When in Rome, consider privacy regulations

BCS view: Amendments to the Rome 1 legislation put data privacy back into the limelight

Written by Emma Leith

Proposed new "Rome 1" European Union (EU) legislation demonstrates the effect EU law can have on the private sector, in particular on small and medium-sized enterprises (SMEs).

The draft regulation was presented as an update and clarification to the obligations of the Rome 1 convention. Unfortunately, it came with a price: under the changes, all e-commerce traders would be required to settle any consumer dispute according to the laws of the country from which the product was ordered, not the country from which the trader operates.

The draft Rome 1 proposal has since been through a series of amendments, because of significant exposure and opposition in the EU, and now provides for businesses and consumers to be able to choose the law applicable to the contract. However, it could easily have had a serious effect on UK internet traders and small businesses relying on cross-border e-commerce for profitability and growth, as well as on consumers who have benefited from the increased choice that free and open internet trade has brought.

Privacy regulations are also taking centre stage. In the wake of the HM Revenue and Customs data loss incident, the European Commission is planning to introduce a security breach notification law, which will force companies to tell customers when their personal data security has been breached.

Such notifications are common in the US, but if made law over here would result in a serious shake-up for data security practices. The importance of adequately securing personal data will become a legal requirement, similar to the regulations imposed on companies processing cardholder data by the PCI Security Standards Council.

On a similar matter of privacy, there is a debate at the moment with the EU questioning whether IP addresses should be considered as personal data.

With the use of dynamic IP addressing systems, IP addresses can change or be given out to another user. However, with the move towards IPv6 it will be even easier to identify an individual by an IP address.

The outcome of this debate will have serious consequences, not just for search engines such as Google, but for European companies, and how they do business with external resources. It is important to stay up-to-date with EU and national laws and their effects on security-related topics such as corporate governance, data protection and privacy.

It is also important to protect your own interests by including security aspects of great importance to the business in supplier negotiations.

This includes client responsibilities, data protection and privacy laws, safe harbour obligations and guidelines. Making security a contractual issue is the right step forward to changing the mentality among non-security professionals that security is desirable, but not essential.

Emma Leith is information security consultant at Comsec and a BCS contributor
