Digital privacy

The ePrivacy Directive and the General Data Protection Regulation provide the legal framework to ensure digital privacy for EU citizens. The Commission is revising the ePrivacy Directive to align with the Digital Single Market Strategy.

When you access the web, you often entrust vital personal information, such as your name, address, and credit card number, to your Internet Service Provider and to the website you are using. What happens to this data? Could it fall into the wrong hands? What rights do you have with regard to your personal information?

Common EU rules have been established to ensure that personal data enjoy a high standard of protection everywhere in the EU. The two main pillars of the data protection legal framework in the EU are the ePrivacy Directive (Directive on Privacy and Electronic communications), currently under revision, and the new General Data Protection Regulation.

The EU General Data Protection Regulation ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights.

The ePrivacy Directive builds on the EU telecoms and data protection frameworks to ensure that all communications over public networks maintain respect for fundamental rights, in particular a high level of privacy, regardless of the technology used. This Directive was last updated in 2009 to provide clearer rules on customers' rights to privacy. In particular, new requirements were introduced on data such as "cookies" and on personal data breaches. A revision of the Directive is currently under preparation.

Informed consent for "cookies" and other devices

The ePrivacy Directive adopted in 2009 requires Member States to ensure that users grant their consent before cookies (small text files stored in the user's web browser) are stored and accessed on computers, smartphones or other devices connected to the Internet.

The Commission has encouraged the media and the advertising industry to develop codes of conduct to implement new user-friendly rules, provided they comply with the legal requirements of the Directive.

Personal data breaches

Telecom operators and Internet Service Providers possess a huge amount of customer data, which must be kept confidential and secure. However, sensitive information can sometimes be stolen, lost or illegally accessed. The ePrivacy Directive ensures that the provider reports any "personal data breach" to the national authority and informs the subscriber or individual directly of any risk related to personal data or privacy.

The revised Directive is expected to add new rules that make sure personal data breaches are reported in a consistent way across the EU.

Consult the List of National Competent Authorities and the European Commission websites on Data Protection for related information.

ePrivacy Directive Reform

In the past years, the Commission has started a major modernisation process of the data protection framework, which culminated in the adoption in May 2016 of the new General Data Protection Regulation. The new rules, which will be applicable as of May 2018, strengthen individual rights and tackle the challenges of globalisation and new technologies.

As part of this reform, the Digital Single Market Strategy prescribes that the Commission also review the rules on ePrivacy and deliver legislation that is fit for the digital age.
The Commission ran a public consultation between 12 April 2016 and 5 July 2016, to seek stakeholders' input on a retrospective performance evaluation of the current law and the potential changes to the Directive.

A summary report of the public consultation was published on 4 August 2016 and the full synopsis report will be published in autumn 2016. The feedback from the consultation will help the Commission prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016.

The objectives of the review are:

  • Ensuring consistency between the ePrivacy rules and the future General Data Protection Regulation
  • Updating the scope of the ePrivacy Directive in light of the new market and technological reality
  • Enhancing security and confidentiality of communications
  • Addressing inconsistent enforcement and fragmentation
Last updated on 02/09/2016 - 17:03

