The EU has announced that "nothing stands in the way" of its ePrivacy Directive, paving the way for stronger rules surrounding data breaches and other privacy issues.

The EU said that, since the telecoms reform package had been approved, any work left to do on its rules was just a formality, with the new ePrivacy Directive requiring compulsory adoption by member states within 18 months.

The 'formalities' required for the EU's formal adoption of the rules are expected to take just a few weeks, and once completed will tighten up rules surrounding security breaches, spyware, cookies and spam.

Under the new rules, if an ISP is involved in a data breach involving individuals' personal information, they will have to notify the people involved. The EU suggested likely scenarios including, "those where the loss could result in identity theft, fraud, humiliation or damage to reputation".

Other rules will ensure the 'reinforced' protection of communications, such as how and when cookies are installed on user machines, and the right to bring 'effective legal proceedings against spammers'. This last change will apply to both individuals and ISPs, the EU said.

European data protection controllers will also find their powers extended, and will be able to order that any breaches of their rules are immediately stopped, whether on their own shores, or cross-European borders.

Peter Hustinx, the European data protection supervisor, said, "I welcome the many improvements in the protection of privacy in the revised ePrivacy Directive. But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification.

"Also, the new rules must be effectively enforced. I note in particular the emphasis on more effective enforcement of the rules on spyware and cookies. This has special relevance where privacy rights must be protected in relation to so-called targeted advertising."