When you go online, you often entrust vital personal information, such as your name, address, and credit card number, to your Internet Service Provider and to the website you are using. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?
Common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. Since 2009, new requirements have been introduced and are being implemented by the Commission.
Under the EU Data Protection Directive, personal data can only be gathered under strict conditions and for a legitimate purpose. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights. In 2012, the Commission proposed a major reform of the EU legal framework on the protection of personal data. The new proposals will strengthen individual rights and tackle the challenges of globalisation and new technologies.
The Directive on Privacy and Electronic Communications, known as the ePrivacy Directive, builds on the EU telecoms and data protection frameworks to ensure that a high level of privacy is granted to all communications over public networks, regardless of the technology used. This Directive was updated in 2009 to provide clearer rules on customers' rights to privacy. In particular, new requirements were introduced on data such as "cookies" and on personal data breaches:
- Informed consent for "cookies" and other devices: the new rules require Member States to ensure users have given their consent when data such as cookies (small text files stored by a user's web browser) is stored and accessed on their computer, smartphone or other device connected to the Internet. The Commission has encouraged the media and advertising industry to develop codes of conduct to implement the new rules in user-friendly ways, on the condition that they comply with the legal requirements of the Directive.
- Personal data breaches: telecoms operators and Internet Service Providers normally hold a range of data about their customers. In general, providers are required to keep this data confidential and secure. However, sometimes the data can be stolen or lost, or someone could gain unauthorised access to it. Under the new rules, the provider has to report such "personal data breaches" to the national authority and inform the subscriber or individual directly if there is a risk to personal data or privacy. The Commission is currently preparing additional rules to make sure that personal data breaches are reported in a consistent way across the EU.