How The Revised E-Privacy Affects You

By Maria Anassutzi
The E-Privacy Directive has recently been amended and the major effect is to only allow the use of cookies and is only allowed on the condition that the user has given his consent in a clear way. The changes to the E-Privacy Directive came following a study of the European Working Party on privacy.

The revisions address a number of points including:
• An obligation to notify the national regulator of any personal data breach;
• The right for companies to take civil proceedings against spammers;
• An obligation to use cookies only after the internet user has given his consent;
• Provision for substantial penalties in the event of a breach of the revised Directive provisions

More in detail:
In relation to the data security breach notification, the government plans to copy the provisions contained in Article 4(3) of the revised E-Privacy Directive into domestic law. It also proposes to authorise the Information Commissioner's Office (ICO) to publish guidance in relation to the notification mechanism for personal data breaches. The government questions, however, whether the ICO has sufficient power to audit compliance with the new notification system.

In relation to penalties, the government and ICO are currently reviewing the effectiveness of the existing enforcement regime under Part V of the Data Protection Act 1998 (DPA) to ensure that the ICO is able to discharge its regulatory obligations as required by the amended Directive. The government proposes to make provision for additional sanctions, in the regulations implementing the revised Directive, to ensure that the UK complies with the requirements of Article 15a(1) of the revised E-Privacy Directive. The government invites comments as to how the provisions of the Directive could be better enforced.

In relation to cookies, in the impact assessment, the government specifically rejects the establishment of an opt-in system for cookies which would mean that users would have to consent to every cookie placed on their computer. Instead, the government proposes to leave the ICO (or any future regulators) the flexibility to adjust to changes in usage and technology and to allow online providers to take advantage of the provisions that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application".

The government, however, suggests that browser owners should take steps to ensure that browser settings are made more visible to consumers. Browser owners and website owners that use cookies should also provide consumers with clear and comprehensive information about cookies and how to opt-out of them if they wish.

In relation to information provision, the impact assessment sets out the government's plans to introduce a requirement on providers of electronic communication services to have procedures in place to be able to respond to requests for information from the police or security services. The information in question is likely to include all information that police and security services can access under various provisions of the Regulation of Investigatory Powers Act 2001. The government proposes that the cost of implementing such procedures should be borne by the service providers. In order to monitor compliance with this new requirement, the government intends to give the ICO the power to request information from providers of publicly available electronic communications services about the procedures they have in place for responding to requests for access to users' personal data, the number of requests received, the legal justification invoked and their response.

The government intends to lay the draft statutory instruments implementing the Directive before Parliament in April 2011 and therefore comments must be sent to BIS by 3 December 2010.

Website owners and online advertising providers will, of course, be relieved with the government's position on the implementation of the new opt-in requirement for cookies.

However, the government's approach is likely to be in conflict with the position of the Article 29 Working Party which, in its pre-emptive opinion on the subject in June 2010, has demanded strict opt-in standards for the use of cookies.

This article is for general purposes and guidance only and do not constitute legal or professional advice.