EU Adopts New Rules on Data Breaches, Cookies, Spyware

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Telecommunications service providers in European Union member states will be required to notify customers of security breaches that compromise their personal data, under new amendments to the EU’s Directive on Privacy and Electronic Communications ("ePrivacy Directive,” CCH Privacy Law in Marketing ¶40,110).

The amendments to the ePrivacy Directive were part of a sweeping telecommunications reform package approved by the European Parliament on November 24, 2009.

The breach notification rules are the first of their kind in Europe, although unlike breach notification laws in the United States, the ePrivacy Directive’s notice requirements will be limited to telecommunications providers.

The legislation also reinforces protection against the interception of users’ communication through the use of spyware and cookies stored on a user’s computer or other device. The amended ePrivacy Directive requires websites to provider users with better information and easier ways to control whether they want cookies stored on their computers.

The amendments also (1) give Internet service providers the right to protect their business and their customers through legal action against spammers and (2) substantially strengthen the enforcement powers of national data protection authorities.

“The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment,” according to European Data Protection Supervisor Peter Hustinx.

“The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules,” he said. “But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification.”

The revised ePrivacy Directive, as amended by the European Parliament and adopted by the European Council, must be implemented by the member states within 18 months.

The amendments to the ePrivacy Directive will be reflected in CCH Privacy Law in Marketing. They appear on pages 71 to 83 of the telecom legislation found here on the European Union website.