Three significant amendments to the EU e-Privacy Directive came into force on 18 December 2009: the first will introduce a mandatory notification regime in respect of personal data security breaches applicable to electronic communications service providers processing personal data in the EU; the second will require any data controller which installs cookies on a user’s equipment to obtain consent to such installation; the third will give ISPs the power to take action against spammers.

The 27 EU member states have until 25 May 2011 to enact national legislation implementing these requirements. Further details on each requirement are set out below:

Mandatory data breach notification

The new regime only applies to providers of “publicly available communications services” (principally telcos and ISPs) and requires them to notify:

  • their national data protection regulator where a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available communications service in the Community; and
  • the subscriber or individual affected by such breach if the breach is likely to affect his/her personal data or privacy.

Whilst these requirements are restricted to electronic communications service providers at present, there was much lobbying to extend their reach to all data controllers within the EU during the passage of the legislation. It is possible that during the transposition into national legislation certain EU member states could implement these requirements so that they cover all data controllers in that member state.

Change to consent rules on cookies

At present, the e-Privacy Directive allows the installation of cookies on a user’s equipment on condition that the user is provided with clear and comprehensive information about the processing undertaken through the cookie and is offered the right to refuse such processing. This requirement has most commonly been implemented through a section in the website privacy policy describing what information is collected through the cookie and how it will be used, together with instructions, or a link to instructions, on how to delete and/or refuse cookies.

The amendment to the e-Privacy Directive replaces the right to refuse such processing with a requirement to give consent to such processing. Interestingly, one of the recitals to the amending directive states in respect of this provision that where “it is technically possible and effective… the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

Whether EU member states implement this provision through an express requirement for further written consent or allow such consent to be given through changes to a browser setting will impact the drafting of privacy policies and consent wordings. We will publish further updates on this point, together with recommended changes to wordings, as and when national legislatures amend their e-Privacy Directive implementing legislation.

Powers to take action against spammers widened beyond the data subject

The amendment to the e-Privacy Directive provides for legal or natural persons other than the affected data subject to be given remedies against senders of unsolicited email. The provision refers to any person with a “legitimate interest in the cessation or prohibition” of the unsolicited email and expressly identifies ISPs whose business interests are affected. How far national implementing legislation extends such a right beyond ISPs will be of significant interest to other organisations whose infrastructure and employees are targeted by unsolicited email.