ePrivacy Regulation

ePrivacy Regulation

posted in Backup & Recovery ● 17 Oct 2017

There has been a lot of talk about how to become compliant with data laws and regulations in the coming months, especially around GDPR. However, the European Council has also proposed a second regulation designed in line with GDPR to form the two pillars of data protection across Europe. The Regulation on Privacy and Electronic Communications (ePrivacy Regulation), is designed to reinforce trust in and security in the Digital Single Market, a sector of the European single market that covers digital marketing, E-commerce and telecommunication.

‘This regulation applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services and to information related to the terminal equipment of end-users’

All processors and controllers who look after electronic communications will have to ensure compliance with the regulation, as well as the GDPR. Throughout the regulation there are regular references to the GDPR.

When is the regulation going to take effect?

Despite not being as well known as the GDPR, the date for compliance with the ePrivacy Regulation is the 25th May 2018, the same day as the GDPR. As the regulation has stipulations around the use of electronic communications data created by software applications, software implemented before May will have until August to become compliant.


Key points of the ePrivacy Regulation

The ePrivacy Regulation is being put into place to strengthen the protection that European citizens have. As with the GDPR, there are updated definitions relating to the regulation, these are set out in Article 4 of the regulation, some of the key ones are:

Electronic Communications Data is defined as electronic communications content and electronic communications metadata.

Electronic Communications content is defined as the content exchanged by means of electronic communications services, such as text, voice, video, image and sound.

Electronic Communications Metadata is defined as data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content.

These new definitions aim to give clarity to the regulation and the data processors and controllers who will have to adhere to it.


One key area under the new regulation is the protection of data and the stance that ‘Electronic Communications data shall be confidential’. This will protect users from having their sensitive data such as text or email messages from being accessed by service providers and other organisations. Article 6 under the regulation sets out the conditions for the confidentiality of data to be removed, however the stated reasons for this include the need to have consent from the user. In line with the GDPR the definition for consent has also been updated.

Consent is defined as any freely given, specific, informed and unambiguous indication of the data subjects wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


Chapter V: Penalties

Chapter V of the regulation documentation sets out all remedies, liabilities and penalties that can be enforced following a breach in compliance. These include the right to compensation for data-subjects. Different articles within the regulation, when breached, carry their own penalties, penalties which are the same as those posed by the GDPR.

The maximum penalty that can be given by the data regulation authority involved is up to €20million or 4% of global revenue. This penalty can be given should an undertaking (serious data breach) occur or if Articles 5, 6, 7 or 18 be breached.

  • Article 5 is the Confidentiality of Electronic Communications Data.
  • Article 6 is the Permitted processing of Electronic Communications Data.
  • Article 7 is the Storage and erasure of Electronic Communications Data.
  • Article 18 refers to the responsibilities of Independent Supervisory Authorities.

Penalties of €10million or 2% of global revenue can also be given (A8, A10, A15, A16) and for some Articles the decision of the penalty imposed falls to the member state.



Redstor have been helping organisations to comply with data protection laws and regulations for almost 20 years. As a specialist in protecting and securing data, Redstor have helped organisations adhere to the Data Protection Act (DPA), the School Financial Value Standards (SFVS) and other industry specific regulations. With the impending General Data Protection Regulation (GDPR), Redstor is committed to helping all organisations comply.

See the future of data management. Now

Watch our product demos to find out more about our solution.

The cyber criminals exploiting coronavirus panic

Reading, 20 March 2020 – Cyber hackers are preying on the public’s fear of Covid-19 to spread their own harmful viruses. According to multiple cybersecurity experts, the spike in phishing techniques, fraudulently claiming to come from an official source is the worst in years.

Continue reading

How to keep business healthy during outbreak

Reading 12 March 2020 – Up to a fifth of the UK’s workforce are likely to be off sick at the peak of the coronavirus pandemic, according to the Government’s best estimations.

Continue reading

Is your medical practice a top ransomware target?

Reading, 17 January 2020 – Since the early 2000s, medical professionals have increasingly been choosing electronic patient records over paper. Although digital records are certainly easier to access and harder to lose or destroy, they are by no means immune to disaster – and organisations have more to worry about than just fires and floods.

Continue reading