Brussels, 31 October 2003

New privacy rules for digital networks and services - Directive kicks in today

As from today EU Member States must comply with the Directive on Privacy and Electronic Communications, which sets EU standards for the protection of privacy and personal data in electronic communications. The Directive includes basic obligations to ensure the security and confidentiality of communications over EU electronic networks, including internet and mobile services. It sets out specific conditions for installing so-called “cookies” on users' personal computers and for using location data generated by mobile phones. Notably, the Directive also introduces a 'ban on spam' throughout the EU.

"The Directive on Privacy and Electronic Communications is a key tool to strengthen consumer confidence in the Internet and electronic communications, which is a prerequisite for the success of e-commerce and, indeed, the Information Society," said Erkki Liikanen, European Commissioner responsible for Enterprise and Information Society.

The Directive is technology neutral and gives consumers and citizens a variety of tools to protect their privacy and personal data. This can be illustrated by a few examples:

  • Cookies (which register users' preferences as they visit websites) and other invisible tracking devices that can collect information on Internet users, such as 'spyware', may only be utilised if the user is given clear information about the purpose of any such invisible activity and is offered the right to refuse it. This will enable the user to decide which forms of access to his equipment are acceptable and which are not.

  • Location data generated by mobile phones can only be further used or passed on by network operators with explicit user consent. The only exceptions are (1) the transmission of the location data to emergency services; and (2) transmission of data to law enforcement authorities, subject to strict conditions, for purposes such as national security or criminal investigations.

  • Spam: With a limited exception - covering existing customer relationships - e-mail marketing is only allowed with prior consent. Disguised identities and invalid return addresses, often used by “spammers”, are also outlawed. This “opt-in” regime equally covers SMS messages and other electronic messages sent to any mobile and fixed terminal. Member States can also ban unsolicited commercial e-mails to businesses. The Commission intends to issue a specific Communication on this subject by the end of the year (see also: IP/03/1015).

From today Member States must apply and effectively enforce these rules. Bilateral and multilateral international co-operation efforts are needed, alongside EU efforts.


In 1997 the EU adopted a specific Directive on the protection of privacy and the processing of personal data in the telecommunications sector (97/66/EC). The Directive translated the principles of the General Data Protection Directive (95/46/EC) for a number of specific privacy issues related to public telecommunication networks and services.

The 1997 Directive was updated in 2002 to take account of technological developments and to ensure that the same level of privacy protection is provided for all communications over public networks regardless of the technology used. The Directive covers the processing of personal data in connection with the provision of publicly available electronic communication networks and services in the Community.

The Directive includes provisions on security of networks and services, confidentiality of communications, access to information stored on terminal equipment, processing of traffic and location data, calling line identification, public subscriber directories and unsolicited commercial communications.

The Directive contains no legally binding provisions that would either allow or prevent national measures requiring the retention of traffic or location data for 'law enforcement' purposes, since these are beyond its scope. However, any such measures would have to be accompanied by human rights safeguards specified in the Directive.

Directive 2002/58/EC on Privacy and Electronic Communications is also part of a new, wider technologically neutral regulatory framework governing the provision of electronic communications networks and services in the EU (see IP/01/1801 and IP/02/259).

Background information on the new rules is available at the following URL address:

Background information on the specific Commission plans on spam is available via:
