People whose personal details are exposed in a data breach will have to be told, according to a new privacy regulation passed by the European Commission.
The passing of the telecoms reform package last week opened the way for the ePrivacy Directive to enter into force. Member states must implement the revised directive within 18 months.
The new provisions improve the protection of privacy and personal data in the online world. The improvements relate to security breaches, spyware, cookies, spam and enforcement.
Some observers believe the directive relates to the UK government's decision, announced yesterday, to delay its Big Brother data surveillance law until after the election. The proposed law would have forced internet service providers (ISPs) to collect information about who sent messages to whom, where and when, and details of web searches.
European data protection supervisor Peter Hustinx welcomed the many improvements in the protection of privacy in the directive. "It is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification," he said.
He said the new rules had to be enforced, particularly for spyware and cookies. "This has special relevance where privacy rights must be protected in relation to so-called targeted advertising," he said.
The directive provides for the mandatory notification of personal data breaches for the first time in the EU. Any communications provider or ISP that is involved in a breach of individuals' personal data must inform them if the breach is likely to hurt them. This includes events where the loss could result in identity theft, fraud, humiliation or damage to reputation.
The notification will have to include recommendations to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches, the European Commission said in a statement.
The directive also reinforces protection against interception of users' communications through spyware and cookies on a user's computer or other device. The new directive says users should be offered better information and easier ways to control whether they want cookies stored in their devices.
The directive will also make it easier for consumers to take spammers to court, including those in other countries.