The law will extend the time telecoms companies and ISP are required to hold data, introduce an opt-in clause for receiving marketing e-mail and clarify laws on cookies, the small data files stored on users' PCs used by Web sites to track visits.
Existing European data protection laws state that traffic data should be stored for no longer than the billing period and restrict law enforcement officials' rights of access to people's data.
The latest proposals will allow member states to override data privacy to conduct criminal investigations and safeguard national or public security, when this is a "necessary, appropriate and proportionate measure within a democratic society".
Erkki Liikanen, the European Commissioner in charge of drafting the data protection directive, said last December that policy must "look at the world differently" after the 11 September terrorist attack in the US.
Draft legislation was then amended to call on telecom companies and ISPs to retain information on their customers' log of phone calls or e-mail and Internet connections, beyond the one- or two-month period the information is normally held for billing purposes, in order to assist police investigations.
The move has left telecom providers and ISPs fearing they would be left to carry the costs of data retention.
"This compromise mentions data retention but it doesn't define what 'data' is - it could include the content of people's messages, as well as the time, duration and direction of the call or e-mail," said Fiona Taylor, a senior adviser at the European Telecommunications Network Operators' Association (ETNO).
"Until we know what we need to store we can't say how much it will cost," she said.
"Data retrieval will be more costly than storage," said Jo McNamee, European affairs manager for the association of European ISPs, EuroISPA. He too was concerned that there is no definition of data.
His main concern about the data retention clause, however, was that it established the principle that it is permissible to retain data.
"Member states will be able to pass national laws on the retention of data by ISPs and telecoms providers, and there is nothing here in this EU data protection directive to stop them," McNamee said.
The new law would ban the sending of unsolicited e-mail and will require marketers to get express permission from users before sending e-mail. However, online suppliers will still be able to send e-mails to existing customers.
The UK government has long favoured an opt-out approach, and it had been expected that the European Union would leave it up to member states to decide whether spam should be opt-in or opt-out.