Internet operators…including owners of web pages… will have to adapt to a double standard of the European Union regarding the data that they compile.

On one hand, the new Personal Data Protection Regulation. On the other, the Internet Privacy Directive (“ePrivacy Directive”), which regulates electronic communications. Interesting article by Magister Lucentinus.


On one hand, the General regulation on Data Protection not only protects a person’s data on the internet. On the other hand, the Privacy Directive refers to information that users transmit in electronic communication: be that personal data or other data.

The Data Protection Regulation applies to all personal data, including those “covered” by the Privacy Directive. Thus, those that receive and accumulate data on the Internet will need consent from the owner of the data if the data is personal; consent such as that exercised in the Data Protection Regulation:

The manifestation of specific, informed and unequivocal free will which the party interested accepts … through a declaration or a clear affirmative action regarding the treatment of personal data.


Both regulations concern “cookies”: data archives, which websites install in our computers when we visit a website. They are widely used by providers of internet services; giving them information regarding our “surfing” of the internet.

Cookies are regulated by the Privacy Directive. But they can be stored as databases for personal data and content in a “cookie”. Expressions such as the one below which we now see on many websites, will not suffice:

“If you continue to use this site, you are consenting to the use of your information”.

In fact, continuing to use the site does not signify consent.

This need for express consent also applies to cookies. There must be a free, specific, informed and unequivocal declaration of consent.


Not all cookies are subjected to the Data Protection Regulation. Those that do not have personal data are exempt from this complex procedure. Only the Privacy Directive would apply to them; allowing them to process (non-personal) data, if it is necessary: to attain the transmission of communication, maintain network security and communication services; or to detect technical or transmission errors.


Therefore, those responsible for websites (and for any other information or communication online) will have to pose the question:

Do I receive personal data?

Does my way of confirming consent respect Data Protection regulations?

Santiago Nadal