Use Article 5 as a confidentiality control: protect communications and related traffic data against listening, tapping, storage, interception, or surveillance unless users consent or a lawful authorization applies.
Built for product, legal, privacy, telecom, security, analytics, and vendor teams that need evidence for message handling, metadata processing, device access, recording, and GDPR handoffs.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 5 of the ePrivacy Directive is not a general-purpose analytics or security permission. It protects communications and related traffic data carried over public communications networks and publicly available electronic communications services. Product evidence should show what is communicated, which traffic or location data is processed, whether any storage, recording, access, monitoring, or metadata use is necessary, and where consent or a specific legal authorization is being relied on.
The core rule is confidentiality of communications and related traffic data. The Directive defines a communication as information exchanged or conveyed between a finite number of parties through a publicly available electronic communications service, while traffic data is data processed for conveyance or billing.
For a product review, separate message content from traffic data and location data. Content can reveal the substance of an email, call, chat, or message. Traffic data and location data can still be sensitive because they reveal who communicated, when, through which route, on what device, and sometimes from where.
Article 5 prohibits listening, tapping, storage, and other interception or surveillance by anyone other than users unless the users concerned consent or the activity is legally authorized under the Article 15 framework. It also preserves technical storage that is necessary to convey a communication, but that carve-out does not turn into permission for product analytics, profiling, or secondary metadata reuse.
The Directive separately allows legally authorized business recordings when carried out in lawful business practice to provide evidence of a commercial transaction or other business communication. Teams should document that basis distinctly from user consent and from technical transmission storage.
Confidentiality reviews often find a second ePrivacy issue: software that stores information on, or gains access to information already stored in, a user device. After the 2009 amendment, Article 5(3) generally requires consent after clear and comprehensive information, except for technical storage or access solely to transmit a communication or what is strictly necessary to provide a service explicitly requested by the user.
The EDPB treats Article 5(3) as broader than cookies. The technical review should cover pixels, tracked URLs, identifiers, local storage, browser or app APIs, IoT reporting, and unique identifiers where code instructs the terminal equipment to send back stored or generated information.
The evidence package should show how the service prevents unauthorized access to communications content and related traffic data, not only that a policy says confidentiality is important. Evidence should be usable by engineering, security, privacy, support, vendor-management, and audit reviewers.
For suppliers and embedded services, the key question is whether they can listen to, store, record, inspect, enrich, or receive communications data or terminal-equipment information. If they can, record the ePrivacy basis, contractual controls, technical controls, access logs, retention, and deletion evidence.
Not for the ePrivacy-governed traffic-data step if Article 6 of the ePrivacy Directive sets a narrower condition. The provider should first identify whether transmission, billing, interconnection, consent-based marketing of electronic communications services, a value-added service, dispute handling, or a legal authorization applies, then assess any later personal-data processing under GDPR.
Article 5 expressly covers communications and related traffic data. Commission ePrivacy materials also emphasize that metadata derived from electronic communications may reveal sensitive and personal information, so product evidence should cover both content access and metadata handling.
The ePrivacy Directive particularises and complements GDPR in the electronic communications sector. Where ePrivacy contains a special rule for a specific operation, such as traffic-data processing or terminal-equipment access, the product cannot bypass that rule by selecting a broader GDPR lawful basis.
GDPR still matters. Personal-data processing that is not specifically governed by an ePrivacy special rule remains subject to GDPR obligations, including transparency, data-subject rights, processor controls, security, retention, and international-transfer analysis. The practical split is operation by operation: ePrivacy for the communications or device-access step, GDPR for personal-data processing that follows unless ePrivacy also specifically regulates it.
Sorena can help turn communications flows, metadata use, device access, recording features, and GDPR handoffs into cited evidence requests and implementation checks.
Ask source-linked questions about Article 5 confidentiality, traffic data, terminal-equipment access, consent, and GDPR interplay.
Check whether your product, provider, or supplier evidence supports the communications confidentiality claim.
"lex specialis to the GDPR"
"protects the confidentiality of electronic communications"
"protects the confidentiality of electronic communications"
"confidentiality of communications and the related traffic data"
"listening, tapping, storage or other kinds"
"erased or made anonymous"
"confidentiality of communications and the related traffic data"
"restricted to what is necessary"
"necessary, appropriate and proportionate"
"storing of information, or the gaining of access"
"free, specific, informed and unambiguous"
"does not exclusively apply to cookies"
"particularise and complement"