A recently passed amendment to the EU Privacy Directive will require Internet users’ consent before cookies can be placed on their computers. This is part of a revised ePrivacy Directive that is close to enactment, that includes improvements on security breach, cookies and enforcement. The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The revised ePrivacy Directive must be implemented by the Member States within 18 months.

The changes introduced include:

    For the first time in the EU, a framework for mandatory notification of personal data breaches . Any communications provider or Internetservice provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
    Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
    The possibility for any person negatively affected by spam , including ISPs, to bring effective legal proceedings against spammers;
    Substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

What this means is that the current laws that the data subject has increased protection online. If their personal data has been exposed, they must be notified. As such they must be informed if personal information on them is being collected, and they should have the option to opt-out (or more preferably opt-in). This is not possible with the way cookies are used today where they are just downloaded onto the users’ PCs without warning. All security to warn the user of tracking cookies are provided by the web-browser. This will now have to be included in the cookie itself.. I think. Any experts out there that know how this could work in practice, please jump in here and comment 🙂

I also read some references to how the use of RFID for the collection of personal information falls in the scope of this amendment.

And finally enforceability is key. Hence each member state must have the appropriate legilsation implemented to make this amendment effective and enforceable.

“Michigan entering into a federal agreement to put unencrypted, long-range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit”, says Republican State Rep. Paul Opsommer, in a statement. “I don’t think we need RFID in our licenses period, but even if we did, there is absolutely no reason it couldn’t be short range and encrypted. The federal government has made some bad technology choices that they now want to cram down the rest of our throats. Canada is totally rethinking this whole program from the ground up, and so should Michigan.” Read more at Network World.