In December 2009 a revision to the existing E-Privacy Directive came into force which, as I briefly indicated in my article Promoting Your Website amends fundamental parts of the directive. The change is part of a wider review of the EU telecoms regulatory framework. The key changes affecting businesses and consumers are the changes to the revised E-Privacy Directive and the changes to the Universal Services Directive.

This article discusses the changes to the E-Privacy Directive and the BIS consultation, setting the government's approach to the implementation of the revised E-Privacy Directive. Responses and comments are invited by 3 December 2010.

The revisions include the following:

Data security breach notification. A requirement for Member states to adopt provisions requiring providers of public communications services to notify the national regulator of any personal data breach. A personal data breach is defined as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community."

Spam. A right for legal persons with a legitimate interest in combating the sending of unsolicited commercial e-mails (spam) to take legal action against "spammers" in civil proceedings.

Cookies. A requirement that the use of cookies is only allowed on the condition that the subscriber or user concerned has given his or her consent (opt-in) having been provided with clear and comprehensive information about the purposes of such processing.

Penalties and enforcement. Member states must provide for effective, proportionate and dissuasive penalties (including criminal sanctions) for any infringements of the national provisions adopted pursuant to the Directive.Member states must adopt measures to implement the Directive by 25 May 2011. What the government proposes in its consultation document:

• In relation to the data security breach notification, the government plans to copy the provisions contained in Article 4(3) of the revised E-Privacy Directive into domestic law. It also proposes to authorise the Information Commissioner's Office (ICO) to publish guidance in relation to the notification mechanism for personal data breaches. The government questions, however, whether the ICO has sufficient power to audit compliance with the new notification system.
• In relation to penalties, the government and ICO are currently reviewing the effectiveness of the existing enforcement regime under Part V of the Data Protection Act 1998 (DPA) to ensure that the ICO is able to discharge its regulatory obligations as required by the amended Directive. The government proposes to make provision for additional sanctions, in the regulations implementing the revised Directive, to ensure that the UK complies with the requirements of Article 15a(1) of the revised E-Privacy Directive. The government invites comments as to how the provisions of the Directive could be better enforced.
• In relation to cookies, in the impact assessment, the government specifically rejects the establishment of an opt-in system for cookies which would mean that users would have to consent to every cookie placed on their computer. In the government's opinion, that approach would lead to a permanent disruption of services and to online providers potentially suffering substantial losses, both in relation to the costs they would incur in programming pop-up windows or other means to obtain consent, and in directly lost revenue from users choosing not to allow cookies (including lower advertising revenue and lost sales). Instead, the government proposes to copy the provisions contained in Article 5(3) of the revised Directive into domestic law, leaving the ICO (or any future regulators) the flexibility to adjust to changes in usage and technology. It intends to allow online providers to take advantage of the provisions contained in Recital 66 of the Citizens' Rights Directive which makes it clear that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application". The government suggests that browser owners should take steps to ensure that browser settings are made more visible to consumers. Browser owners and website owners that use cookies should also provide consumers with clear and comprehensive information about cookies and how to opt-out of them if they wish.
• In relation to information provision, the impact assessment sets out the government's plans to introduce a requirement on providers of electronic communication services to have procedures in place to be able to respond to requests for information from the police or security services. The information in question is likely to include all information that police and security services can access under various provisions of the Regulation of Investigatory Powers Act 2001. The government proposes that the cost of implementing such procedures should be borne by the service providers. In order to monitor compliance with this new requirement, the government intends to give the ICO the power to request information from providers of publicly available electronic communications services about the procedures they have in place for responding to requests for access to users' personal data, the number of requests received, the legal justification invoked and their response.

The government intends to lay the draft statutory instruments implementing the Directive before Parliament in April 2011 and therefore comments must be sent to BIS by 3 December 2010.