The European Commission floated a draft regulation Tuesday that will expose tech companies outside the traditional telecom space—including Facebook, Google and Apple—to stricter privacy rules on electronic communications, but the proposed regime's cross-border uniformity and eased customer-consent requirements could make the changes easier to swallow.

The Regulation on Privacy and Electronic Communications would modernize and replace the bloc's e-privacy directive, which was enacted in 2002 and was last updated in 2009. While it provides for increased security and substantial penalties for noncompliance—as much as €20 million or 4 percent of worldwide annual revenue—attorneys said it’s not all bad news.

"The general significance is that it brings this part of the privacy regime up to date and in line with the [EU's] General Data Protection Regulation, which hopefully will bring at least more certainty for companies," Ballard Spahr LLP of counsel Odia Kagan said.

European officials last year approved the General Data Protection Regulation (GDPR) that is set to go into effect in May 2018 and that will replace the bloc’s current data protection directive with a new, uniform regulation.
"Electronic communications content and metadata are a much broader set of information than the personal data covered by the GDPR," Kagan said. "So for those companies that fall under both the GDPR and e-privacy regulation, compliance with GDPR is not going to be enough."