
People whose personal details are exposed in a data breach
will have to be told, according to a new
privacy regulation passed by the European Commission.
The passing of the telecoms reform package last week opened the
way for the ePrivacy Directive to enter into force. Member states
must implement the revised directive within 18 months.
The new provisions improve the protection of privacy and
personal data in the online world. The improvements relate to
security breaches, spyware, cookies, spam and enforcement.
Some observers believe the directive relates to the UK
government's decision, announced yesterday, to delay its Big
Brother data surveillance law until after the election. The
proposed law would have forced internet service providers (ISPs) to
collect information about who sent messages to whom, where and
when, and details of web searches.
European data protection supervisor Peter Hustinx welcomed the
many improvements in the protection of privacy in the directive. "It is
now crucially important to broaden the scope of the security breach
provisions to all sectors and further define the procedures for
notification," he said.
He said the new rules had to be enforced, particularly for
spyware and cookies. "This has special relevance where privacy
rights must be protected in relation to so-called targeted
advertising," he said.
The directive provides for the mandatory notification of
personal data breaches for the first time in the EU. Any
communications provider or ISP who is involved in a breach of
individuals' personal data must inform them if the breach is likely
to hurt them. This includes events where the loss could result in
identity theft, fraud, humiliation or damage to reputation.
The notification will have to include recommendations to avoid
or reduce the risks. The data breach notification framework builds
on the enhanced provisions on security measures to be implemented
by operators, and should stem the increasing flood of data
breaches, the European Commission said in a statement.
The directive also reinforces protection against interception of
users' communications through spyware and cookies on a user's
computer or other device. The new directive says users should be
offered better information and easier ways to control whether they
want cookies stored in their devices.
The directive will also make it easier for consumers to take
spammers to court, including those in other countries.