The study examines whether the ePrivacy Directive has achieved its intended effects and puts forward recommendations for future revision. It does so on the basis of evidence on the transposition of the ePrivacy Directive in the Member States and of an in depth analysis of the implementation and enforcement of key provisions. The study also assesses how the ePrivacy Directive and the proposed Data Protection Regulation (GDPR) will operate together.
The study notes that national provisions on topics such as cookies, traffic and location data, or unsolicited communications, adopted pursuant the ePrivacy Directive, frequently have a different scope of application than the one defined by Article 3 of the ePrivacy Directive, which is limited only to providers of publicly available electronic communication services (i.e. traditional telecoms companies). It finds that the limitation of the scope of the Directive only to providers of electronic communications services is ambiguous and may give rise to unequal treatment if information society service providers using the Internet to provide communication services are generally excluded from its scope. To remedy this situation, it recommends extending the scope of the ePrivacy Directive in general to also the latter type of services.
The study also considers that the rules on cookies and similar techniques may have not entirely achieved their objectives, given that users receive too many warning messages which they do not properly consider. Therefore, the study recommends maintaining the current opt-in approach to cookies, but limiting it only to situations where there is an interference with users' privacy (including websites serving third party cookies for behavioural advertising purposes, excluding analytics cookies). This result may be achieved, for example, by broadening the exceptions to the cookie consent rule (which allows the placing of cookies in the users' terminal equipment or equivalent web-tracking techniques only with the users' prior and informed consent).
The study findings will feed into the forthcoming review of the ePrivacy Directive, not before the adoption of the General Data Protection Regulation.
The documents below include, other than the report and its annex, also a mapping of the relevant implementing measures ("Concordance Table") and the relevant enforcement authority ("Enforcement "Authority") for each of the relevant provision of the ePrivacy Directive in each Member State as a structured dataset.