Data Privacy and Security: What’s the Difference?
Information has always been a form of currency in society—from buying...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: December 9, 2022
Published: July 8, 2020
The European Union takes the flow of data seriously. They recognize that data is a representation of our private lives that can be used to undermine our autonomy. We may choose to relinquish our data, but it should always be our choice.
You’re probably aware of the General Data Protection Regulation (GDPR), but there’s another important piece of privacy legislation that completes the EU’s data security framework: the ePrivacy Directive.
The ePrivacy Directive (ePD) is an older piece of legislation, enacted in 2002 and amended in 2009. It requires each EU Member State to pass their own national laws on data protection and privacy. It regulates several important issues, such as consent, confidentiality, spam, cookies, and treatment of traffic data.
The purpose of the ePD is to align national protections of EU fundamental rights - namely the rights to privacy, confidentiality, and the free movement of data. It applies to the processing of data in connection with electronic communication services. Its main provisions include:
Article 5 is the most important section for website owners. This section directs the 27 EU Member States to create laws that state websites may only store information or gain access to information already stored on users’ devices if they have provided users with clear and comprehensive information about the purpose of the processing and received user consent.
Recital 17 of the ePD explains how consent can be obtained. It offers a few appropriate methods, but one is most popular: ticking a box when visiting a site. This method is called a “cookie consent banner” (and why the ePD is commonly called the “EU cookie law.”) You’ve probably seen a lot of banners lately like this one on Osano's website.
On October 1, 2019, the highest legal entity of the EU, the Court of Justice of the European Union, ruled that consent can not be implied. It must be explicit. That means a note in the footer that says “By using this site you agree to let us use cookies…” or a pre-checked box aren’t sufficient. The user must actively consent.
While there’s plenty of overlap between ePD and the GDPR, they do not conflict. The GDPR deals generally with the rules of processing personal data. The ePD, however, focuses on the right to privacy and the right to freedom of communication, two rights in the EU Charter of Fundamental Rights. In a sense, the ePD elaborates on the GDPR in regards to electronic communications.
The ePrivacy Regulation (ePR) is an upgrade to the ePD. It’s intended to complete the GDPR. When it passes, it will override the many country-specific laws and create a single data protection standard for electronic communications in the EU. It broadly applies to traditional telecommunications service providers and over-the-top communications services such as instant messaging apps, social media platforms, webmail, voice- and video-calling services, and machine-to-machine communication services.
What’s the difference between a regulation and a directive? A directive is a flexible legislative instrument. It’s an objective EU Member States must meet. States can implement a directive however they like as long as they achieve the desired result. They can adapt their existing law or pass new ones.
A regulation, however, is more powerful than a directive. Once passed, a regulation is binding across all EU Member States. It becomes enforceable on its set date. It does not need to be transposed into law at the state level as it supersedes existing state law.
The GDPR, for example, is also a regulation that replaced a directive (the Data Protection Directive). The change from an ePrivacy Directive to an ePrivacy Regulation will be equally impactful.
Why change from a directive to a regulation? Because state laws are all different. A single regulation makes things simpler for everyone to do business with each other. As European Commissioner Andrus Ansip puts it:
"All this will mean the same level of protection for everyone in the EU. It also cuts red tape for European businesses. They will have just one set of rules to deal with, not 28."
There has been significant evolution in electronic communications over the last decade, which is why the Directive is now considered obsolete. ePR aims to modernize and harmonize existing law around electronic communications. According to the EU Commission, the ePrivacy Regulation will...
The ePR is designed to complement the GDPR. Whereas the GDPR provides a framework for activities involving personal data, the ePrivacy Regulation will apply the framework to privacy in electronic communications. If ePrivacy conflicts with the GDPR in any way, ePrivacy will override the GDPR.
Like the GDPR, ePR is extra-territorial. It would apply to companies offering services in Europe, not just EU-based companies. And it includes serious penalties - up to 2% or 4% of a company’s global annual turnover).
Additionally, people and businesses in the EU are prohibited from transferring data to countries outside the EU unless those countries are deemed to have an adequate level of data protection. The US does not meet the “adequate level” requirement as it lacks comprehensive federal legislation equivalent to the ePD and GDPR. US businesses and organizations can use the US Privacy Shield to obtain an adequacy agreement with the EU, allowing the transfer of data between US and EU entities.
The European Commission's proposal came out in January 2017. It was supposed to pass in May 2018, but EU institutions are still trying to reach a consensus. As of June 2020, EU legislators are still debating the language. There’s no guarantee that it will pass at all. If ePR fails to pass, ePD still applies.
Year | Event |
1995 | GDPR predecessor Directive 95/46/EC is adopted |
2002 | ePrivacy Directive |
2012 | First GDPR proposal |
2014 | GDPR predecessor Directive 95/46/EC is adopted |
2015 | EU Council, Parliament and Commission reach an agreement on the first draft |
2016 | EU Council and Parliament adopt new Data Protection Regulation |
2018 | GDPR is implemented. No consensus on ePrivacy reached |
2020/21 | Expected implementation of ePrivacy Regulation |
Businesses and organizations are holding up the legislation because their models are based on exploiting online activity, which means ePR will require big changes on their end. On the other hand, consumer protection groups want stronger protections, especially in the light of data misuse scandals like the Facebook-Cambridge Analytica mess that highlight our need to protect people from data-driven business models.
Regardless of when the EU will enact the ePR, the breadth of the regulation and its potential penalties mean companies inside the EU and abroad should take it seriously today. It’s important to use this time to work toward compliance.
Osano's consent management software is the most popular cookie consent solution on the planet, serving more than 2 billion consents per month across 3.5 million websites. Our private, fast quantum blockchain records every single visitor consent.
If you want to comply with the current ePrivacy Directive and the upcoming ePrivacy Regulation, get started with Osano now.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.