EDPS second Opinion on ePrivacy Directive review and security breach: privacy safeguards need to be strengthened
On 9 January, the European Data Protection Supervisor (EDPS) adopted an Opinion on the review of the Directive on Privacy and electronic communications, usually referred to as the ePrivacy Directive. This Opinion follows upon a first EDPS Opinion, as well as Comments, in which recommendations were made to help ensure that the proposed changes effectively provide for the best possible protection of personal data.
This Second Opinion comes as a response to the Council's Common Position which, on a number of critical points, fails to endorse some of the data protection safeguards proposed by the European Parliament and the European Commission or previously recommended by the EDPS. The recommendations presented in this Opinion aim at streamlining some of the provisions of the Directive, while at the same time ensuring an adequate level of data protection and privacy.
The Opinion particularly focuses on the provisions relating to the setting up of a mandatory security breach notification system, for which the Supervisor believes there is still some room for improvement.
Peter Hustinx, EDPS, says: "The full benefits of security breach notification will be best realized if the legal framework is set right from the outset. To this end, the Parliament and the Council will need to meet the challenge of determining the proper standard setting forth the conditions for notification and ensuring that the appropriate processes are put into effect. Citizens will expect such a system to apply not only to their Internet access providers, but also to their on-line banks and on-line pharmacies."
The Opinion also includes a number of recommendations covering the following issues:
- scope of application: the EDPS supports the Parliament's approach to broaden the scope of application of the Directive to include publicly accessible private networks in the Community. He recommends further clarifying the types of services that would be covered by the broadened scope;
- processing of traffic data for security purposes: the EDPS considers unnecessary the new article introduced by the Parliament, and maintained by the Council's Common Position and the Commission's Amended Proposal, that legitimises the collection of traffic data for security purposes. In the EDPS's view, such a provision may be subject to risk of abuse, especially if adopted in a form that does not include the necessary data protection safeguards;
- right of action against infringements of the Directive: the EDPS calls upon the Commission and the Council to endorse the provision introduced by the Parliament that gives legal entities, such as consumer associations, the possibility to bring legal action against infringements of any provisions of the Directive.
The EDPS is hopeful that, as the review of the Directive continues to make its way through the legislative process, new amendments will be adopted in accordance with the above recommendations with a view to restoring the necessary data protection safeguards.