Brussels, Monday 9 November 2009

ePrivacy Directive close to enactment: improvements on security breach, cookies and enforcement, and more to come

Following last week's agreement on the EU telecoms reform, nothing stands in the way of the ePrivacy Directive entering into force. The formalities required for formal adoption will be undertaken in the coming weeks. The revised ePrivacy Directive (*), as amended by the European Parliament and adopted by the Council, must be implemented by the Member States within 18 months.

The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The EDPS cooperated closely with the European Parliament, the Council and the European Commission on the legislative work leading to the final text (**).

Peter Hustinx, EDPS, says: "I welcome the many improvements in the protection of privacy in the revised ePrivacy Directive. But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification. Also, the new rules must be effectively enforced. I note in particular the emphasis on more effective enforcement of the rules on spyware and cookies. This has special relevance where privacy rights must be protected in relation to so-called targeted advertising."

The changes introduced include:

  • for the first time in the EU, a framework for mandatory notification of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals' personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;

  • reinforced protection against interception of users' communications through the use of, for example, spyware and cookies stored on a user's computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;

  • the possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers;

  • substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

(*) Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

(**) EDPS first (pdf) and second (pdf) opinions on the ePrivacy Directive review

For more information, please contact the EDPS Press Service at:

EDPS - The European guardian of personal data protection
