Main Nav

Data Protection Reform Legislation in the European Union

Earlier in 2012, the European Commission proposed a major reform of the European Union’s (EU) legal framework on the protection of personal data.  The new proposals are meant to strengthen individual rights and to address the challenges of globalization in light of emerging technologies.  The EU's Data Protection Directive is also developing specific rules for the transfer of personal data outside the EU to ensure the best possible protection of data when it is exported abroad. (See earlier blog for further background information.)  Under EU law, personal data can only be gathered legally under strict conditions.  Organizations that collect and manage personally identifiable information (PII) must protect it from misuse and are required to respect certain rights of the data owners, which are guaranteed by EU law.

The Article 29 Data Protection Working Party was set up jointly by the European Parliament and the Council in 1995 to address issues on the protection of individuals with regard to the processing of personal data and the “free movement” of these data.  At its June 2012 meeting, it adopted an opinion on cookie consent exemption.

The revised Article 5.3 (the so-called “cookie-rule”) of the e-Privacy Directive, which went into effect on May 26, 2012, reinforces user protection of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s device.  While this opt-in requirement applies to all types of information stored or accessed in the user’s device, the majority of discussion has centered on the usage of cookies.

Article 5.3 allows some cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:

  • the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”;
  • the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

According to the Opinion, the following cookies are not covered by the exemptions, and thus require prior opt-in consent:

  • Social plug-in tracking cookies
  • Cookies used for third-party advertising
  • First-party analytics cookies

The Opinion reveals that some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes.  These cookies include:

  • User-input cookies (i.e., session-id cookies)
  • Multimedia player session cookies
  • User interface customization cookies (e.g., language preference cookies selected by a user).

EDUCAUSE will continue to monitor and report on this issue.


Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.


Digital Badges
Member recognition effort
Earn yours >

Career Center

Leadership and Management Programs

EDUCAUSE Institute
Project Management



Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.


EDUCAUSE organizes its efforts around three IT Focus Areas



Join These Programs If Your Focus Is


Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.



2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations

Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.