EU countries ignore new law on Internet privacy

Most member states fail to take any action on the new anti-cookie directive

New European Union rules to ensure privacy have been ignored by the vast majority of E.U. member countries, according to Jonathan Todd, European Commission spokesman for Digital Agenda.

Only Denmark, Estonia and the U.K. have so far notified measures to implement the revisions to the ePrivacy Directive, Todd said on Wednesday.

The new law, which aims to give Internet users more information about the data stored about them, was supposed to be implemented by all E.U. countries by May 25. However, it is not clear whether even the three countries that have taken measures are fully compliant with the law, leading to speculation that better protection of personal data online for customers is far from a priority.

Member states have had two years to implement the revised rules against tracking cookies. Under the new law, before being asked for their consent, users must be given information on the use of the collected data. The so-called "Cookies Directive" requires companies to obtain "explicit consent" from Web users before storing cookies.

Cookies are small pieces of software that are installed on the user's computer to remember log-in details and other preferences relating to a particular website. But they can be used to target advertising based on browsing history. The only exception to the cookie rule is when they are necessary for a service requested by the user, for example, when a user clicks an "add to basket" button to buy goods from a website.

The slow implementation of this directive highlights the difficulty of framing legislation to protect consumer privacy. What "consent" to cookies requires in practice is not defined in detail in the directive, and some countries are hoping that, in principle, a browser set to "accept cookies" implies consent.

However, even U.K. Information Commissioner Christopher Graham acknowledges that his office's guidelines are "a work in progress." But he warned that browser settings alone may not be enough for compliance with the directive.

"The circumstances in which such settings can be considered appropriate for expressing the user's consent depends on how well they meet the general requirements in the legislation," said European Digital Agenda Commissioner Neelie Kroes.

The European Commission, the E.U.'s executive body, will consider opening infringement procedures against the 24 member states that have failed to transpose the directive into national law, said Todd.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to


Stories by Jennifer Baker
