
EUROPEAN COMMISSION

Information Society and Media Directorate-General

Electronic Communications Policy


Implementation of Regulatory Framework (I)

Brussels, 20 October 2010


DG INFSO/B2

COCOM10-34

COMMUNICATIONS COMMITTEE

Working Document

Subject: Implementation of the revised Framework – Article 5(3) of the ePrivacy Directive

This is a Committee working document which does not necessarily reflect the official
position of the Commission. No inferences should be drawn from this document as to the
precise form or content of future measures to be submitted by the Commission. The
Commission accepts no responsibility or liability whatsoever with regard to any
information or data referred to in this document.

Commission européenne, B-1049 Bruxelles / Europese Commissie, B-1049 Brussel – Belgium. Telephone: (32-2) 299 11 11.
Office: BU33 4/43. Telephone: direct line (32-2)296 85 00. Fax: (32-2) 296 88 75.
E-mail: infso-cocom@ec.europa.eu

1. Background and purpose

During the legislative process of the Telecom Reform, amendments to Article 5(3) of the
ePrivacy Directive[1] (‘Directive’), which concerns the storing of information, and the
gaining of access to information already stored in the terminal equipment of a subscriber
or user, were adopted, partly based on an amendment requested by the European
Parliament[2]. The EP amendment was meant to "better ensure compliance with this
obligation" as there were concerns that some current practices with respect to the use of
'cookies'[3] and similar devices, including in the context of online targeted advertising, did
not provide sufficient protection for the rights of users, in particular with respect to
transparency and choice.

Given the complexity of the underlying technologies, as well as the fast pace of
technological progress in the area, it is necessary to maintain a technology-neutral
formulation of Article 5(3) in national transposition instruments, in line with the wording
of the Directive. Secondly, interested parties are likely to need further guidance on how to
apply the new rules in an efficient manner in various circumstances. This may also be
necessary in the interest of legal certainty of all parties involved.

The present document is intended to explain the understanding by the Commission
services of Article 5(3) of the ePrivacy Directive, and in particular its practical application
in the light of Recital 66 of the Citizens’ Rights Directive regarding users'/subscribers'
consent, which has to meet the conditions defined in Directive 95/46/EC[4], through
appropriate settings of a browser or other application.[5] Relevant provisions of the ePrivacy
Directive are provided in the annex.

It should be emphasized that the interpretation of European Union law is ultimately the
role of the Court of Justice of the European Union.

2. Objective and scope

[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications), OJ L 201, 31.7.2002, as amended by
Directive 2009/136/EC, OJ L 337, 18.12.2009 (Citizens' Rights Directive).
[2] European Parliament legislative resolution of 24 September 2008 on the proposal for a directive of the
European Parliament and of the Council amending Directive 2002/22/EC on universal service and
users' rights relating to electronic communications networks, Directive 2002/58/EC concerning the
processing of personal data and the protection of privacy in the electronic communications sector and
Regulation (EC) No 2006/2004 on consumer protection cooperation (COM(2007)0698 – C6-0420/2007 – 2007/0248(COD)).
[3] An HTTP cookie is a text string stored by a user's web browser, standardised through RFC 2965 of the
Internet Engineering Task Force (IETF).
[4] Article 2(h): "'the data subject's consent' shall be any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal data relating to him being
processed".
[5] It should be noted that the Article 29 Data Protection Working Party, the independent advisory body on
data protection and privacy, has recently adopted an Opinion on behavioural advertising (Opinion
2/2010 of 22 June 2010, WP 171).

The main objective of Article 5(3) is to protect the terminal equipment of users and any
information stored on such equipment as part of the private sphere of users requiring
protection under the European Convention for the Protection of Human Rights and
Fundamental Freedoms, as explained in Recital 24 of the Directive. Since the entry into
force of the Treaty on European Union and the Treaty on the Functioning of the
European Union (Lisbon Treaty), the Charter of Fundamental Rights of the EU is now
binding at primary law level. In this context, the Union, directly in its own instrument,
recognizes in Article 7 the respect for private and family life and in Article 8 the right to the
protection of personal data. In order to ensure that communications are confidential, it is
necessary to protect them not only against third party interception during transmission by
means of electronic communications networks and services, but also while they are being
prepared, delivered to the communications service from the user terminal equipment or
received by the terminal from the service, and when they are being made accessible to the
user or stored in the user's terminal equipment. In addition to the content of
communications and related traffic data, the user's equipment may also contain other
privacy-sensitive information that should also be protected in order to ensure the user's
right to privacy[6]. In this respect, Article 5(3) complements Article 5(1) of the Directive,
according to which confidentiality of communications and the related traffic data must be
ensured, in particular by prohibiting their storage or other kinds of interception or
surveillance without consent of the users concerned or specific legal authorisation (e.g.
public security, prosecution of criminal offences).

The protection of user equipment against unauthorised interference by third parties is to be
understood as an objective in its own right, regardless of any processing of data executed
before or after storing or accessing of data on the user terminal equipment. Depending on
the circumstances and the nature of the processing, as well as in particular the types of
data processed from the user's terminal equipment, the provisions of the general Data
Protection Directive (Directive 95/46/EC)[7] may apply to such processing operations. The
provisions of Article 5(3) apply regardless of whether or not the storing or accessing of
information on the user's terminal constitutes processing of personal data within the
meaning of Directive 95/46/EC. Therefore, Article 5(3) applies to HTTP cookies, Flash
cookies and any similar devices which may perform the functions described in the
provision (i.e. store information on or read it from a user’s terminal equipment). The
protection under Article 5(3) extends to “spyware” and other malicious software such as
web bugs, hidden identifiers and viruses, for which by nature no information is provided. It
also applies regardless of the method used for its delivery and installation on a user’s
equipment: not only distribution through downloads from the Internet, but also via
external data storage media, such as CDs, CD-ROMs, USB keys, external hard drives etc.
As a result, for enforcement and prosecution it will be sufficient to prove the illegal
installation on the user's terminal and to identify the perpetrator, but it will no longer be
necessary to provide detailed evidence of the method of installation.

Finally, Article 3 of the ePrivacy Directive provides that the Directive 'shall apply to the
processing of personal data in connection with the provision of publicly available
electronic communications services in public communications networks in the Community,

[6] See also Recital 65 of Directive 2009/136/EC.
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data, OJ L 281, 23.11.1995.

including public communications networks supporting data collection and identification
devices'. A specific issue in this respect concerns the application of these obligations to
companies not established in the European Union. The establishment of a person in a third
country should not stand in the way of the protection of individuals provided for[8]. Article
4 of Directive 95/46/EC provides in particular that national measures executing Directive
95/46/EC apply, inter alia, 'where the controller is not established on Community territory
and, for purposes of processing personal data makes use of equipment, automated or
otherwise, situated on the territory of the said Member State, unless such equipment is
used only for purposes of transit through the territory of the Community'. As indicated by
the Article 29 Data Protection Working Party, a user's personal computer, for instance,
should be viewed as equipment in the sense of Article 4, in particular in cases where
cookies are placed and controlled by a given company (not established in the EU/EEA)[9].

For the purpose of Article 5(3), the Commission services' view is that this provision
applies to companies not established in the European Union which make use of a user's
terminal equipment situated on the territory of the said Member State.

3. The concept of informed consent

Article 5(3) provides that 'the storing of information, or the gaining of access to
information already stored, in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned has given his or her consent,
having been provided with clear and comprehensive information, in accordance with
Directive 95/46/EC, inter alia, about the purposes of the processing'.

Article 2 of the ePrivacy Directive provides that the definitions of Directive 95/46/EC
shall apply to the ePrivacy Directive. Accordingly, consent has the same meaning as the
data subject's consent defined in Article 2(h) of that Directive, i.e. "a freely given specific
and informed indication of his wishes (…)". Recital 17 of the ePrivacy Directive
emphasizes this interpretation of consent and explains that "Consent may be given by any
appropriate method enabling a freely given specific and informed indication of the user's
wishes, including by ticking a box when visiting an Internet website". This is understood
as follows.

Consent must be informed[10], i.e. the user must have information about the purpose of the
intended operations when deciding whether or not to consent to those operations. This
condition is emphasized by the wording of the paragraph ("having been provided with
clear and comprehensive information") and underlined by Recital 24 ("The use of such
devices should be allowed for legitimate purposes, with the knowledge of the user
concerned.").

In order to fulfil the condition of being specific, consent must relate to a defined set of
operations about which the user has been informed at the time of giving consent. Changes

[8] See Recital 20 of Directive 95/46/EC.
[9] See Working document of 30 May 2002 of the Article 29 Data Protection Working Party on
determining the international application of EU data protection law to personal data processing on the
Internet by non-EU based web sites (Ref. WP 56).
[10] In accordance with Article 10 of Directive 95/46/EC, information should cover at least the identity of the
company, the purposes of the intended processing and any further information in so far as such further
information is necessary, having regard to the specific circumstances in which the data are collected, to
guarantee fair processing in respect of the individual.

in the purpose occurring after obtaining the user's consent cannot be assumed to be
covered by that consent, such as processing of data for incompatible secondary purposes,
which would hence be unlawful[11]. However, where a sequence of operations of storing
and accessing data on a user's terminal equipment is part of processing for the same
purpose, it is not necessary to obtain consent for each individual operation of gaining
access to or storing of information on a user's terminal, if the initial information and
consent covered such further use. This is clarified by Recital 25 which explains that
"Information and the right to refuse may be offered once for the use of various devices to
be installed on the user's terminal equipment during the same connection and also
covering any further use that may be made of these devices during subsequent
connections."

Consent should be freely given, i.e. the user must have an actual choice. This also implies
that a user having freely given his or her consent can also revoke this consent at any time.
Recital 25 however clarifies that freely-given consent implies that a user may not be able
to be provided with a specific service if he or she does not consent to the storing and/or
accessing of information on his or her terminal equipment: "Access to specific website
content may still be made conditional on the well-informed acceptance of cookies or
similar device, if it is used for a legitimate purpose".

Where the storing or accessing of information on a user's terminal equipment is part of a
complex operation which includes the processing of personal data within the meaning of
Directive 95/46/EC, the specific provisions of that Directive apply to that processing. It
should be recalled that, as a rule, processing of special categories of personal data is
prohibited, with certain exemptions[12].

The second sentence of Article 5(3) provides for a possible exception to the principle of
information and consent, where the use of cookies and similar devices could be allowed
without the need for transparency and consent. Following the amendments introduced by
Directive 2009/136/EC, the possible exception may apply when the processing is ‘strictly
necessary in order for the provider of an information society service explicitly requested
by the subscriber or user to provide the service’. As it is an exception to the principle, it
must be interpreted restrictively, as illustrated by Recital 66: "Exceptions to the obligation
to provide information and offer the right to refuse should be limited to those situations
where the technical storage or access is strictly necessary for the legitimate purpose of
enabling the use of a specific service explicitly requested by the subscriber or user".

4. The concept of technological feasibility and effectiveness

The provisions of the Directive generally do not specify the technical means for informing
the user or obtaining consent. Recital 17 of the ePrivacy Directive illustrates this by
stating that 'Consent may be given by any appropriate method enabling a freely given
specific and informed indication of the user’s wishes …". The Recitals give indications of
general principles to be observed when implementing technical solutions compliant with
the provisions, and name some examples, but they do not refer to any specific technical
elements.

[11] Further processing of personal data for historical, statistical or scientific purposes is not generally to be
considered as incompatible with the purposes for which the data have previously been collected,
provided suitable safeguards are in place (see Recital 29 and Article 6 paragraph 1 letter b) of Directive
95/46/EC).
[12] Article 8 of Directive 95/46/EC.

Recital 25 of the ePrivacy Directive and Recital 66 of the amending Directive underline
the importance of a user-friendly technical solution to provide the user with information
and to obtain his or her consent: "The methods for providing information and offering the
right to refuse should be as user-friendly as possible".

Recital 66 of the amending Directive further refers to one specific method for consenting,
which is by using the settings of a browser or another application. The condition under
which such settings can be considered appropriate for expressing the user's consent is that
this is "technically feasible and effective, in accordance with the relevant provisions of
Directive 95/46/EC". It should be noted in this respect that currently available browsers
support the storing and accessing of information on user terminal equipment via standard
HTTP cookies. Other technologies for storing or accessing information on users' terminals
are supported by add-ons to browsers or by specific applications and would need to be
assessed in their own right.

Another question is whether a specific solution allows compliance with the legal
requirements established by the relevant provisions, and in particular the conditions to
obtain valid consent, i.e. allowing for an informed, specific and freely-given indication of the
user's wishes. This would include the provision of information on the purposes of
processing to the user and the ability of the user to express his or her wishes.

5. The role of self-regulation

The Commission services consider that the industry is well placed to design innovative
technical solutions, including browser settings or other applications, facilitating
compliance with legal requirements while avoiding divergence among the Member States,
hence minimising the cost of implementing them[13].

Self-regulatory efforts in this regard can be a means to effective application, provided they
meet the legal requirements in particular of effective transparency towards users and
consent in an appropriate form of affirmation on the part of the user. Moreover, as
illustrated in Recital 66, they should provide for a user-friendly solution, possibly based
on browser (or another application) settings. Finally, they should allow for effective
enforcement.

The Commission services take note that industry is working towards solutions
corresponding to the needs of industry, consumers and regulators. The Commission
services are ready to assist them, and to disseminate any effective solution towards
Member States as part of the implementation policy regarding the relevant privacy rules.
It is to be noted that, in accordance with Article 27 of Directive 95/46/EC, industry may
submit codes of conduct to national data protection authorities and draft EU codes to the
Working Party referred to in Article 29 of the same Directive.

[13] See also Opinion 2/2010 of 22 June 2010, WP 171 of the Article 29 Data Protection Working Party.

Annex - Relevant provisions of the Directive on Privacy and Electronic Communications

Article 5(1) of the amended ePrivacy Directive provides that "Member States shall ensure
the confidentiality of communications and the related traffic data by means of a public
communications network and publicly available electronic communications services,
through national legislation. In particular, they shall prohibit listening, tapping, storage
or other kinds of interception or surveillance of communications and the related traffic
data by persons other than users, without the consent of the users concerned, except when
legally authorised to do so in accordance with Article 15(1). This paragraph shall not
prevent technical storage which is necessary for the conveyance of a communication
without prejudice to the principle of confidentiality."

Article 5(3) of the amended ePrivacy Directive provides that "Member States shall ensure
that the storing of information, or the gaining of access to information already stored, in
the terminal equipment of a subscriber or user is only allowed on condition that the
subscriber or user concerned has given his or her consent, having been provided with
clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia,
about the purposes of the processing. This shall not prevent any technical storage or
access for the sole purpose of carrying out the transmission of a communication over an
electronic communications network, or as strictly necessary in order for the provider of
an information society service explicitly requested by the subscriber or user to provide the
service."

For ease of use, the following text shows the changes to Article 5(3) compared to its 2002
version (text deleted from the 2002 version is shown in [square brackets], text added by the
amending Directive in {curly braces}):

3. Member States shall ensure that the [use of electronic communications networks to store]
{storing of} information, or [to gain] {the gaining of} access to information already stored in
the terminal equipment of a subscriber or user is only allowed on condition that the
subscriber or user concerned {has given his or her consent,} [is] {having been} provided with
clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia,
about the purposes of the processing[, and is offered the right to refuse such processing by
the data controller]. This shall not prevent any technical storage or access for the sole
purpose of carrying out [or facilitating] the transmission of a communication over an
electronic communications network, or as strictly necessary in order [to provide] {for the
provider of} an information society service explicitly requested by the subscriber or user {to
provide the service}.

Recital 17 of the ePrivacy Directive states that "For the purposes of this Directive,
consent of a user or subscriber, regardless of whether the latter is a natural or a legal
person, should have the same meaning as the data subject's consent as defined and further
specified in Directive 95/46/EC. Consent may be given by any appropriate method
enabling a freely given specific and informed indication of the user's wishes, including by
ticking a box when visiting an Internet website."

Recital 24 of the ePrivacy Directive states that "Terminal equipment of users of electronic
communications networks and any information stored on such equipment are part of the
private sphere of the users requiring protection under the European Convention for the
Protection of Human Rights. So-called spyware, web bugs, hidden identifiers and other
similar devices can enter the user's terminal without their knowledge in order to gain
access to information, to store hidden information or to trace the activities of the user and

may seriously intrude on the privacy of these users. The use of such devices should be
allowed only for legitimate purposes, with the knowledge of the users concerned."

Recital 25 elaborates further on the use of such devices for legitimate purposes:
"However, such devices, for instance so-called 'cookies' can be a legitimate and useful
tool, for example, in analysing the effectiveness of website design and advertising, and in
verifying the identity of users engaged in on-line transactions. Where such devices, for
instance cookies, are intended for a legitimate purpose, such as to facilitate the provision
of information society services, their use should be allowed on condition that that users
are provided with clear and precise information in accordance with Directive 95/46/EC
about the purposes of cookies or similar devices so as to ensure that users are made
aware of information being placed on the terminal equipment they are using. Users should
have the opportunity to refuse to have a cookie or similar device stored on their terminal
equipment. This is particularly important where users other than the original user have
access to the terminal and thereby to any data containing privacy-sensitive information
stored on such equipment. Information and the right to refuse may be offered once for the
use of various devices to be installed on the user's terminal equipment during the same
connection and also covering any further use that may be made of those devices during
subsequent connections. The methods for giving information, offering a right to refuse or
requesting consent should be made as user-friendly as possible. Access to specific website
content may still be made conditional on the well-informed acceptance of cookies or
similar device, if it is used for a legitimate purpose."

Recital 65 of Directive 2009/136/EC, which amends the ePrivacy Directive, provides that
“Software that surreptitiously monitors the actions of the user or subverts the operation
of the user’s terminal equipment to the benefit of a third party (spyware) poses a serious
threat to the privacy of users, as do viruses. A high and equal level of protection of the
private sphere of users needs to be ensured, regardless of whether unwanted spying
programmes or viruses are inadvertently downloaded via electronic communications
networks or are delivered and installed in software distributed on other external data
storage media, such as CDs, CD-ROMs or USB keys. Member States should encourage
the provision of information to end-users about available precautions, and should
encourage them to take the necessary steps to protect their terminal equipment against
viruses and spyware.”

Recital 66 of Directive 2009/136 provides that "Third parties may wish to store
information on the equipment of a user or gain access to information already stored, for a
number of purposes, ranging from the legitimate (such as certain types of cookies) to
those involving unwarranted intrusion into the private sphere (such as spyware or
viruses). It is therefore of paramount importance that users be provided with clear and
comprehensive information when engaging in any activity which could result in such
storage or gaining of access. The methods for providing information and offering the right
to refuse should be as user-friendly as possible. Exceptions to the obligation to provide
information and offer the right to refuse should be limited to those situations where the
technical storage or access is strictly necessary for the legitimate purpose of enabling the
use of a specific service explicitly requested by the subscriber or user. Where it is
technically possible and effective, in accordance with the relevant provisions of Directive
95/46/EC, the user’s consent to processing may be expressed by using the appropriate
settings of a browser or other application. The enforcement of these requirements should
be made more effective by way of enhanced powers granted to the relevant national
authorities."
