Personal Data Security Breach and Cookies under the E-Privacy Directive

Cecilia Irene Álvarez Rigaudias.

10/12/2009 Legal Today


Following the agreement on the EU telecommunications reform, the so-called e-Privacy Directive that amends, among others, Directive 2002/58/EC on privacy and electronic communications, has been adopted.

The new provisions on the protection of personal data in the online context mainly concern personal data security breaches, spyware, cookies, spam, and enforcement of rules:

  • first EU framework for mandatory notification of personal data breaches applicable to communications providers and ISPs that shall include recommended measures to avoid or reduce the risks;
  • reinforced protection against interception of users' communications through the use of - for example - spyware and cookies stored on a user's computer or other devices (including an obligation to obtain the user's prior consent);
  • effective legal proceedings against spammers available to any person negatively affected by spam, including ISPs; and
  • strengthened enforcement powers for national data protection supervisory authorities.

Peter Hustinx, the European Data Protection Supervisor, who was closely involved in the legislative work leading to the final text of the ePrivacy Directive, said: "I welcome the many improvements in the protection of privacy in the revised ePrivacy Directive. But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification. Also, the new rules must be effectively enforced. I note in particular the emphasis on more effective enforcement of the rules on spyware and cookies. This has special relevance where privacy rights must be protected in relation to so-called targeted advertising."