The ePrivacy Regulation will replace the ePrivacy and Electronic Communications Directive 2002, which was implemented in the UK in 2003. The fact that it is a regulation is important, as this means it will be a legal act and will be immediately enforceable in its entirety across all EU member states, as opposed to a directive, which allows states to introduce their own mechanisms, provided they match the spirit of the original directive.
Where GDPR is focused on protecting personal data, the ePrivacy Regulation is more about protecting personal privacy (both for individuals and businesses) across electronic communications. The distinction is important, as you’ll see when this article talks about the scope of the ePrivacy Regulation and the kinds of services it applies to.
What does ePrivacy Regulation cover?
The most important question at this point is: What does the ePrivacy Regulation actually cover? The regulation states that “electronic communications data should be defined in a sufficiently broad and technology-neutral way so as to encompass any information concerning the content transmitted or exchanged… and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication.”
Communications are protected regardless of whether the data is transmitted by wire, radio, optical or electromagnetic methods. That means communication data sent via satellites, cables, fixed networks, and electricity cable systems falls under the ePrivacy Regulation.
Such data should always remain confidential, and any interference with the communication of that data, either directly by a human or through automated processes, without the consent of the user, is prohibited.
Interference in this context can occur at any time during the transfer of that data or metadata, including during its transmission and at its destination. For example, listening to calls, scanning of electronic messages, monitoring of visited websites, and the monitoring of interactions between users all constitutes a breach of the regulation.