As part of the European Digital Market Strategy, the European Commission proposed an overhaul to the e-Privacy Directive (ePD), the EU’s primary law regulating the privacy of electronic communications. The proposed e-Privacy Regulation (ePR) would update the outdated ePD, resolve conflicts between the ePD and newly- implemented GDPR, and expand the law’s scope to include non-traditional communications providers.

This paper analyzes the anticipated impact of the ePR on digital economic growth and privacy protections in Europe. It identifies weaknesses in the current proposal and suggests a series of revisions. Specifically, the scope of the ePR should cover OTTs and ancillary service providers, but M2M service providers should be excluded. The ePR’s data processing criteria should more closely align to the GDPR, so regulators should liberalize the current consent-based approach by permitting processing for a prevailing legitimate interest. The ePR grants Member States broad discretion in establishing their own enforcement mechanism, which will result in inconsistent implementation across the EU. This discretion should be limited to reduce variation in ePR enforcement. Finally, the penalty provisions adopted from the GDPR are too stringent, going beyond what is necessary for deterrence and risking economic growth in the digital sector. The range of possible penalties should be narrowed and the maximum penalties reduced. Overall, the ePR should be adopted to update the ePD in light of the GDPR and technological innovation, but it requires additional revision avoid imposing unnecessary administrative burdens on Europe’s digital economy.