According to the draft paper, seen by EurActiv, the Commission is gearing up for a crackdown on how web companies, in particular social networking sites and online advertising firms, use citizens' private data.
"It is […] essential that individuals are well and clearly informed, in a transparent way, by data controllers about how and by whom their data are collected and processed, for what reasons [and] for how long," reads the draft Commission communication.
Citizens should be kept informed of "what their rights are if they want to access, rectify or delete their data," according to the paper, entitled 'A comprehensive strategy on data protection in the European Union'.
Facebook and Google
The move stems in large part from problems the EU executive has had with web firms like Google, Yahoo! and Facebook.
Facebook has had lengthy privacy disputes with national data protection authorities and Commission sources say the company is not out of trouble yet.
"Some social networking sites have complied with stricter privacy rules, but with Facebook there have been some problems," a Commission official said.
In particular, Facebook profiles do not disappear for good and can be reactivated, according to complaints made to the Commission, meaning that the data could - in theory - still be used by the company.
Users have also complained that there should be a privacy setting to prevent other users from posting pictures of them. Currently they can retroactively de-tag their names from other users' photos, but not remove them altogether.
The official named German company StudiVZ and NewsCorp's MySpace as other sources of concern.
Behavioural advertising, in which advertisers use an individual's browsing history to send them adverts they think would be of interest, is also highlighted in the paper as a practice that needs stricter rules.
"The proliferation of actors involved […] and the technological complexity of the practice makes it difficult for an individual to know and understand if personal data is collected, by whom and for what purpose," reads the document.
This has raised eyebrows with Internet companies, as behavioural advertising relies on cookies (Internet-based code that collects users' browsing data), an issue which web firms believe has already been dealt with under the EU's ePrivacy Directive.
At the end of 2009, the EU's ePrivacy Directive was updated to include a provision asking Internet companies to inform users when their data is being downloaded.
Industry sources argue that cookies are instrumental in their business models and that the Commission should avoid inventing burdensome consent or privacy notices that could hamper their business practice.
"Having ten pop-ups appear every time you use the Internet is deeply unworkable," said one source.
A Commission source confirmed that pop-ups were one of a few measures being considered to seek users' consent to download their data.
"Internet companies were given public assurance by the European Commission that cookies fall under the ePrivacy Directive," an industry source told EurActiv.