
Brussels, 23 May 2011

Digital Agenda: how new EU rules improve privacy protection for internet users

Clearer rules on customers' rights to privacy are laid down in new EU telecoms rules, which are due to be implemented in national law in all Member States by 25 May 2011 (see IP/11/622). The rules require operators to secure personal data properly and to inform their customers and data protection authorities promptly when personal data is lost. The rules also require Internet users to be better informed about data other parties store or access on their devices and improve the tools for fighting spam. This MEMO gives further details about these new privacy rules.

Notification of personal data breaches

The new rules clarify that telecoms operators and internet service providers must take strong security measures to protect the names, email addresses and bank account information of their customers, along with data about every phone call and internet session they engage in. This is to increase safeguards that the data does not accidentally or deliberately end up in the wrong hands.

The new rules also require operators, if security is breached and/or personal data is lost or stolen, to inform the data protection authorities and their customers without undue delay. This obligation increases the incentives for better protection of personal data by providers of communications networks and services.

Cookies and behavioural advertising

The new rules give Internet users the right to be better informed about data stored and accessed on their computer, smartphone or other devices connected to the Internet (such as cookies - small text files stored by a user's web browser).

In the case of data not related to the service currently accessed by the user, the new rules require Member States to ensure users have given their consent before such data is stored or accessed. Before being asked for their consent, the user must be given information about what the data collected about them is to be used for (e.g. targeted behavioural advertising).

The rules do not require websites to obtain consent from the user in the case of cookies that directly relate to the provision of a service explicitly requested by the user (e.g. cookies to remember language preferences or the content of shopping baskets on e-commerce websites).

Industry associations and other interested parties are free to agree on codes of conduct to implement the new rules in user-friendly ways (e.g. based on browser settings) on condition that they comply with the legal requirements of the Directive. The Commission recommends that such work is conducted in close cooperation with Member States' data protection authorities to ensure compliance with the law.


In order to tackle the fact that unsolicited commercial messages, so-called spam, have become a major burden for service providers and users, the new rules strengthen and clarify the legal requirements to counter spam. In particular, all commercial emails advertising web sites without full information about the company are now illegal.

As many spammers operate across borders, cooperation between enforcement authorities will be improved as they have now become part of an EU-wide Consumer Protection Cooperation network.

Furthermore, the new rules give internet service providers the right to protect their business and their customers by taking legal action against spammers.


The new rules (Directive 2009/136/EC) are part of the package of telecoms reforms adopted by the European Parliament and the Council in late 2009 (see MEMO/09/491). The Parliament and Council agreed that the rules must be implemented in Member States' national laws by 25th May 2011.

See also MEMO/11/319 and MEMO/11/321
