The revisions address a number of points including:
• An obligation to notify the national regulator of any personal data breach;
• The right for companies to take civil proceedings against spammers;
• Provision for substantial penalties in the event of a breach of the revised Directive provisions.
In more detail:
In relation to the data security breach notification, the government plans to copy the provisions contained in Article 4(3) of the revised E-Privacy Directive into domestic law. It also proposes to authorise the Information Commissioner’s Office (ICO) to publish guidance in relation to the notification mechanism for personal data breaches. The government questions, however, whether the ICO has sufficient power to audit compliance with the new notification system.
In relation to penalties, the government and ICO are currently reviewing the effectiveness of the existing enforcement regime under Part V of the Data Protection Act 1998 (DPA) to ensure that the ICO is able to discharge its regulatory obligations as required by the amended Directive. The government proposes to make provision for additional sanctions, in the regulations implementing the revised Directive, to ensure that the UK complies with the requirements of Article 15a(1) of the revised E-Privacy Directive. The government invites comments as to how the provisions of the Directive could be better enforced.
In relation to cookies, the government's impact assessment specifically rejects the establishment of an opt-in system for cookies, which would mean that users would have to consent to every cookie placed on their computer. Instead, the government proposes to leave the ICO (or any future regulators) the flexibility to adjust to changes in usage and technology and to allow online providers to take advantage of the provision that the user’s will to accept cookies “may be expressed by way of using the appropriate settings of a browser or other application”.
In relation to information provision, the impact assessment sets out the government’s plans to introduce a requirement on providers of electronic communication services to have procedures in place to be able to respond to requests for information from the police or security services. The information in question is likely to include all information that police and security services can access under various provisions of the Regulation of Investigatory Powers Act 2001. The government proposes that the cost of implementing such procedures should be borne by the service providers. In order to monitor compliance with this new requirement, the government intends to give the ICO the power to request information from providers of publicly available electronic communications services about the procedures they have in place for responding to requests for access to users’ personal data, the number of requests received, the legal justification invoked and their response.
The government intends to lay the draft statutory instruments implementing the Directive before Parliament in April 2011 and therefore comments must be sent to BIS by 3 December 2010.
Website owners and online advertising providers will, of course, be relieved by the government’s position on the implementation of the new opt-in requirement for cookies.
This article is for general purposes and guidance only and does not constitute legal or professional advice.
Copyright 2010 Anassutzi & Co Limited. All rights reserved. Information may be shared or reproduced only if accompanied by the author’s name and bio.