
“Cookie” Directive

As part of the same series presenting the European legal framework on privacy and personal data, which aims to help readers become aware of their legal rights so that they can better protect them, today's post presents:

Directive 2009/136/EC amends and supplements Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.


Directive 2009/136/EC addresses the issues of unsolicited commercial messages, the use of technologies for telemarketing purposes, the use of traffic and location data, public directories, and cookies: “a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server”. This Directive, which complements and amends Directive 2002/58/EC, aims at better protection of users’ personal data. Additionally, it sets a new framework for the disclosure of security breaches by electronic communication providers to their users.

Regarding access to stored data (Article 4 of the E-Privacy Directive), under this new Directive electronic communication providers should ensure that users’ personal data can be accessed only by “authorized personnel for a legally authorized purpose”. The new requirement is essentially that communication service providers should implement security policies regarding the processing of users’ personal data. Under this stipulation, national authorities are granted rights to audit the measures taken by providers of communication services with regard to security and the processing of users’ data, and could provide best practices and techniques for achieving the best security measures for users’ data protection.

Regarding breaches of security, this Directive provides communication service providers with clear definitions and meanings of security breaches and risks, and introduces the notion of a personal data breach. Under its provisions on security breaches, communication service providers should take appropriate action to try to stop or reduce the effect of security breaches and inform the user about the data that was at risk or breached. It also covers well-defined and potential security breaches that could occur, such as: “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.” The purpose of identifying and defining those security risks is that, from the moment this Directive is implemented (e.g. June 2011), every communication service provider will refer to security breaches as something well determined. Providers are also obliged under the new Art 4 (3) to give Notice of security breaches to the competent national authority and to the user whose data is at risk or who suffered an adverse effect, or when the data at risk could potentially disclose the user’s identity. The Notice is not required if the communication service provider proves that all the available technical and security measures were taken to protect users’ privacy against security breaches.

This Directive applies to the collection of personal data placed on an EU user’s terminal (i.e. computer hard drive, smartphone, iPad) by means of cookies. Consequently, EU users are protected against any website that uses cookies without the user’s opt-in consent.

The Directive requires that consent be obtained before any cookie is sent to a user’s terminal. The user needs to express opt-in consent before any cookie is sent. The user’s terminal is regarded as his personal and private space, and the illegitimate installation of a program such as a cookie is a privacy intrusion. In addition, if the user gives consent for the installation of cookies, the user should also be informed about any exchange of private information retrieved from his terminal. Earlier views regarding the user’s browser settings assumed that if the browser settings allow cookies (i.e. the user set up his browser to accept cookies), then consent is given. This Directive, however, requires that even if the browser settings allow cookies, the user must still be informed about any exchange of private information between his computer terminal and the communication service provider.

For example, when a Facebook user visits a third-party website that uses the Facebook “Like” button (even if the button is not clicked during the visit), the cookie assigned to his unique Facebook ID number makes him identifiable to the third-party website as well. The website then “knows” who the visitor is and can get access to that particular user’s Facebook profile (the “Like” button is designed to post on one’s Facebook Wall the website/business he likes). Getting access to private information in this way is a breach of this Directive, because the user should “be informed about any exchange of private information retrieved from his terminal”.

This Directive entered into force as of 2010, but the EU Member States should have transposed it into their national legislation by June 2011.

If you would like to read another E-Crime Expert article on how the cookie “notification” is actually done in practice, check the post “Privacy: search for it and claim it”.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Did you know about this Directive? Are you aware of the use of cookies? Are you informed about the use of cookies on your machine?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

  1. April 2, 2013 at 17:57

    Great post. I was checking constantly this blog and I am impressed!
    Very useful information specifically the last part 🙂 I care for
    such information much. I was seeking this certain information for a long time.

    Thank you and best of luck.

  2. June 12, 2013 at 04:23

    You are so interesting! I do not believe I’ve read a single thing like that before. So good to find someone with original thoughts on this subject matter. Seriously.. many thanks for starting this up. This website is one thing that is needed on the web, someone with a little originality!

    • Dan Manolescu
      June 12, 2013 at 04:59

      Thank you for your kind message.
