Updated Sep 23, 2022

Meanwhile, Directive 2002/58 continues to inspire case law, including the lifting of anonymity on the Internet for the purpose of tracing the authors of unlawful statements published on the InternetHowever, the directive concerns communications between individuals (private correspondence) and not the writing of public statements online (CJEU, gde. ch., Oct. 6, 2020, aff. C-511/18, C-512/18 and C-520/18) 


The Draft Regulation ePrivacy proposed by the European Parliament and Council on
January 10, 2017, aims to respond to the concerns of European citizens  on the protection of their data
personal information stored on their smartphones, tablets, laptops,
etc., by strengthening the rules applicable to communications
electronic and commercial canvassing.

In an information note, the European Commission officially launches the
legislative process devoted to the proposed regulation. The Commission
calls on the European Parliament and the Council to press ahead with the
work on their proposals and to ensure their adoption by 25 May 2018
at the latest (date from which, moreover, the general EU regulation
n°2016/679 of April 27, 2016 on data protection will come into force
This will be an update of the provisions of the directive ePrivacy 2002/58/EC
of July 12, 2002 (revised on November 25, 2009 by Directive 2009/136/EC).
The provisions of this old directive will therefore take
a new youth through this regulation, which will make them directly
applicable, this time to all Member States and without a transposition deadline,
thus making it possible to fight against inequalities and differences
assessment in matters of personal data protection. Furthermore,
this regulation will supplement the Regulation 
General EU n°2016/679 of April 27, 2016 on data protection which will come into force on May 25, 2018.

The old directive ePrivacy 2002/58/EC of July 12, 2002 had however already been the subject of scattered transpositions into French law from 2004 to 2012
through 11 texts, the new regulation will therefore have the merit of serving as a single reference text on the subject and directly applicable:

Law No. 2004-575 of June 21, 2004 for confidence in the digital economy
   Law No. 2004-669 of July 9, 2004 relating to electronic communications and
audiovisual communication services
   Law No. 2004-801 of August 6, 2004 relating to the protection of natural persons
with regard to the processing of personal data and amending Act No.
78-17 of 6 January 1978 relating to data processing, files and freedoms
   Decree No. 2005-862 of July 26, 2005 on the conditions of establishment and
network operation and the provision of communications services

Decree No. 2009-834 of July 7, 2009 establishing a department with national competence
called "Agence nationale de la sécurité des systèmes d'information

Law No. 2011-302 of March 22, 2011 adapting various provisions of the
legislation to EU health, labour and social legislation.
electronic communications
  Law No. 2011-901 of July 28, 2011 tending to improve the functioning of the houses
departments for people with disabilities and containing various provisions relating to
disability policy

Ordinance No. 2011-1012 of August 24, 2011 relating to electronic communications
     Decree No. 2012-436 of March 30, 2012 transposing the new regulatory framework
european electronic communications
   Decree No. 2012-488 of April 13, 2012 amending the obligations of operators to
electronic communications in accordance with the new regulatory framework

In the regulation in preparation, three sections are planned :
  • 1er
    : listening, interception, analysis and storage
    SMS, e-mail or voice calls will be prohibited unless
    consent of the user: this will concern the content of the
    communication but also the data relating to the place, the time and the
    recipient. (this will also concern applications such as WhatsApp,
    Facebook, Skype, Gmail, etc.).
  • 2th
    : the
    transparency in the use of cookies. The objective is to offer
    users a digital environment that is less 'invaded' by
    cookie banners that are displayed on each page visited. In this regard,
    the user will have the option to accept or decline cookies and
    should be able to do it more
    systematically by configuring the navigation parameters (concerning the
    so-called "third-party cookies", which are essentially intended to
    communicate data to third parties for commercial purposes, browsers
    must be able to block them by default)

Remark : the
cookie is the equivalent of a small text file stored on the
user's terminal. Their appearance dates from the 90s and allow
thus allowing website developers to retain user data in order to
to facilitate navigation and to allow certain functionalities. The
cookies have always been more or less controversial because they contain
personal information that could potentially be exploited by

2 guidelines to consider
account :

Directive 2002/58 on privacy: it contains rules on
the use of cookies. Article 5 §3 requires that the storage of data
(such as cookies) in the user's computer can only be
done if: the user is informed of how the data is used
the user is given the possibility to refuse this operation of
storage. However, this article also states that the storage of data for
technical reasons is exempted from this law. According to G29 Opinion No. 2/2010 of
2010, this directive remains very poorly applied: most sites
is limited to a simple "banner" informing about the use of
"without giving information on the uses, without
differentiate between "technical" and "business" cookies
It is not a question of "tracking", nor is it a question of offering real choice to the user.

Directive 2009/136/EC of 25 November 2009 therefore strengthens the obligations
prior to the placement of cookies on the user's computer, provided that
that the latter has given his consent after having received clear information and
complete. However, despite the will of the European legislator to the contrary, no
browser does not yet allow the dissociation of technical cookies and cookies
  • 3th
    : prohibition of electronic communications
    unsolicited, whatever the medium used (emails, SMS, calls
    telephones, etc.). Except prior consent of the user. Thus, for
    the sending of spams, the Net surfer will be able to materialize his consent by ticking
    a box and thus receive offers
    of the society. Similarly, the consumer who has actively registered his number
    on the red list shall not receive targeted telephone calls
This 3th shutter poses
useful questions for France: in fact, sending spam is
already governed by consumer law in France, as well as the implementation of
place of telephone restrictions (“Platform “ bloctel.gouv.fr ”, resulting from the law n ° 2014-344 of March 17, 2014
on consumption). Text messages and voice messages are not affected, but
depend on another procedure (Platform of the 33 700).
The main targets of this text,
are the actors of targeted advertising and
the GAFAs. Indeed, the commission's new proposal intends to include
within its scope all service providers
telecommunications: such as Facebook (Facebook Messenger), WhatsApp, Google
Hangouts etc.
For some observers, this
proposal does not go far enough in terms of data protection.
As Lukasz Olejnik explains,
British PhD researcher
IT from INRIA, specializing in security and privacy issues,
the commission's proposal does not take not
take into account the technical developments awaiting browsers
and this
finally content to validate the status quo: “ For example, this new update of the directive does not take
not take into account the fact that browsers will soon have
much more powerful features, such as access to sensor data
or the pairing between the browser and the user's device, via
Thus, browsers will be able to enter data via the
connected devices, including the collection of cookies.
Thus, this new regulation
would simply seem to renew some bases already acquired in 2009 or with
the new Directive coming into force in 2018, without really bringing any

See also: https://roquefeuil.avocat.fr/reglementation-des-cookies/

The states
announce that they will take a position on this regulation only from the end of April 2017.
On 9 February 2017, the G29 stated that it will publish its opinion on the Regulation " maybe in April, surely before
summer [Editor's note: 2017]