required (Art. 4(3) ePD).
The Commission is entitled to adopt an implementing regulation in this respect, which it did by way of Commission Regulation 611/2013.
With the advent of the Network & Information Systems (NIS) Directive (Directive 2016/1148) and now NIS2 (Directive 2022/2555), there are good reasons to question the relevance of Article 4 ePD.
In fact, even without NIS2 at the time, the Commission’s proposal for an ePrivacy Regulation did not include an equivalent to Article 4 ePD because “The alignment with the GDPR resulted in the repeal of some provisions, such as the security obligations of Article 4 of the ePrivacy Directive”[2]. This was not entirely correct, and the ePrivacy Regulation proposal was withdrawn in any event. The assessment hereunder is therefore important.
The requirements of NIS2 apply to all providers of public electronic communications networks and services, regardless of their size (Art. 2(2)(a)(i) NIS2 Directive), and those requirements are stricter than NIS1.
I.1. Security measures
First, on security measures:
I.1.A. Measures to be taken? NIS2 > ePD
Art. 21(2) NIS2 Directive has a long list of the types of measures that need to be taken, while Art. 4 ePD just has the general “appropriate” measures requirement. Even the equivalent general “appropriate” measures requirement in Art. 21(1) NIS2 Directive is better than Art. 4 ePD: (i) it mentions not only technical and organisational measures but also operational measures, (ii) it is not purely about “security of its services” but specifically mentions measures “to prevent or minimise the impact of incidents on recipients of their services and on other services” and (iii) it highlights the importance of proportionality in the assessment of measures, which helps limit abuses by regulators or complainants.
I.1.B. Sanctions? NIS2 > ePD
Art. 4 ePD sanctions are very unclear. Regulators can audit measures taken and issue recommendations about best practices, but sanctions as such are not defined within the ePrivacy Directive itself (other than the power to order the cessation of infringements). In other words, it is up to national law, which varies in this respect. In NIS2, there is a very powerful combination of sanctions (Art. 32 & 34 NIS2 Directive), including fines, binding instructions (better than vague orders to cease an infringement), and even, if other sanctions are “ineffective”, the power to (i) suspend a certification or authorisation regarding the services (basically making it illegal for the service to be offered) or (ii) prohibit the actual CEO or legal representative (the natural person) from exercising managerial functions in the entity in question (Art. 32(5) NIS2 Directive).
I.1.C. Management involvement & liability? NIS2 > ePD
The above is without even counting the obligations for management bodies under Article 20 NIS2 Directive – obligations for management bodies to approve the cybersecurity risk-management measures taken, to oversee their implementation and to be trained regarding cybersecurity risks and risk-management practices, as well as the possibility for them to be held liable for infringements.
I.2. Incident reporting & personal data breaches
Next, on breaches and incidents, it is first worth noting that NIS2 barely says anything about personal data breaches, simply because it refers to the GDPR:
“The competent authorities shall work in close cooperation with supervisory authorities under Regulation (EU) 2016/679 when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the supervisory authorities under that Regulation” (Art. 31(3) NIS2 Directive).
As the GDPR is stricter regarding data breaches than the Data Protection Directive (Directive 95/46/EC) was when the ePD was adopted, this makes sense – just like it makes sense that a Commission Regulation was needed to strengthen the ePD framework regarding data breach notifications in the telecom space in a pre-GDPR phase.
I.2.A. Incidents? NIS2 > ePD
Commission Regulation 611/2013, which is examined in further detail hereunder, focusses on personal data breaches. Incidents other than personal data breaches are not mentioned therein, so only the text of the ePD is relevant – and all that it says is that subscribers must be informed in case of a “particular risk” of a breach of the security of the network and that they must be informed of remedies (Art. 4(2) ePD).
The reporting mechanism in NIS2, by contrast, is detailed and prescriptive. 24 hours to send an early warning to the competent authority of any “significant” incident; 72 hours to file an incident notification; one month maximum for the final report (Art. 23(4) NIS2 Directive). And then also a notification to “recipients of their services that are potentially affected”, “without undue delay” (Art. 23(2) NIS2 Directive).
I.2.B. Personal data breaches? GDPR+NIS2 ≈ ePD
While NIS2 itself does not handle the issue of personal data breaches (referring instead to the GDPR), the standard of the GDPR could be said to encompass most of the ePD personal data breach requirements set out in Commission Regulation 611/2013.
At first sight, this may seem a stretch when looking at the standard for notifications to data subjects:
- The GDPR requires information to data subjects when a personal data breach is “likely to result in a high risk to the rights and freedoms of natural persons” (Art. 34(1) GDPR);
- In the ePD regime, the standard for notifications to individuals or subscribers is when the personal data breach is “likely to adversely affect the personal data or privacy of a subscriber or individual” (Art. 3(1) Commission Regulation 611/2013).
Although this is not the same wording, data protection regulators themselves have interpreted it to have the same scope. In its final Guidelines 9/2022 on personal data breach notification under GDPR, the European Data Protection Board (EDPB) states that “the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible”[3]. “Adverse effect” is in reality the same as “adversely affecting” a data subject, and “likely high risk” is in practice a strong likelihood.
As far as notifications to supervisory authorities are concerned, under the ePD regime, providers of electronic communications services are required to “notify all personal data breaches to the competent national authority” (Article 2(1) Commission Regulation 611/2013), and this must take place “no later than 24 hours after the detection of the personal data breach, where feasible” (Article 2(2) Commission Regulation 611/2013). This appears to leave less flexibility than the GDPR, which exempts the controller from data breach notifications to authorities if a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33(1) GDPR).
But does the ePD notification requirement really do anything good? The EDPB guidance on personal data breaches and guidance from the EDPB’s predecessor (the Article 29 Working Party / WP29) have shown that there are good reasons not to notify every personal data breach to authorities. The three main examples given (disclosure of publicly available data; disclosure to a trusted recipient; disclosure of encrypted or “essentially unintelligible” data without breach of the encryption key and without loss of data) are situations in which it makes sense even for operators of electronic communication services to be able not to notify an authority.
The trusted recipient example illustrates this well. It is the scenario where personal data is disclosed (accidentally or not) to a recipient whom the controller or processor (based on a certain level of assurance) can reasonably expect not to read or access the data sent in error, and to comply with the instructions of the controller/processor to return the data. As WP29 and the EDPB explained, “the fact that the recipient is trusted may eradicate the severity of the consequences of the breach but does not mean that a breach has not occurred […] this in turn may remove the likelihood of risk to individuals, thus no longer requiring notification to the supervisory authority”.
It is logical for providers of electronic communications services to also be able to benefit from this notification exemption, just like the “publicly available data” exemption.
And as for the “unintelligible data” exemption, Commission Regulation 611/2013 includes it explicitly in its Article 4(1).
This appears to contradict the EDPB’s own statement that the GDPR’s standard “is in contrast to existing breach notification requirements for providers of publically available electronic communications services in Directive 2009/136/EC that state all relevant breaches have to be notified to the competent authority”[4]. The alleged contrast is not so strong.
The GDPR’s timing requirements are perhaps less stringent (72h where feasible, as opposed to 24h where feasible under Commission Regulation 611/2013), but with NIS2’s incident reporting requirements and strict timeline there is no timing discrepancy in terms of notifications to authorities in general.
In other words: it does indeed appear logical to apply the GDPR standard. The ePD requirements regarding notifications do not add anything in practice other than complexity.
I.3. Conclusion on Art. 4 ePD
In conclusion, Article 4 ePD does not add anything in practice in the light of today’s statutory environment, in which NIS2 and the GDPR deal more than sufficiently (and often far better than Art. 4 ePD) with the issues of security measures, incident reporting and personal data breach reporting.
II. Confidentiality of communications: Articles 5(1) & (2) ePD (general scope)
The next provisions to be examined deal with the processing of communications data and traffic data.
In essence, “communications” in this context means the actual content of a phone call, e-mail exchange, interpersonal messaging system (like SMS or any instant messaging system) but also web browsing. It is not the identity of the recipient or sender of the message, nor is it the web address you are visiting; rather, it is the content: the message, the webpage contents, the voice signal you hear when speaking to someone over the phone. Article 2(d) ePD defines “communication” as “any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service”.
That surrounding information is metadata (“data about the data”), so information about the communication such as the phone number you dial, the URL you visit online, the duration of your phone call, etc. Some of that metadata is “traffic data” within the meaning of Article 2(b) ePD, i.e. “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof” (for instance, without knowing the duration of a call, a telecom operator cannot know whether it is part of the subscription plan or if it should be invoiced to the caller as a separate item). Some of that metadata (sometimes the same as traffic data) may also be “location data”, i.e. “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”(Article 2(c) ePD).
The proposal for an ePrivacy Regulation introduced useful nuances here, by creating a distinction between “electronic communications content” and “electronic communications metadata”, and calling the combination “electronic communications data”.
This had the benefit of being clearer and avoiding certain misunderstandings.
II.1. Principle of confidentiality of communications
Articles 5(1) and 5(2) ePD essentially say that:
- communications transmitted by way of a public communications network and related traffic data are confidential (Article 5(1) ePD),
- tapping / listening / storage / interception / surveillance of communications and related traffic data by “persons other than users” is prohibited “without the consent of the users concerned”, save statutory exceptions and save technical storage necessary for conveyance of the communication (Article 5(1) ePD) and
- it remains possible to carry out the “legally authorised” recording of communications and related traffic data to provide “evidence of a commercial transaction or of any other business communication” (Article 5(2) ePD).
Article 5(1) ePD is in reality an implementation of (a part of) Article 7 of the EU Charter of Fundamental Rights, which consecrates the right to privacy also as regards communications (“Everyone has the right to respect for his or her private and family life, home and communications”). At the same time, Article 5(1) ePD can be said to go further than the Charter by extending confidentiality of communications also to non-private communications, as it does not refer to private communications and it prevents even the storage of communications by “persons other than users” (see explanation hereunder).
It is clear that the idea underlying Articles 5(1) & (2) ePD is very important. Before looking at what they say and their implications, it is worth recalling that the aim of the present analysis is to determine whether the ePD should be repealed altogether – and if something should not be repealed, it is also worth checking whether it belongs somewhere else.
Yet these provisions are not without their flaws, and the issue of the exceptions to confidentiality illustrates this well.
II.2. Necessary exceptions to confidentiality
The first clear exception to confidentiality is the one for which Article 5(2) ePD provides evidence of a commercial transaction or of any other business communication. Because the provision applies to everyone (not just in the telecom space), it allows any individual or organisation to prove that they entered into a contract or that certain terms were agreed even if the contract or terms were not signed in the traditional sense, by producing an e-mail or other form of communication showing there has been an agreement between parties.
This can be particularly relevant for organisations as part of business continuity needs, but data protection authorities continue to impede e-mail use by employers (as seen recently in Italy and Belgium).
Interestingly, the ePrivacy Regulation proposal did not include this exception (nor did the versions with the positions of the Council or the European Parliament).
Even if the principle and exception were to disappear from the ePrivacy framework and its national implementations, some countries might already have separate rules on the confidentiality of correspondence permitting this scenario, and some may even permit the production of evidence that was obtained unlawfully. It would go against many fundamental principles of law (including the rights of defence, the [national] principles regarding the binding nature of agreements and largely aligned basic principles of evidence) to prevent a party from using its own correspondence with another to prove that the two entered into a commercial transaction.
In fact, it would be more useful to have a clear rule on the lack of confidentiality of correspondence vis-à-vis the subscriber itself, in particular in the case of e-mail. If a person works for a company and has dealings with the outside world in the context of that role, those outsiders are in contact with the person in question in the context of that person’s role and thus are in fact also in contact with the company itself. John Doe sends an e-mail to Bobby Baker at ABC because Bobby represents ABC. It is rare nowadays for an employee only to have one e-mail address, the professional one, and not to have any private e-mail address, so external exchanges with a professional e-mail address can in reality be presumed to be professional in nature. The same will not necessarily be the case for a phone number or instant messaging, though, showing the need for a flexible approach to confidentiality of correspondence.
Yet this flexibility is precisely an issue, taking into account Articles 5(1) and 5(2) ePD: exceptions must be foreseen by law (and will thus typically be interpreted strictly, due to the strict interpretation of exceptions as a general rule).
In addition, because of the way in which it is implemented, the principle of confidentiality of communications constitutes a significant hurdle for operators of electronic communications services in many situations that directly or indirectly benefit (legitimate) end-users. Anti-fraud measures, for instance, require the analysis of good and bad behaviour; in the payments industry, anti-fraud analyses can be carried out without the need for a specific statutory authorisation, while Article 5(1) ePD means that in the telecom industry it is harder to carry out anti-fraud analyses without a specific statutory authorisation. To illustrate, Belgium introduced only in 2022 (20 years after the adoption of the ePD) a provision requiring the deployment of anti-fraud measures by telecom operators; even then, its requirement is that telecom operators must do so “[w]ithout gaining knowledge of the content of communications” (Art. 121/8 of the Belgian Act on Electronic Communications – FR / NL). Not every Member State has such a provision.
This issue needs to be read in conjunction with Article 6 ePD (on traffic data – a telecom-specific provision), as will be examined further below.
In summary, the principle of confidentiality is one thing, but its exceptions are not properly considered or set out throughout the EU.
II.3. Could one consider repealing those provisions?
Articles 5(1) and 5(2) ePD provide a very important illustration of the objective of this analysis: if a provision is unhelpful or unnecessarily hampers legitimate practices, could it be repealed altogether?
Repealing Article 5(1) ePD would not affect the existence of the principle of confidentiality of private communications, which exists in the EU Charter of Fundamental Rights, but it would remove one specific statutory prohibition for telecom operators in particular.
It is unlikely that this would have any actual negative effects. Confidentiality within the meaning of “not disclosing anything as a rule” is in any event further protected by virtue of the combination of two sets of rules:
- The GDPR requires notably measures to protect against the risk of disclosure of personal data. Article 32(2) GDPR requires account to be taken of various risks, including “unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”, and Article 4(12) GDPR defines personal data breach as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In other words, if there is personal data in play, the GDPR already requires confidentiality of communications.
- The NIS2 Directive defines the “security of network and information systems” notably as the “ability of network and information systems to resist, at a given level of confidence, any event that may compromise the […] confidentiality of stored, transmitted or processed data”(Art. 6(2) NIS2 Directive).
Any abuse by a telecom operator could thus be deemed to be in breach of at least NIS2, potentially also the GDPR if it concerns personal data.
The same would be true for any other entity covered by NIS2, directly or indirectly (due to the increasing rate at which NIS2-related security requirements are imposed on suppliers of NIS2-covered entities).
This could in theory leave a gap, where an entity is not covered by NIS2 and at the same time the communication does not involve the processing of personal data.
This could for instance be the case for certain Internet-of-Things (IoT) communications – but in that case, the Data Act (Regulation (EU) 2023/2854) would come into play.
The Data Act addresses issues that are similar to the principle of confidentiality of communications in practice. For instance, it explicitly refers in its Article 11(1) to the possibility for a “data holder” to apply technical protection measures “to prevent unauthorised access to data”. In addition, if a data recipient has unlawfully used data or disclosed it to another party, it must comply with any request from the data holder to “inform the user of the unauthorised use or disclosure of the data and of the measures taken to put an end to the unauthorised use or disclosure of the data” (Article 11(2) Data Act).
In other words: the gap left by removing Articles 5(1) and 5(2) ePD may not be very wide.
II.4. Should these provisions be kept?
If there is no intention to get rid of these provisions, though, the limitations highlighted above regarding the exceptions remain problematic.
The two examples given above of Belgium and Italy illustrate a general issue with Articles 5(1) and 5(2) ePD, one that also applies elsewhere: positions of certain regulators born from a certain view of the GDPR are having an impact on the desirability of the rule of confidentiality of communications and will block any useful (re)interpretation of those provisions.
The position of the Italian data protection authority, the Garante, on metadata is a serious issue in terms of management of communications. Metadata regarding e-mails can only be kept for a certain number of days, according to the Garante, with the result that if any organisation wishes to keep a record of what goes on in terms of communications, it must change its entire approach to record-keeping. The Garante’s position seems to be an unworkable and unrealistic version of data retention requirements. Even if this position is to be observed, the principle of confidentiality of communications, coupled with the absence of a clear right for the subscriber (= the organisation) to also get access to and to store the content of the communication, means that it becomes impossible for an organisation to even make a copy of the content of the communication or otherwise store it without the consent of the employee who received it and the consent of the third party who sent it (= consent of the users concerned).
While the Garante’s decision is a GDPR-related decision and not one related to the confidentiality of communications, by considering that the employer does not have a justification for keeping the metadata for longer, the Garante is in effect saying that the employer is not one of the users concerned by the communication. Otherwise, the justification for retention of the metadata in question would be self-evident, even after a person has left an organisation.
This last point is relevant as regards the Belgian position mentioned above. The Belgian Data Protection Authority has repeatedly considered that employee e-mail addresses must be deleted (with no mention of the consequences for e-mails in the mailbox that may be relevant to the organisation) at most three months after an employee leaves an organisation. In an earlier decision on the topic[5], the Belgian DPA even strongly recommended (and seemed to require) an authorisation from the employee before the mailbox could be kept alive for more than one month. In the words of the Belgian DPA, the purpose of processing of personal data (in the mailbox) was “irrelevant”[6] after that period of at most three months. Put differently: the organisation is not a participant, so it is not entitled to do anything by default with those communications. Even storage of e-mails for evidence purposes – Article 5(2) ePD – appears to be a no-go unless the employee has actually forwarded the e-mail to someone else who remains within the organisation.
With such GDPR-related decisions in mind, even Article 5(2) ePD is deprived of at least some of its effect, and any interpretation of Articles 5(1) and 5(2) ePD that makes e-mail communication conservation workable for business continuity purposes would be of no use, as (strict) interpretations of the GDPR prevent the conservation of those e-mails and metadata in any event.
This means that the provisions themselves are being deprived of their effect.
Articles 5(1) and 5(2) ePD appear therefore to have become statutory provisions whose application is rendered irrelevant because another law is deemed (i) to prevail over them and (ii) to mean that the provisions are insufficient for compliance. This is precisely the kind of scenario that normally would lead to repeal of the provisions in question.
If there is any desire to maintain the relevance of Articles 5(1) and 5(2) ePD, there must be certain changes to their interpretation.
First, organisations making e-mail addresses available to their personnel (as employees or otherwise) must be considered by default as being a participant, for the reasons mentioned earlier. Any other interpretation makes it easier for data protection authorities – as illustrated by the Belgian and Italian positions – to restrict the use of e-mails by such an organisation in a manner that is incompatible with business continuity concerns. Again, e-mail may be a special case today for the reasons set out earlier, but a similar reasoning could perhaps be used in relation to professional phone numbers where a new number is granted to an employee and the employee can be shown to keep a separate phone number for private purposes.
Second, there should be a clear EU-wide approach to managing exceptions to this perspective as regards actually private communications. It has long been good practice under Articles 5(1) and 5(2) ePD (not counting the recent GDPR positions mentioned above) for organisations to have an “e-mail usage policy” or broader “IT usage policy” for personnel, setting out the rules for monitoring of communications etc. and notably any indicators that personnel can use to create a presumption that a communication is indeed private.
If a single digital market is truly an ambition, barriers should not be put up that have the effect of introducing national barriers for the technical implementation of some of the most fundamental and widespread organisation-wide IT systems such as e-mail.
Third, there should also be a clear EU-wide approach to other exceptions, notably as regards security and anti-fraud measures. Recent debates regarding child sexual abuse material (CSAM) and mandatory backdoors to encryption have shown the importance of not allowing full exceptions to certain protections purely on the basis of the allegation of a potential effect, but there must be ways to ensure that the rules intended to protect the confidentiality of correspondence do not kill that very correspondence by making it too hard to adequately secure the communication or block certain clearly harmful communications from reaching the recipient. This is not a debate for regulators alone to carry out, however – it is a debate that requires the legislator’s involvement.
It is worth bearing Article 6, and in particular 6(5), ePD in mind in this respect as regards telecom, as will be discussed hereunder.
II.5. Conclusion on Art. 5(1) & 5(2) ePD
In conclusion, Articles 5(1) and 5(2) ePD cannot be maintained in their current format if GDPR interpretations prevent any useful storage of communications or if their own interpretation prevents the taking of measures to protect the service itself and its lawful recipients. Either they should be removed altogether, or their exceptions should be clarified, harmonised further and expanded. It would not hurt either to remind data protection regulators of the consequences of their decisions for the viability of these provisions on the confidentiality of communications.
III. Traffic data & location data: Articles 6 & 9 ePD (telecom-specific)
Articles 6 and 9 ePD are strongly related to Articles 5(1) and 5(2) ePD, in that they set out conditions under which providers of electronic communications services are permitted to use traffic data (Article 6 ePD) and location data other than traffic data (Article 9 ePD).
III.1. Principle: anonymisation or erasure, save specific circumstances
Under Article 6 ePD, telecom providers must render traffic data anonymous or delete it after transmission of a communication has taken place, except for the following scenarios:
- Billing: any traffic data that is necessary for billing purposes (or interconnection payments – i.e. when one telecom provider pays another for the handshake between them that allows a signal to pass through the network of the other on the way to the destination) can be processed to that end, until the bill can no longer be challenged (in many EU countries, this is around 5-10 years after the invoice has been issued);
- Marketing: subject to consent of the subscriber or user, telecom providers can process traffic data to market their own electronic communication services or “value-added services” (specific kinds of services that require the use of traffic data; more hereunder);
- Internal access: the provider must restrict the categories of persons who are permitted to process such traffic data to specific services, namely those in charge of billing, traffic management, customer enquiries, value-added services, marketing of electronic communications services and (a category not mentioned previously) fraud detection – and a purpose limitation requirement applies (access restricted to what is necessary for the purposes of those activities).
Article 9 ePD is a smaller sibling of Article 6 ePD, requiring anonymisation of location data other than traffic data, unless it is used with the consent of the user or subscriber and then only for the provision of a value-added service. Similarly to the logic under Article 6 ePD, only the categories of persons involved in the provision of value-added services are permitted to process this data, and only for the purposes of providing the value-added service.
III.2. Added value compared to the GDPR?
Where traffic data concerns personal data, these provisions now seem largely like an echo of the GDPR’s principles of data minimisation, purpose limitation and storage limitation.
The only addition of these provisions compared to the GDPR is in practice the further restrictions that they impose on providers of electronic communications services, in that any processing not covered by Article 6 ePD or Article 9 ePD will simply be prohibited.
As to whether this is still desirable, this should of course be read in conjunction with the European Electronic Communications Code and the extension of “providers of electronic communications services” also to “over-the-top” providers and interpersonal communications services, as well as, to some extent, with the Digital Markets Act and the restrictions that it imposes separately on the combination of personal data by a “gatekeeper”.
If no personal data is processed (where a telecom provider’s customer is a legal entity), the GDPR will not apply. In that context, though, one may also ask the question of whether there is any true added value to these restrictions in the light of the general principle of confidentiality of communications.
III.3. What of anti-fraud processing?
Ultimately, if the EU legislator considers it desirable to maintain these restrictions, there is the larger question of anti-fraud processing.
The inclusion of fraud detection teams within the list of those authorised to process traffic data (Article 6(5) ePD) appears out of place, considering the fact that “fraud” is not mentioned anywhere else in the ePD articles. Only one recital, recital 29 ePD, states the following: “Traffic data necessary for billing purposes may also be processed by the provider in order to detect and stop fraud consisting of unpaid use of the electronic communications service”. This preamble reference only mentions “unpaid use” of the electronic communications service, not the misuse of the service, for example in an attempt to defraud users (e.g. phishing or spam).
This remains a large question mark. Whatever the legislator’s perspective may be on Articles 5(1), 5(2) and 6 ePD, not permitting fraud detection and fraud prevention more explicitly appears to be a weakness in the legislative framework.
One could always suggest that this is a “value-added service”. The “value-added service” option is underutilised, and organisations have requested assistance to explore the option in certain cases regarding personalised content and even personalised advertising. However, the idea of the service is that it is optional, chosen at the discretion of the user/subscriber – rendering it a poor choice for features or functions that are added systematically to every part of the electronic communications service.
III.4. Conclusion on Art. 6 & 9 ePD
In conclusion, Articles 6 & 9 ePD do not appear to add much value in the light of the GDPR’s data protection principles, except as a pointer of how to apply them to the case of telecom providers. The absence of any particular anti-fraud exception brings Art. 6 ePD’s relevance further into question.
IV. Other telecom rules: Articles 7, 8, 11, 12, 14 ePD (telecom-specific)
There are several other telecom-specific rules of less significance in practice, notably on itemised billing, call forwarding and phone directories. The continued existence of the ePrivacy Directive does not depend on these provisions, however, due to their lesser impact on electronic communications.
Because they could very easily be part of the European Electronic Communications Code, these provisions do not require a more in-depth assessment.
V. The “cookie” rule: Article 5(3) ePD (general scope)
Article 5(3) ePD, known as the “cookie rule”, states in effect that the “storage” of information or the “gaining of access” to information already stored in terminal equipment of a subscriber or user is subject to consent, unless such storage/access is:
- strictly necessary for the provision of an information society service explicitly requested by the subscriber or user (the “service” consent exemption), or
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network (the “transmission” consent exemption).
It is important to examine the “storage” and “gaining of access” conditions separately, before looking at the consent exemptions, in order to determine whether Article 5(3) ePD is still desirable, and if so, which changes may be needed.
V.1. Storage of information
Art. 5(3) ePrivacy Directive applies as soon as there is storage of information in terminal equipment, whether as part of the actual storage process or the follow-up action, i.e. gaining of access to information already stored.
In November 2023, over twenty years after the adoption of the ePD, the EDPB published a set of Guidelines for public consultation on the “Technical Scope of Art. 5(3) of the ePrivacy Directive”. In these Guidelines, just as in the final version of the Guidelines published in October 2024, the EDPB adopted a view that had until then not been clearly formulated by authorities, namely that “storage” within the meaning of Article 5(3) ePD covers just about every interaction with a computer, from actual computing storage on hard disc drives and solid state drives to random-access memory (RAM) and CPU cache (paras. 37 & 38 of the final version of those Guidelines).
This position is inconsistent with the ordinary understanding of the word “storage” in computing terms or even with the ordinary meaning of the verb “to store” as defined in dictionaries. RAM and CPU cache are a form of “memory” in computing terms, intended notably to allow the computer to remember values of computing operations for a few microseconds before using them as part of a broader set of computing operations. This “memory” is ephemeral by nature, while “storage” in computing terms is intended to cover the keeping of information for far longer, and certainly more than immediacy.
Information kept in memory is constantly being replaced with other short-term data that comes into use, making memory the live, volatile version of the keeping of information and storage the permanent, durable version.
Nothing in the ePD suggests that the EU legislator ever intended to cover “memory”. Instead, the few illustrations contained in the Recitals to the ePD are clear examples of computer “storage” (and not “memory”).
The reason for this expansive interpretation of “storage” appears to be rooted in an intent to mitigate the likelihood of certain technologies evading the scope of Art. 5(3) ePD – while the provision itself is drafted in a manner that only applies to technologies meeting certain criteria. As will be examined below, though, this appears to stem from a desire to protect instances of personal data processing, raising the question of the relevance of the continued existence of this provision within the framework of the ePD.
The expansive interpretation of “storage” raises various concerns, but it is first worth examining the second condition, “gaining of access”.
V.2. Gaining of access
Next to “storing of information”, the second type of interaction with a device that leads to the applicability of Article 5(3) of the ePrivacy Directive is the “gaining of access to information already stored” in the device.
Because “stored” appears in this scope, it is worth stressing once more that the EDPB in its Guidelines 2/2023 has adopted an expansive interpretation of that notion.
Beyond the broad interpretation of “storage”, the EDPB has also taken a broad view of what constitutes “gaining of access” to information already stored. While an interpretation of this wording based on the ordinary meaning of words would ascribe to “gaining of access” an active connotation, the EDPB has expanded it to also cover the passive receipt of information stemming (at one point) from the user’s device.
This is made clear by the EDPB’s view that the receipt of Internet Protocol (IP) addresses is covered by the “gaining of access” criterion:
“Some providers are developing solutions that only rely on the collection of one component, namely the IP address, in order to track the navigation of the user, in some case across multiple domains. In that context Article 5(3) ePD could apply even though the instruction to make the IP available has been made by a different entity than the receiving one.” (para. 54 of EDPB Guidelines 2/2023)
From a technical perspective, though, an entity that reads IP addresses has received them automatically, without asking for them, because IP addresses are transmitted systematically and automatically as part of every single Internet communication.
The EDPB’s justification for this view is that someone instructed the sending of IP addresses, even though it is not the entity in question, because the transmission of IP addresses is part of the protocol used for Internet communications.
This view fails to consider the fact that this particular protocol, TCP/IP, was introduced in 1974, and that if the EU legislator had intended for the (passive receipt and) use of IP addresses to be covered, this could easily have been mentioned in the ePD in relation to Article 5(3) when the ePD was adopted in 2002.
Instead, (i) the EU legislator mentioned IP addresses solely in relation to an entirely different provision (through Recital 28) and (ii) in relation to Article 5(3) ePD, the EU legislator mentioned another technology that is entirely different and that is not part of every single Internet communication, namely (HTTP) cookies – whose specification was standardised in 1997.
In fact, national regulators in France[7] and Germany[8] considered as recently as 2021 that “gaining of access” requires an active instruction on the part of the entity in question, and that reliance solely on automatic transmission based on communications protocols, such as TCP/IP, does not fall within the scope of Article 5(3) ePD.
Once again, the motivation behind the EDPB’s new interpretation appears to be based on a desire to leave no technology outside of the scope of Article 5(3) ePD – all the while placing the focus on the processing of personal data.
In this context, it is important to look at consent conditions and consent exemptions.
V.3. Consent
Unless one of the two consent exemptions applies, Article 5(3) ePD requires consent – and that consent must comply with the standard of the GDPR (since the GDPR replaced the Data Protection Directive 95/46/EC). While this makes sense in relation to personal data, it is worth stressing Article 5(3) ePD applies to any information, whether personal data or not. This creates tensions when considering the GDPR’s own conditions for consent (which refer to the prospective processing of personal data, not information more generally) as well as the extent to which the EDPB has been broadening the conditions for valid consent (for instance, requiring in its Consent or Pay Opinion[9] that the consequences of processing must be understood by data subjects for their consent to be valid, even though the GDPR does not state this).
This raises concerns from various perspectives, notably:
- Should “consent” only be interpreted based on GDPR requirements to the extent that any technology covered by Art. 5(3) ePD does involve the processing of personal data? What if no personal data is involved? [The judgment of the Court of Justice of the European Union (CJEU) in the Planet49 case[10] said in its paragraphs 66-71 that no difference is to be made between the two scenarios, but this was before regulators started to add conditions to the notion of consent, so there may be room to revisit Planet49.]
- Should regulators who are not necessarily ePD regulators (see further) be permitted to move the goalposts regarding ePD compliance?
- As Art. 5(3) ePD deals with technologies that are not often easy even for regulators to understand, can the EDPB’s suggestion that “informed consent” requires understanding the consequences of processing be taken into account? And if so, can consent ever be truly “informed” in such a technical context?
V.4. Consent exemptions
V.4.A. “Communication” consent exemption
The “communication” consent exemption states in effect that if something is used for the sole purpose of transmission of a communication, there is no need for consent.
However, the EDPB’s stance regarding IP addresses in particular raises important questions in relation to this exception.
As mentioned previously, IP addresses are transmitted automatically as part of every single Internet communication. If IP addresses are deemed to be information stored on a device and if there is any “gaining of access” to it even by way of its automatic transmission (a highly debatable point, as highlighted above), it would make sense to consider that this is “for the sole purpose of carrying out the transmission of a communication”. This would be the case for every single person in the chain of transmission of the Internet communication, from the Internet service provider of the sender to the recipient, namely the website operator in the case of a website visit.
Yet if the website operator already knows that it will be using the IP address to track household-related interactions with a website, that IP address is no longer being used “for the sole purpose of carrying out the transmission”.
If this approach is pushed to its extreme, the communication exception would cease to be applicable even to the intermediaries, requiring consent for every part of the transmission as well.
Even if it is not pushed to its extreme, the website operator itself would be required to have consent even for the transmission part, as the IP address would not be used for the sole purpose of carrying out the transmission.
That can surely not have been the intention of the legislator, as it effectively prevents access to a website without consent even to the transmission of information as foreseen in a protocol that was devised in 1970 and that forms the backbone for all Internet communications.
The practical consequence is that there are only two real options for proper interpretation of Article 5(3) ePD:
- Either the EDPB is wrong regarding the coverage of IP addresses and similar types of information being transmitted automatically by virtue of a general protocol, in which case the “communication” consent exemption can remain as it stands;
- Or the EDPB is right, in which case the only way to maintain a workable “communication” consent exemption is by striking the word “sole” from the text of the law itself.
V.4.B. “Service” consent exemption
The “service” consent exemption has given rise to strict interpretations. The UK ICO has adopted the most explicitly strict position in this respect, stating that the “service” exemption under the UK’s ePrivacy implementation (PECR) only applies if “without it, the service couldn’t be provided on a technical level”, and that the strict necessity for the service should be assessed “from the point of view of the subscriber or user, not your own. For example, you might view the use of advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service. However, they are not ‘strictly necessary’ from the user’s perspective”[11].
This “technical level” approach, “from the user’s perspective”, is a concern that some other authorities have expressed in vague terms in relation to web analytics, i.e. audience measurement. The general idea is that a service can be technically provided to one user without any need to understand how the user interacts with the service.
However, this approach fails to take into account various considerations:
- A general consideration is that such analytics and measurements permit product and service improvements, which in turn enable tomorrow’s service to be better. Improvement is inherent to service delivery, as it enables tomorrow’s service delivery.
- Security and anti-fraud measures follow a similar logic: without them, a service could be provided on a technical level to that particular user, and they are therefore not strictly necessary from that user’s perspective. Yet the ICO explicitly recognises “ensuring the security of terminal equipment” and “preventing or detecting fraud” as capable of being exempt[12], and the EDPB’s predecessor, the Article 29 Working Party, stated in 2012 that “cookies set for the specific task of increasing the security of the service”, such as “cookies used to detect repeated failed login attempts on a website, or other similar mechanisms designed to protect the login system from abuses”[13], could be exempt from consent.
- Legal compliance also follows a similar logic. From a technical perspective, compliance with legal obligations is not required for a service to be provided. Yet Article 5(3) ePD does not include compliance with legal obligations as an alternative to consent, creating difficulties in regulated sectors (such as the telecommunications sector, but also for instance the financial services sector).
In other words, a strict interpretation of the “service” exemption is not only problematic; it is also inconsistent with regulators’ own views of similar scenarios.
V.5. Could one consider repealing those provisions?
With all of the above flaws and concerns, could Article 5(3) ePD be removed entirely?
In this respect, it is first worth looking at who is responsible for enforcement of this provision. In many countries, the authorities invoking Art. 5(3) ePD to sanction organisations are data protection authorities, i.e. supervisory authorities within the meaning of the GDPR (and thus members of the EDPB). In certain others (most notably Finland and the Netherlands), there is a distinction between the Art. 5(3) ePD enforcer and the GDPR supervisory authority. Yet even in those cases, the GDPR supervisory authority itself is actively enforcing compliance with Art. 5(3) ePD.
The Dutch Autoriteit Persoonsgegevens (AP) provides a useful illustration of this, having even written to the Dutch government in March 2025 to point out the fact that the ePD enforcer, the Netherlands Authority for Consumers and Markets (ACM), has the task of supervising the placing of all cookies, while the AP only has supervisory powers regarding “cookies that process personal data”[14] and to request exclusive enforcement powers. Despite the ACM having actual enforcement powers regarding Article 5(3) ePD, the AP is very active in controlling the use of cookies on websites and confirmed in April 2025 that it will “check in a structured manner how things are with cookie banners in the Netherlands”[15], with warnings initially and then likely fines.
The basis for these controls is therefore the GDPR, not Article 5(3) ePD, and it is typically based on lawfulness, i.e. an assessment of the legal grounds for the processing of personal data (typically situations where the authority in question considers that consent would be required). Data minimisation is another principle that can help in assessing whether a particular choice of digital technology (whether cookies or otherwise) is the most appropriate.
From this perspective, a supervisory authority could clearly carry out GDPR enforcement in relation to the use of cookies and similar technologies, even without Article 5(3) ePD. The largest disadvantages for the authority would be (i) the need to properly assess whether any processing of personal data actually takes place (something that it should do today in any case) and (ii) the absence of any possibility to tackle directly any cookie or similar technology that does not involve the processing of personal data.
As regards that second point, though, it is unclear whether this would truly present any unjustified difference in terms of scope compared to the current level of enforcement of Article 5(3) ePD, in the light of the broad definition of “personal data”, and the even broader manner in which the EDPB and its members have been interpreting it (as illustrated by the EDPB’s position in relation to pseudonymisation[16], which seems at odds with the position developed by the Advocate General to the CJEU in the EDPS v SRB case[17]).
Even in the case of non-personal data, other legislation would continue to apply, such as the Data Act’s rights for users in relation to data generated through connected products as well as consumer protection rules and provisions on fair market practices. Misleading practices could still be challenged under the latter rules, including any concerns in relation to so-called “dark patterns”.
Finally, the removal of Article 5(3) ePD would not likely entail the disappearance of the cookie banner, as the mechanism remains an important one for obtaining and managing consent.
V.6. Should these provisions be kept?
Considering the above, it would seem possible to remove Article 5(3) ePD without any actual weakening of the rights of data subjects in relation to “their” information.
It would also have the advantage of limiting the impact of the evolving and maximalist positions of the EDPB in relation to the scope of Article 5(3) ePD, which in effect has been transformed into a law of every interaction with a computer (see position on “storage”) and of every Internet communication (see position on “gaining of access”).
The issues in terms of scope are apparent when looking at scenarios in which the rules would apply under the EDPB’s position.
First, based on the concept of “storage”:
- Any part of a user interface of a website or app, as this gets written to memory, such as custom fonts or even just the design elements such as colours and button sizes;
- Security checks, such as lockout countdowns (to check inactivity, for instance on banking websites or apps);
- Previews for video players (those little thumbnails that you see appear when you drag a progress bar to see where you want to pick up from when watching a video);
- Any calculations going on within a device, such as code that powers a user interface (for instance to show or hide a button);
- Every bit of code that loads on the “client” side (i.e. on the device itself), even debugging code or even code comments.
Next, as regards “gaining of access”:
- Any request from a device to a server to load a web page or app content;
- Every single audience measurement, even the more privacy-friendly solutions that do not seek any device-specific information, simply by virtue of receiving the IP address;
- Any connection made by security researchers / ethical hackers to a server, and conversely any use of IP addresses communicated by those researchers in advance to avoid the activation of countermeasures;
- Any use of IP addresses by a video streaming provider to ensure that people outside an authorised country or territory do not get access to the content (which is nevertheless important to ensure that IP rights are protected);
- Any use of user agent information (= type of browser) or related information to make a website display content in a manner that is more appropriate to the device size and capabilities.
Yet the EDPB’s views of exceptions have meant that consent will be required in most of these situations – including many where consent would defeat the very purpose of the action in question.
For instance, why go for privacy-friendlier audience measurement if consent is required for it anyway? Why would consent of a security researcher or hacker be needed to validate IP addresses that can be used for penetration testing?
If users are asked for consent to load a font to make a user interface work in the custom font or other typeface selected by an organisation in line with its branding, the users might say no and in the process change the entire brand experience, creating differences in experience that are not in line with how an organisation wishes itself to be seen. ePrivacy becomes a law governing branding.
These positions thus increase the likelihood of non-observance, as organisations are less likely to seek consent in such situations (not only because this cannot have been the intention of the EU legislator, but also because this renders the rules unworkable). This in turn is likely to further reduce the likelihood of compliance even within the traditionally accepted scope of Article 5(3) ePD.
In fact, in its “online tracking strategy” published in January 2025, the UK regulator, the ICO, wrote a very encouraging yet legally unusual statement:
“We will explore where PECR requirements to obtain consent for non-essential storage and access technologies prevents an industry-wide shift towards more privacy-friendly forms of online advertising, such as contextual models, and publish a statement outlining low-risk processing activities (such as, potentially, privacy-preserving ad measurement), which are unlikely to cause damage or distress or result in enforcement sanction. We will work with government to explore how it could amend legislation to reinforce this”.
In other words, the ICO recognised that it will not enforce a rule in certain cases, which is in itself a recognition that the rule itself (as interpreted by the ICO, just like the EDPB) is flawed.
Ultimately, these regulatory positions have brought the legal text far beyond anything the EU legislator appears to have intended and can be viewed as bringing into question the very relevance of the rule. A removal of Article 5(3) ePD might then be viewed as more positive for legal certainty than regulators’ view of the provision.
V.7. Conclusion on Art. 5(3) ePD
In conclusion, Article 5(3) ePD cannot be maintained in its current form, as the EDPB’s views of its scope and of consent exemptions are of such a nature as to bring into question the very possibility of compliance with the rule, which in turn calls into question the very validity of the rule. Either Article 5(3) ePD should be removed from the legal landscape altogether, or its scope should be brought back to its traditional interpretation and the consent exemptions should be made workable in a consistent manner.
VI. Unsolicited communications & anti-spam: Article 13 ePD (general scope)
The anti-spam rule, Article 13 ePD, can be summarised as follows:
- Electronic mail cannot be used for direct marketing without consent (Art. 13(1) ePD),
- Except for direct marketing to existing customers in relation to its own similar products or services (provided they have already had and continue to have the opportunity to object) (Art. 13(2) ePD). [called the “soft opt-in” mechanism]
That summary hides some of the complexity, though.
VI.1. Electronic mail
The anti-spam rule applies in relation to “electronic mail”, which is defined as “any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” (Article 2(h) ePD). While it is clear that this covers e-mail and SMS / text messages, as well as direct messages on social media, there are various concerns that remain with this concept.
From a technical perspective, even posts on social media to a whole but “closed” network of connections could be deemed to fit the requirements for “electronic mail”: a post on a closed social media network is “text sent over a public communications network” (when posted online by the author) “which can be stored in the network” (through storage on the servers of the social media provider) “until it is collected by the recipient” (when one of the author’s contacts loads his or her feed of social media content).
Articles 13(1) and 13(2) ePD do not add any conditions.
The title of Article 13 ePD – “Unsolicited communications” – refers to the concept of “communications”, namely the exchange or conveyance of information “between a finite number of parties” (Art. 2(d) ePD), but the concept of “communications” does not appear in the provisions themselves.
At the time of posting, the post is made available to a “finite” (albeit potentially large) number of recipients, namely the (closed) list of social media contacts of the author. However, unlike e-mail forwarding that requires a clear, unambiguous action through which the content is brought to the attention of one or more other recipients, social media posts gain visibility instantaneously to the entire network of a contact of the author as soon as the contact person in question interacts with the post (by commenting on, liking or sharing the post).
In other words, a convoluted interpretation of the law is needed before one can make the anti-spam rule apply to e-mail but not to social media posts. Yet this is absolutely needed, as the consequences would otherwise be that every user on social media platforms must have the GDPR-compliant consent of every other user (whether part of their connections or not) before the former’s content can be shown to the latter. That is of course not what the legislator intended.
A convoluted interpretation is also needed in order to avoid making the displaying of website content “spam”. When a person logs into an account on a website, some of the content is personalised, such as the appearance of that account’s username (even in the user account management area). Put differently, this particular content is directed towards that user specifically and individually – information that is conveyed between a finite number of parties, namely the website operator and that specific user (and only that user). From a technical perspective, the content of the webpage is also “in the network” (as the information that constitutes that web page comes from information spread across one or more databases, combined a fraction of a second before the page reaches the user’s Internet connection). Is it truly “stored” in the network? This raises once more the discussion of “memory” versus “storage”. If regulators are permitted to hold on to their interpretation that “storage” covers computer memory as well, then the anti-spam rules are also relevant in relation to the mere loading of a webpage.
Even the “until collected” condition is unhelpful in this respect, as it does not work properly even in relation to e-mail today due to the dominance of IMAP (a protocol that ensures synchronisation between the mail system and mailboxes on the user’s phone and computer). The idea of collection – just like when a letter is collected by the recipient from the post office where it is stored – worked with SMS as well as e-mail using POP, another protocol that is far less used today. With IMAP, it is as if a recipient goes to the post office and receives a copy of the letter and envelope, and the recipient can go any time to the post office again to fetch a new copy – just like with any web content.
In short, the definition of “electronic mail” does not give sufficiently objective and tangible criteria for organisations to make a proper technical assessment on their own of various kinds of situations.
VI.2. Soft opt-in
The soft opt-in mechanism foreseen in Art. 13(2) ePD has its own share of issues too.
First, the soft opt-in condition only applies to the natural or legal person who obtains the contact details from the customers in question, and it only applies if that same natural or legal person is the one using the contact details for direct marketing. This creates significant difficulties as soon as a company grows or becomes part of a corporate group, whether organically through growth and specialisation or as a result of an acquisition, as it must then work with complex structures just to permit direct marketing. Regulators have been firm in this respect, in accordance with the position made clear by WP29 two decades ago: “only the same natural or legal person that collected the data may send marketing e-mails. For instance, subsidiaries or mother companies are not the same company”[18].
Next, the idea that this direct marketing can only be in relation to “own similar products or services” raises serious concerns for certain business models:
- “Own”: Any time someone is not the creator or manufacturer of a product or service, the question of what is an “own” product or service arises. A reseller could argue that the products that it sells are its “own”, because it has bought them from its supplier. With other forms of commercial relationships, such as commercial agency, this condition makes the assessment harder.
- “Similar”: Another issue relates to what is similar. Some supermarkets consider that all that they sell are consumer goods and thus “similar”; some energy companies consider that solar panel installations, gas boiler maintenance and electricity provision are all “similar” too because they are part of a broader category of goods and services that is perceived as similar by the consumer. Some regulators have stressed that only the “objective perspective (reasonable expectations) of the recipient”[19] should be taken into account, but this point of view has not yet been supported or brought into question in case law.
VI.3. Solicited communications
While the title of Article 13 ePD refers to “unsolicited communications”, the ePD never addresses the fate of “solicited communications”, nor does it explain what criteria can be used to assess whether a communication is solicited or not.
The Belgian Data Protection Authority’s recent guidance on direct marketing merely states without explanation that Article 13 ePD only applies to “unsolicited” communications[20], but it does state earlier in its guidance on GDPR legal grounds that it can imagine certain “theoretical” situations where contract could be used as a legal ground, where “the purpose of the agreement between the data subject and an organisation is precisely and exclusively to send direct marketing communications, and the personal data provided will therefore be processed solely for this purpose”[21].
In practice, this could for instance be a form of subscription to coupons and discounts.
Some national implementations have made the “unsolicited” aspect clearer, such as the UK’s implementation in Section 22 of PECR (Privacy and Electronic Communications Regulations), but they are the minority.
Section 22(1) and (2) PECR state the following:
“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
This provision makes it clear that electronic mail is purely the technical means of conveyance of the message, and that if that message is “solicited” in any way, it will not be covered by the anti-spam rule.
However, if an anti-spam national implementation does not explicitly exclude solicited communications, there can be a real tension between GDPR compliance (which could permit reliance on contract as a legal ground) and ePD compliance (where the options appear to be “consent, soft opt-in, or prohibition”).
VI.4. Could one consider repealing those provisions?
Removing the anti-spam provision would have the effect of removing a statutory consent requirement in various cases. However, this does not mean that spam would be permitted.
Regulatory practice and case law under the GDPR have shown that regulators and courts are unafraid to strongly discourage or even exclude certain legal grounds in certain cases. For instance, many regulators and courts consider that profile-based advertising requires consent, on the basis that consent is the only permissible legal ground in the light of the (perceived) intrusiveness of the relevant processing (even though the reasons given could be challenged).
In this context, nothing would prevent them from holding that in the light of the unsolicited nature of such direct marketing by electronic mail and its intrusiveness, only consent is available as a legal ground under the GDPR (as an equivalent to Art. 13(1) ePD), except in circumstances such that a balancing of the (commercial) legitimate interest of the organisation prevails over the rights and freedoms of the recipient (as an equivalent to Art. 13(2) ePD).
It would require authorities to develop an argument in support of their position, one that could be challenged if not strong enough, but the possibility of requiring consent by default would still exist.
VI.5. Should these provisions be kept?
The complications that the EDPB’s interpretation of “storage” in relation to Art. 5(3) ePD create for Art. 13 ePD mean that in practice either the EDPB’s interpretation must go, or Art. 13 ePD itself must go. The third option – keeping both intact – would in effect make Art. 13 ePD the law of every web connection.
The difficulties in interpretation of key concepts (“electronic mail” but also the key concepts of the soft opt-in rule) make any enforcement of Art. 13 ePD more difficult as well.
In combination, as long as the EDPB’s interpretation on “storage” remains unchanged, the provision presents significant issues, but even without it the provision should be adapted to resolve outstanding interpretation problems.
VI.6. Conclusion on Art. 13 ePD
In conclusion, Article 13 ePD cannot be maintained in its current form, in particular as a result of the EDPB’s evolving views regarding “storage” and as a result of other difficulties in interpretation. Either Article 13 ePD should be removed from the legal landscape altogether, or its scope should be more clearly defined (to avoid potential misuses) and its consent exemption, the soft opt-in mechanism, should be made workable for organisations of all sizes, including corporate groups.
VII. Conclusion: whither ePrivacy?
The ePrivacy Directive was a significant piece of legislation when it was adopted in 2002 and when it was amended in 2009. When discussions started about a replacement, the proposed ePrivacy Regulation, the possibility of repeal was examined, but the conclusion of the contractor appointed by the Commission had been that this would be the “worst” option for citizens, compared to four other options – with the “measured” option having formed the basis for the ePrivacy Regulation proposal.
An in-depth look at the provisions themselves and the current statutory framework, however, paints a very different picture, such that a repeal of the ePrivacy Directive does not appear to have the negative consequences the Commission was told would occur. NIS2, the GDPR, the Data Act and several legislative evolutions help create a situation in which the ePrivacy Directive could in fact be repealed.
Perhaps even more importantly, regulatory positions have given additional weight to the argument in favour of repeal at least of certain provisions.
Ultimately, the issue that should be examined by legislators and regulators alike is double-edged: if the ePrivacy Directive is to survive, maximalist interpretations by regulators should be set aside clearly. Failure to do so will only increase the likelihood and weight of calls to repeal the ePrivacy Directive, as compliance will simply be impossible.
The ICO’s recognition that it will not enforce the UK’s implementation of Article 5(3) ePD in certain cases is in itself a recognition that the rule itself (as interpreted by the ICO, just like the EDPB) is flawed.
Yet a law is only as good as its observance, and “Better Regulation” means not only improving existing laws and writing new ones better – it also means repealing laws that simply cannot be complied with.
[1] Commission staff working document impact assessment accompanying the document proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 16 January 2017, 2017/0003 (COD), 5358/17 ADD 3, p. 156.
[2] European Commission, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 10 January 2017, COM(2017) 10 final, Explanatory memorandum, section 1.2.
[3] European Data Protection Board, Guidelines 9/2022 on personal data breach notification under GDPR, Version 2.0, Adopted 28 March 2023, pp. 9-10.
[4] Ibidem, p. 18.
[5] Belgian Data Protection Authority, decision 64/2020 of 29 September 2020.
[6] Ibidem, para. 28.
[7] CNIL intervention during an online conference of 22 January 2021 organised by French trade associations, available online at https://www.dailymotion.com/embed/video/k1CBd9Y3iOEm6wwCvb1, in which CNIL representatives stated that the use of TCP/IP is specifically not in scope of the ePD provided that no cookie is passed in the HTTP request. In addition, they stated that the automatic receipt of IP addresses does not constitute a “gaining of access” to users’ devices.
[8] Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder, 20 December 2021, Guidance of the supervisory authorities for providers of telemedia (Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von Telemedien), available online at: https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf
[9] EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, 17 April 2024.
[10] Court of Justice of the European Union, 1 October 2019, C-673/17, EU:C:2019:801.
[11] Information Commissioner’s Office, Guidance on the use of storage and access technologies, 20 December 2024, available online at https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/what-are-the-rules/#what_is_the_strictly_necessary_exemption
[12] Ibidem.
[13] Article 29 Working Party, Opinion 04/2012 on Cookie Consent Exemption, 7 June 2012, WP 194.
[14] Autoriteit Persoonsgegevens, 26 March 2025, letter to the Minister for Economic Affairs, Proposal AP regarding supervisory competence on cookie provision (Voorstel AP aangaande toezichtbevoegdheid cookiebepaling).
[15] Autoriteit Persoonsgegevens, 8 April 2025, Wrongful cookie banners modified after intervention AP (Foute cookiebanners aangepast na ingrijpen AP), rough translation. Original in Dutch: “De AP gaat de komende jaren structureel controleren hoe het staat met de cookiebanners in Nederland”.
[16] EDPB, Guidelines 01/2025 on Pseudonymisation, 16 January 2025.
[17] Advocate General Spielmann, Opinion in case C‑413/23 P, 6 February 2025, EU:C:2025:59.
[18] WP29, Opinion 5/2004 on unsolicited communications for marketing purposes under Article 13 of Directive 2002/58/EC, 27 February 2004, p. 9.
[19] See WP29, Opinion 5/2004 on unsolicited communications for marketing purposes under Article 13 of Directive 2002/58/EC, 27 February 2004, p. 9.
[20] Belgian Data Protection Authority, Recommendation 01/2025 relating to the processing of personal data in the framework of direct marketing, 10 March 2025, p. 59.
[21] Belgian Data Protection Authority, Recommendation 01/2025 relating to the processing of personal data in the framework of direct marketing, 10 March 2025, p. 45 (rough translation).
