Help Print this page 
Title and reference
Data protection in the electronic communications sector

Summaries of EU legislation: direct access to the main summaries page.
Languages and formats available
HTML html ES html CS html DA html DE html EL html EN html FR html IT html HU html NL html PL html PT html RO html FI html SV
Multilingual display

Data protection in the electronic communications sector

Information and Communication Technologies (ICTs), and in particular the Internet and electronic messaging services, call for specific rules to ensure that users have a right to privacy. This Directive contains provisions ensuring that users can trust the services and technologies they use for communicating electronically. In particular, it aims to ensure the protection of privacy and confidentiality in the electronic communications sector, including security for processing personal data, the notification of infringements, the confidentiality of communications and the ban on unsolicited communications, subject to the users' prior consent.


Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [See amending acts].


Directive 2002/58/EC forms part of the Telecoms Package, the legislative framework governing the electronic communications sector The Telecoms Package includes four other Directives on the general framework, access and interconnection, authorisation and licensing and the universal service.

The Telecoms Package was amended in December 2009 by the two Directives Better law-making and Citizens' rights, as well as by the regulation establishing a body of European regulators for electronic communications (BEREC).

This Directive principally concerns the processing of personal data relating to the delivery of communications services.

Processing security

The provider of an electronic communications service must protect the security of its services by:

  • ensuring personal data is accessed by authorised persons only;
  • protecting personal data from being destroyed, lost or accidentally altered and other unlawful or unauthorised forms of processing;
  • ensuring the implementation of a security policy on the processing of personal data.

In the case of an infringement of personal data, the service provider must inform the national authority within 24 hours. If this infringement is likely to harm the personal data or privacy of a subscriber or an individual, the service provider must also inform the subscriber or individual in question, except if the service provider has put in place technological protection measures that make the data incomprehensible to any person without authorised access (see Regulation (EU) No 611/2013).

Confidentiality of communications

The Directive reiterates that Member States must ensure the confidentiality of communications made over a public electronic communications network. They must in particular prohibit the listening into, tapping and storage of communications and traffic data by persons other than users without the consent of the users concerned, except if this person is legally authorised. They also guarantee that the use of electronic communication networks for storing information or accessing information stored in the terminal equipment of a subscriber or use is only permitted if the subscriber or user has given his consent after having received clear and full information, as a minimum, on the end uses of the processing.

Processing traffic and location data

The Directive establishes that traffic data must be erased or made anonymous when they are no longer required for the conveyance of a communication or for billing.

The electronic communications service provider must, nevertheless, process the traffic data to the extent and for the duration necessary for the supply or distribution of electronic communications services with added value, for as long as the subscriber or user concerned has given his prior consent.

With regards to location data other than that relating to traffic, this may only be processed once it has been anonymised or subject to obtaining the consent of the users or subscribers, to the extent and for the duration necessary for the supply or distribution of a service with added value.

Users or subscribers have the option to withdraw their consent to the processing of traffic or location data at any time.

On the sensitive issue of data retention, the Directive provides that Member States may withdraw the protection of data only to allow criminal investigations or to safeguard national security, defence and public security. Such action may be taken only where it constitutes a necessary appropriate and proportionate measure within a democratic society and in compliance with fundamental rights.

Unsolicited communications (spamming)

The Directive takes an opt-inapproach to unsolicited commercial electronic communications, i.e. users must have given their prior consent before such communications are addressed to them. This opt-in system also covers SMS text messages and other electronic messages received on any fixed or mobile terminal. However, exceptions are provided.


The Directive states that users must give their consent for information to be stored on their terminal equipment, or that access to such information may be obtained. In order to do this, users must receive clear and comprehensive information about the purpose of the storage or access. These provisions protect the private life of users from malicious software, such as viruses or spyware, but also apply to cookies.

Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user's hard disk. Their original purpose was to retain information between sessions. They are also a useful and much decried tool for monitoring a net surfer's activity.

Public directories

European citizens must give prior consent before their telephone numbers (landline or mobile), e-mail addresses and postal addresses can appear in public directories.


Member States must implement a system of penalties, including legal sanctions in the case of infringements to the provisions of the Directive. They must also ensure that the national competent authorities have at their disposal the necessary powers and resources to monitor and control compliance with the national provisions transposing this Directive.



Entry into force

Deadline for transposition in the Member States

Official Journal

Directive 2002/58/EC



OJ L 201 of 31.07.2002

Amending act(s)

Entry into force

Deadline for transposition in the Member States

Official Journal

Directive 2009/136/EC



OJ L 337 of 18.12.2009


Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281/31 of 23.11.95].

This Directive is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU.

Regulation (EC) No 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001]

This Regulation aims to protect personal data within EU institutions and bodies. The text provides in particular for the creation of an independent supervisory body to monitor the application of its principal rules.

Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications [Official Journal L 173 of 26.06.2013].

Court of Justice judgement of 8 April 2014 in the joined cases C-293/12 and C-594/12 . Digital Rights Ireland and Seitlinger et al.

In this judgement, the Court declared invalid Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks amending Directive 2002/58/EC. The Court considered in particular that Directive 2006/24/EC exceeded the limits imposed in respect of the principle of proportionality in view of Articles 7, 8 and 52, Paragraph 1, of the European Charter of Fundamental Rights. Notably, the Court underlined the fact that the Directive:

  • Included interference on a large scale and of particular seriousness, without the provision of clear and precise rules governing the coverage of this interference, and did not allow for sufficient guarantees in line with the security and protection of data held by the operators.

Last updated: 27.05.2014