In today’s digital landscape, where personal data is constantly being processed, tracked, and stored, privacy laws are more critical than ever. One of the most significant regulations in the European Union’s privacy framework is the ePrivacy Directive. While often overshadowed by the General Data Protection Regulation (GDPR) and the many regulations that emerged recently, the ePrivacy Directive plays a crucial role in protecting electronic communications and ensuring online privacy. Despite the initial optimism regarding the EU normative leadership, times have changed. In February 2025, the EU Commission withdrew the AI Liability Directive and the ePrivacy Regulation proposals, among other initiatives.
The evolution of the ePrivacy Directive
The ePrivacy Directive (Directive 2002/58/EC) focuses on the confidentiality of electronic communications. Adopted in 2002 and amended in 2006 and 2009, the directive sets rules for privacy in digital communication services, including emails, phone calls, messaging apps, and internet browsing. Its scope of application covers the processing of personal data through electronic communication services offered in the EU for both individuals and businesses.
Certain processing operations may be subject to both, the GDPR and the ePrivacy Directive’s rules, and authorities must consider both provisions when assessing compliance, for example, the use of cookies to collect personal data through a website. To this end, the European Data Protection Board (EDPB) has addressed this interplay in its Opinion 5/2019. The EDPB noted that when a processing activity triggers the material scope of both regulations, data protection authorities are competent to oversee compliance. The GDPR regulates this relationship in Article 95, in which the ePrivacy Directive is acknowledged as lex specialis.
One of the ePrivacy Directive’s core principles is ensuring that users’ communications remain private and secure, requiring service providers to obtain consent before processing any personal data. The directive also applies to various tracking technologies, such as cookies, which led to what is now commonly known as the “cookie law.”
The ePrivacy Directive was amended in 2006 by the Data Retention Directive (2006/24/EC), requiring telecommunications providers to store metadata (such as call logs, IP addresses, and text message details) to assist law enforcement in investigating serious crimes, including terrorism and organized crime. However, the directive faced significant legal challenges and, in 2014, it was struck down by the Court of Justice of the European Union (CJEU), ruling that it violated the principle of proportionality.
One of the most significant changes to the ePrivacy Directive came in 2009 when the EU introduced stricter rules on cookies and similar tracking technologies. As a result, websites were now required to obtain informed consent from users before storing or accessing data on their devices, a policy that led to the familiar cookie pop-ups seen across the web today.
Before this amendment, websites could place cookies on users’ devices without explicit consent, often tracking browsing behaviour for advertising purposes. The new rules aimed to give users greater control over their online privacy, ensuring that websites could not track them without clear permission. While the regulation improved transparency, it also led to criticism, as some users found cookie pop-ups intrusive and disruptive to the browsing experience. The constant need to decide whether to consent or not to non-essential cookies such as analytics or advertising created unexpected effects, which experts call “cookie fatigue”.
A need for change: the long-awaited ePrivacy Regulation.
Nevertheless, in the same context that led to the birth of the GDPR, the EU Commission, following a review of the ePrivacy Directive, announced it was considering simplification of cookies provision and adjustment of its scope and potential application of some of its rules, for example, those relating to confidentiality. It also planned to include Over-the-top (OTT) online communications services such as WhatsApp and Telegram, in the Regulation’s scope, ensuring a harmonised approach and fostering a data-driven economy.
The text was put forward by the EU Commission in 2017. However, the proposed text faced significant delays due to disagreements over balancing privacy rights with business interests. Since 2020, negotiations have stalled, while the DSA, DMA, and DORA have been praised for strengthening the EU digital single market and regulating tech giants.
EU Competitiveness First: A shift of priorities
The new work programme for the Commission revolves around policy objectives of competitiveness, simplification and innovation. The work programme emerges from a growing policy debate over the EU’s future as an economic powerhouse, mostly exemplified by the Draghi Report. The Dragui Report and its political sibling, “A competitiveness compass for the EU” stress the need and laid out a plan to foster economic dynamism, decarbonisation and reducing dependencies through competitiveness and innovation to ensure economic growth and overall security.
As a result of this shift, among the more than 30 withdrawal proposals are the ePrivacy regulation on grounds of lack of agreements from the co-legislators, the European Parliament and the Council of the EU, and the need for a new approach in line with the recent legislations and technology development. Similar is the reason for the withdrawal of the proposed AI Liability Directive, less than a year after the big splash announcement of the adoption of the AI Act as the first law worldwide regulating AI.
It seems that the EU’s regulatory optimism has faltered. The work programme for 2025 presents a new plan for Europe’s sustainable prosperity and competitiveness. Competitiveness is the EU Commission’s top priority. In the digital field, the objectives are fostering digital infrastructure under a proposed Digital Network Act and Quantum Act and improving access to data, supported by a Cloud and AI Development Act. Both initiatives are part of the “Omnibus package”, which is centred on simplifying legislative obligation, aiming to reduce administrative burdens by at least 25% for small European companies and increasing European competitiveness, echoed the famous Draghi Report.
The proposed ePrivacy Regulation faced strong criticism since the beginning. Big tech companies such as Amazon and Google, have engaged in heavy lobbying against it. In addition, for many in the publishing sector, the ePrivacy Directive is a flawed piece of legislation in which its consent-based approach affects ad-funded journalism revenue and overwhelms individuals with consent requests. The withdrawal of the proposed regulation offers an opportunity to debate a more balanced approach towards electronic privacy. The debate over regulation and economic development is far from being a new trend, but recent developments have returned it to the spotlight. A fair compromise is necessary to ensure European competitiveness and protect the EU’s fundamental rights. These objectives are not mutually exclusive, but finding an equidistant arrangement is challenging. The pendulum now seems to have swung more toward competitiveness and innovation.
The Future of Digital Privacy in the EU
International events, such as the protectionist and confrontational behaviour of the Trump Administration and the new developments in the war in Ukraine coupled with sluggish economic growth, have contributed to this new policy orientation. The EU Commission is now discussing a new omnibus package, which will possibly include the simplification of GDPR rules concerning retention of records to ease the burden on smaller organizations.
Despite the shifting political priorities, reflecting a broader recalibration of priorities toward competitiveness and regulatory simplification, ePrivacy concerns remain at the heart of the EU’s digital framework. The withdrawal of the proposed regulation does not affect the ePrivacy Directive, which remains in force. In the past few years, big tech companies were fined millions due to cookie violations. In 2022, the French authority, CNIL, imposed fines on Google and Facebook which combined surpassed 200 million euros.
Overall, the need for a new framework for electronic privacy is unequivocal. From both user and provider perspectives, the consent-based model needs adjusting to address the “cookie fatigue” and burden on small and medium online businesses. Beyond this reorientation, it is necessary to consider how this new framework would align itself to the already enforced GDPR, DMA and DSA provisions to protect the fundamental right to privacy without thwarting economic dynamism. In doing so, it should prioritize transparency, user control, and scalable compliance mechanisms that reduce friction for businesses while maintaining robust privacy protections.
Suggested citation:
Elio Machado Neto, ‘The ePrivacy Regulation: Overlooked Once More in the Reshuffle of Cards’ (Comparative Digital Law Blog, 07 April 2025) <https://lawandtech.ie/the-eprivacy-regulation-overlooked-once-more-in-the-reshuffle-of-cards/>.
Elio Machado Neto is an Associate at Zeidler Group and a European Master in Law, Data and Artificial Intelligence (EMILDAI) graduate. In addition, he volunteers as Research Associate at the Policy and Quality Assurance Unit of the Erasmus Mundus Association (EMA).
