ePrivacy Directive

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules

The Article 29 Working Party recently released an opinion on data breach notification in the EU. The opinion addresses two main issues:

  • Experience to date with the existing breach notification rules in the ePrivacy Directive.

The breach notification obligation imposed by article 4.3-5 of the ePrivacy Directive (2002/58/EC) only applies to providers of electronic communications services. EU Member States are still in the process of transposing the rules into their national laws. However, as most of them are unlikely to meet the deadline of May 25, the Working Party had little to go on for its evaluation. The Working Party underscores the need for harmonization and highlights the areas where such harmonization may be threatened, in particular (i) divergences in the scope of the breach notification obligation; (ii) diverging national guidelines on the modalities of the notification; and (iii) diverging interpretation of what constitutes “protected data” (e.g., encrypted data) that is not subject to some aspects of the breach notification obligation. In order to help ensure harmonization and to increase coordination in cross-border breaches, the Working Party has decided to set up a sub-group on breach notification.

  • Expansion of the breach notification obligation to other sectors.

The Working Party welcomes the European Commission’s intention to adopt a horizontal breach notification obligation as part of the revision of the Data Protection Directive. In particular, the Working Party stresses that the new regime should be similar to the one in the ePrivacy Directive; that is, with the same harm threshold, the same notification procedure and the same modalities. Moreover, the Working Party invites the Commission to propose secondary legislation under the ePrivacy Directive that could also serve under the expected general breach notification, once introduced in the Data Protection Directive.

While the Working Party’s position comes as no surprise, three points are worth highlighting:

Since the 2009 amendments to Article 5(3) of the ePrivacy Directive (2002/58/EC) regarding cookies and consent, there has been considerable debate over what web sites and ad networks must do in order to deploy cookies lawfully, and over what constitutes informed consent from users (e.g., opt-in versus opt-out).  For a flavour, see the Article 29 Working Party Opinion 2/2010 on online

The EU’s ‘cyber security’ agency ENISA has issued a report on data breach notifications in the EU.  The report is in response to the 2009 amendments to the ePrivacy Directive requiring telecom and Internet service providers to issue notifications for personal data breaches, which Member States must transpose into national legislation by May 2011. 

The ENISA report reviews best practices in countries where data breaches are already required or are expected to be notified (e.g., Germany, Spain and Ireland), highlights concerns of providers and regulatory authorities regarding the new EU-wide mandatory notification regime, and identifies areas where further EU level or local guidance is needed.