When you access the web, you often entrust vital personal information, such as your name, address, and credit card number, to your Internet Service Provider and to the website you are using. What happens to this data? Could it fall into the wrong hands? What rights do you have with regards to your personal information?
Common EU rules have been established to ensure that personal data enjoy a high standard of protection everywhere in the EU. Currently, the two main pillars of the data protection legal framework in the EU are the ePrivacy Directive (Directive on Privacy and Electronic communications), and the General Data Protection Regulation, adopted in May 2016.
The EU General Data Protection Regulation ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights.
The ePrivacy Directive builds on the EU telecoms and data protection frameworks to ensure that all communications over public networks maintain respect for fundamental rights, in particular a high level of data protection and of privacy, regardless of the technology used.
On 10 January 2017 the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive.
Informed consent for "cookies" and other devices
The ePrivacy Directive requires Member States to ensure that users grant their consent before cookies (small text files stored in the user's web browser) are stored and accessed in computers, smartphones or other device connected to the Internet.
The draft Regulation introduces the concept of "privacy by design" whereby users opt for a higher or lower level of privacy.
Personal data breaches
Telecom operators and Internet Service Providers possess a huge amount of customers data, which must be kept confidential and secure. However, sometimes sensible information can be stolen or lost, or illegally accessed. The ePrivacy Directive ensures that the provider reports any "personal data breach" to the national authority and informs the subscriber or individual directly of any risk related to personal data or privacy.
The draft Regulation does not include specific provisions on personal data breaches but relies on the relevant provisions of the General Data Protection Regulation.