ePrivacy: Enforcement and Remedies
Enforcement and Remedies [Art 15a]
Rule: Member States must establish effective enforcement mechanisms with appropriate penalties for ePrivacy violations.
Enforcement Framework
The ePrivacy Directive requires Member States to:
- Designate competent authorities — National regulators with investigation powers
- Establish penalties — Effective, proportionate, and dissuasive sanctions
- Provide remedies — Judicial remedies for individuals
National Implementation
Enforcement varies by Member State. Common authorities include:
| Country | Authority | Typical Penalties |
|---|---|---|
| France | CNIL | Up to €75,000 per violation |
| Germany | BfDI + State authorities | Up to €300,000 |
| Spain | AEPD | Up to €150,000 |
| Italy | Garante | Up to €120,000 |
| Ireland | DPC | Varies by violation |
| UK (pre-Brexit) | ICO | Up to £500,000 under PECR |
Types of Violations
| Violation | Typical Penalty Range |
|---|---|
| Unsolicited marketing (spam) | €1,000 - €50,000 per message/campaign |
| Cookie consent failures | Warning to €20,000+ |
| Traffic data retention breaches | €10,000 - €100,000 |
| Confidentiality breaches | €50,000 - €500,000+ |
Relationship with GDPR Enforcement
When ePrivacy and GDPR both apply:
- ePrivacy governs the specific activity (cookies, marketing, traffic data)
- GDPR may provide additional remedies and higher penalties
- Authorities coordinate to avoid double jeopardy
- GDPR penalties (up to €20M / 4% global turnover) may apply for related data protection breaches
Individual Rights
Under ePrivacy, individuals can:
- Complain to regulators — File complaints with national authorities
- Seek judicial remedies — Bring court action for damages
- Request investigations — Trigger regulatory investigations
- Obtain compensation — For material or non-material damage
Regulatory Powers
National authorities typically have power to:
- Investigate — Conduct audits and inspections
- Order compliance — Require specific remedial actions
- Issue fines — Impose administrative penalties
- Ban processing — Prohibit unlawful activities
- Publish decisions — Name and shame violators
Notable Enforcement Actions
| Year | Country | Company | Violation | Penalty |
|---|---|---|---|---|
| 2020 | France | Amazon | Cookie consent | €35 million |
| 2020 | France | Cookie consent | €100 million | |
| 2022 | Spain | Vodafone | Spam calls | €8 million |
| 2023 | Italy | TIM | Telemarketing | €7.6 million |
ePrivacy Regulation (Pending)
The ePrivacy Directive is expected to be replaced by the ePrivacy Regulation:
- Direct applicability — No national transposition needed
- Higher penalties — Aligned with GDPR (up to €20M / 4% turnover)
- Consistent enforcement — Harmonized rules across EU
Status: Negotiations ongoing since 2017.
Citation
Article 15a, ePrivacy Directive