
Electronic-Communications

ePrivacy Directive

The ePrivacy Directive complements the GDPR for the electronic communications sector. It protects the confidentiality of communications, prohibiting interception or surveillance without user consent or legal authorization. For cookies and similar tracking technologies, it requires informed consent before placing non-essential trackers on user devices. The directive also regulates unsolicited communications: email marketing requires prior opt-in consent, while telephone marketing may use opt-out depending on member state implementation. Traffic data (who contacted whom, when, from where) and location data receive special protection and may only be processed with consent or when anonymized. A proposed ePrivacy Regulation has been under negotiation since 2017 to update these rules for modern communications services including OTT messaging apps.

ECPA

The Electronic Communications Privacy Act of 1986 established the legal framework for government access to electronic communications in the US. It has three main parts: Title I (Wiretap Act) requires warrants for real-time interception of content. Title II (Stored Communications Act) governs access to stored communications with varying standards—a warrant for content under 180 days old, but only a subpoena for older content (though DOJ policy now requires warrants). Title III (Pen Register Act) covers metadata collection with minimal judicial oversight. ECPA’s framework predates cloud computing and treats email stored on servers differently than physical mail. Courts have struggled to apply 1986 concepts to modern services. The CLOUD Act amended ECPA to clarify extraterritorial application. For international users, ECPA’s relatively weak protections for stored data and metadata are a concern when using US services.