Statement of the EDPB on the revision of the ePrivacy Regulation and its
impact on the protection of individuals with regard to the privacy and
confidentiality of their communications
The Data Protection Authorities of the European Union, united in the European Data Protection
Board, consider that the revision of the current ePrivacy Directive (2002/58/EC, amended by
2009/136/EC) is an important and necessary step that has to be concluded rapidly. The use of
IP based communication services has become widespread since 2009, and these ‘Over-the-
Top’ services are currently not covered by the existing Directive; in order to ensure that end-
users’ confidentiality of communications is protected while using these new services and to
create a level playing field for providers of electronic communication and functionally
equivalent services, we call on the European Commission, Parliament and Council to work
together to ensure a swift adoption of the new ePrivacy Regulation, replacing the current
Directive as soon as possible after the coming into effect of the General Data Protection
Regulation in May this year.
Given the developments in deliberations on the proposal, and for the benefit of the co-
legislators, the EDPB has decided to offer further advice and clarifications on some specific
issues raised by the proposed amendments by the co-legislator.
1. Confidentiality of electronic communications requires specific protection beyond the
GDPR
Confidentiality of communications (the modern equivalent of the traditional postal secrecy of
correspondence) is a fundamental right protected under Article 7 of the Charter of Fundamental
Rights of the European Union, already implemented by the ePrivacy Directive. This right to
confidentiality must be applied to every electronic communications, regardless of the means
by which they are sent, at rest and in transit, from the sender to the receiver, and must also
protect the integrity of every user’s terminal equipment.
Electronic communications are the keystone of many essential activities of our modern
societies, since they support the exercise of many fundamental rights such as freedom of
thought, conscience, religion, expression, information, assembly, association, etc. Reinforcing
the confidentiality and neutrality of the messaging services delivering our communications is
therefore a necessity.
Given the importance and the widespread use of electronic communications in our digital lives,
they are very likely to contain, or to reveal, special categories of personal data, either explicitly
or because of mere accumulation and combination of electronic communications content or
metadata, which can allow very precise conclusions concerning the private lives of the people
to be drawn, implying high risks for their rights and freedoms, and should therefore be treated
accordingly.
Therefore, we fully support the approach of the proposed Regulation, based on broad
prohibitions, narrow exceptions, and the use of consent. Accordingly, there should be no
possibility under the ePrivacy Regulation to process electronic communications content and
metadata based on open-ended grounds, such as ‘legitimate interests’, that go beyond what is
necessary for the provision of an electronic communications service. Furthermore, there should
be no possibility under the ePrivacy Regulation to process electronic communications metadata
for the performance of a contract, meaning that there should not be an exception based on the