E-privacy Directive

From Open Risk Manual


The E-privacy Directive 2009/136/EC came into force in May 2011, concerns the processing of personal data and the protection of privacy in the electronic communications sector (pdf). It is usually referred to as the "E-privacy Directive" and is an amendment of Directive 2002/58/EC.

The E-privacy Directive covers processing of personal data and the protection of privacy including provisions on:

  • the security of networks and services;
  • the confidentiality of communications;
  • access to stored data;
  • processing of traffic and location data;
  • calling line identification;
  • public subscriber directories; and
  • unsolicited commercial communications ("spam").

The main changes to the 2002 Directive include a rule requiring the notification of data breaches (for instance someone whose personal data are lost, modified or accessed unlawfully while being treated by its electronic communications provider should be notified if this breach is likely to affect him/her negatively) and an extension of the Directive to also cover various electronic tags, strengthened enforcement rules, etc.