Mandatory notification of data breaches introduced by the European Commission…

The European Commission has passed a new privacy regulation which would require communications providers and Internet service providers to notify individuals whose personal details have been exposed to a data breach. The provisions of the ePrivacy Directive are aimed at improving the protection of privacy and personal data in the online community. Rules relating to security breaches, spyware, cookies, spam and enforcement are also covered by the Directive. In addition, focus is given to the protection of privacy threatened by targeted advertising. However, notably, for the first time in the European Union, notification of personal data breaches will be mandatory. A communications provider or ISP which finds itself involved in a data breach will now have to notify an individual affected by the blunder if the breach is likely to cause that individual harm. The potential for identity theft, fraud, humiliation or damage to reputation are likely to give rise to the requirement to notify. The Directive must be implemented by all EU Member States within 18 months.