Cookie Directive

Directive 2009/136/EC (also known as the Cookie Directive) amends the Privacy and Electronic Communications Directive 2002/58/EC,[1] introducing numerous changes, in particular regarding internet cookies.[2]

It seeks to give extra protection to users of electronic communication services through an obligation to notify breaches of personal data, a requirement of consent, and stronger implementation and enforcement measures for transposing the Directive into national law. Under Article 15a of the Directive, the Member States were to notify the European Commission of their national provisions implementing the new Directive by 25 May 2011. Unfortunately, so far only five countries – Denmark, Estonia, Finland, Sweden and the United Kingdom – have notified measures implementing the new rules in full.[3]

Changes

“Security of personal data” – Article 4

The Directive updates Article 4 to provide a higher level of protection for personal data. Protection is offered against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure. Under the old Article 4, the provider of a publicly available electronic communications service had to take appropriate technical and organisational measures to safeguard the security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. The new Directive adds a further paragraph, 1a, which lays down the minimum measures that providers are to bring in. These are:

  • “to ensure that personal data can be accessed only by authorised personnel for legally authorised purposes”,
  • “protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and,”
  • “ensure the implementation of a security policy with respect to the processing of personal data”.

It also adds a new Article 4(b), which provides additional enforcement mechanisms for these minimum requirements: national authorities must be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that those measures should achieve.

Confidentiality and new regulations regarding Cookies – the Opt-in Regime (Article 5)

Article 5 of the Cookie Directive amends the old Article 5(3) of the e-Privacy Directive, which deals with storing and accessing information on a user's equipment. The use of cookies is regulated under this provision.

Cookies are small text files stored on a user's computer or other device, and they are a vital, if occasionally controversial, part of the operation of a modern website. Cookies allow a site's operator to understand how the site is used. They are a technical precondition for being able to log into a site. They also facilitate the targeted advertising which funds much 'free' web content.[4]

The new Article 5(3) reads:

“The storing of information or the gaining of access to information already stored in the user’s equipment is only allowed on the condition that the subscriber or user concerned has given their consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

This means that the new Directive requires the user to consent to the storing of cookies on their computer.

The main differences between the 2002 Directive and 2009 Directive are:

1) Subject matter

  • The old Directive regulates “the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user”.
  • The new Directive regulates “the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user”. It has a broader scope than the old Directive, as it is not limited to the use of electronic communications networks but covers any form of storing of information on a user's equipment; this includes laptops and smartphones.

2) The condition under which the storing and accessing of personal data is allowed.

  • Under the old Directive: storing and access is only allowed when the user is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
  • Under the new Directive: “the user has to give consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.” There is no longer a condition of a right to refuse such processing by the data controller.


Issue of consent

The Cookie Directive adds the condition of consent in order to be able to store or access information stored on the user's equipment. Consent has been a very controversial issue, as the question arises what consent is and how it should be defined and obtained. If Article 5(3) is read such that consent “is to be given in accordance with the definition in Directive 95/46/EC” (see the text of the Directive), the definition under Article 2(h) of that Directive is that “'the data subject's consent' shall mean any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

However, even with this definition there is still division as to what constitutes consent that is freely given, specific and informed.

The debate has fallen into two camps – those who regard consent as including implied consent, and those who consider that consent must be explicit.

Implied Consent

A number of countries, in implementing the Directive, have decided that consent can be obtained through browser settings or other technical means, through which the user can be considered to have given consent. This suggests that consent can be obtained through implied, indirect means, potentially falling short of a freely given, specific and informed indication of the user's intention. These countries include France, Finland, Denmark, Germany, Hungary, Ireland, Italy, Luxembourg, Slovakia, Spain, Sweden and the United Kingdom.[5]

It has been argued that Recital 66 of Directive 2009/136 seems to acknowledge that the user's consent to processing may be expressed by “using the appropriate settings of a browser or other application”, if it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC. Countries such as the UK have used Recital 66 as their rationale and justification for treating browser settings as complying with the consent requirement imposed by the Directive.

Opposition to implied consent

There has been opposition to interpreting the consent requirement as being satisfied through implied consent. The Article 29 Working Party set up by the e-Directive, in its opinion on Online Behavioural Advertising, was quite hostile to the idea of browser consent. Its reasoning was that many users lack the technical nous required to use their browser settings to properly manifest their preferences. A practical challenge for website designers is deciding what steps need to be taken to show that consent has actually been obtained. Surveys of practice have revealed a clear lack of certainty on this point.[6]

It has been questioned whether browsers provide a sufficient level of protection to users and comply with the definition of data subject consent under Directive 95/46/EC as required by Recital 66. In the UK, for example, the Information Commissioner's Office is advising that current browser privacy settings are “not sophisticated enough to allow you to assume that the user has given their consent”.[7] Also, not every user accesses a site through a browser; some use an app on their mobile phone.[8] In that case the consent requirement could not be met through browser settings at all.

Explicit Consent

On the other hand, it is arguable that the Directive sought consent to be prior and express. However, the Netherlands has been the only country to adopt the Article 5(3) opt-in regime explicitly and in full, treating browser settings as insufficient. Pursuant to the new “cookie law”, incorporated in the Dutch Telecommunications Act (article 11.7a under 1), website operators will be required to obtain prior consent from users before they can store or gain access to cookies on the user's computer (i.e. opt-in). Consequently, current browser settings are insufficient to obtain consent.[9] However, it may be the case that the Dutch legislation goes further than the proposal of the European Commission by requiring that website publishers have proof that they have acquired the user's permission. The lower house has approved the legislation, but it may still be overturned by the upper house. The Upper House decision is expected to be declared by October 2011.[10] The Dutch legislation requires that the data collector must have the user's permission to collect data. It means that consumers have to agree to have their personal information stored and traced by internet service providers. Vice President of the EU Commission Neelie Kroes is opposed to the Dutch legislation.[11]

Support for Explicit Consent

The Working Party Article 29 on Consent

Although the Data Protection Directive does not explicitly state when (i.e. at what point) consent should be sought, the Working Party set up under the e-Directive believes that it is clearly implied from the language of the various provisions that, as a general rule, consent has to be given before the processing starts.

The European Data Protection authorities, through the Article 29 Working Party, have attempted to define consent and in July 2011, adopted a formal Opinion (WP187) on the definition of consent ('the Opinion').[12]

It rests on a number of principles:

1) Consent has to be given before the processing starts.

2) Consent differs from the right to object.

3) Consent based on an individual's inaction or silence does not normally constitute valid consent, especially in an online context. Some sort of positive action is required for consent to be valid.

4) A situation of subordination often prevents consent from being seen as freely given.

5) Blanket consent without specifying and separating each purpose of the processing is not acceptable. Each of the different elements that constitute data processing should have its own consent; generic consent is not accepted.

6) The mere availability of information is not sufficient for consent to be deemed informed — information should be provided directly to individuals, and it must be clearly visible (in terms of type and size of fonts), prominent and comprehensive.

7) Consent must always be unambiguous, meaning that the procedure to obtain consent cannot leave any doubt as to the user's intention. If there is reasonable doubt about the individual's intention, there is ambiguity and that does not constitute valid consent.

8) Evidence of consent should be created and retained, so that consent is verifiable. This information should be made available to the relevant data protection authority upon request.

In a nutshell, as far as the EU data protection authorities are concerned, consent essentially means prior opt-in, and anything less will not qualify as valid consent.

Opposition to Explicit consent

Commentators say that the opt-in system would be difficult to implement. Website publishers have voiced their concern that the opt-in approach will ruin the user-friendliness of websites.[13] This would go against what is stated in Recital 66 of Directive 2009/136, that “the methods of providing information and offering the right to refuse should be as user-friendly as possible”. The Internet Advertising Bureau (IAB) Europe and IAB Belgium are amongst the opponents of the strict consent requirements imposed by the Cookie Directive. They claim that it would have serious consequences for consumers' surfing experience. As a mark of protest the IAB has launched the website http://www.cookiedemosite.eu/, demonstrating the adverse effects of the consent requirement on the user-friendliness of the internet, and as a warning to those Member States, such as the Dutch Parliament, which are putting such requirements into their legislation.[14]

Kimon Zorbas, Vice President of IAB Europe, also believes that explicit consent is too harsh for practical use, as “asking for consent so strict that it is in practice an explicit consent, goes far beyond the objective of the e-Privacy Directive”. He also stated that “such requirements are likely to result in either pop-ups or registration-like processes, neither of which increases users' privacy protection. Clear and transparent consumer information and meaningful controls (e.g. existing and new improved browser settings) contribute to better privacy in a pragmatic way”.[15]

The issue of consent may hamper the aim of the Directive to harmonise the laws dealing with storing and accessing information using electronic communication networks, in order to provide for a strong internal market. Member States applying different definitions of consent may adversely affect market competition. Even though the Dutch Government has pointed out that it will enforce the law, if adopted, against Dutch companies only, IAB Europe is concerned that the legislation will put Dutch companies at a serious competitive disadvantage. The maturity and value of the Dutch online advertising market is among the top five in Europe, and it is likely to lose its place in the EU ranking if the Dutch Senate confirms the proposed law.[16]

Other commentators regard explicit prior consent as very dogmatic, conservative and mathematical, taking no account of the balance of interests. For example, it does not take into account that in some circumstances it would be reasonable to regard a person's passive behaviour as consent. Some see express prior consent as disproportionate. In support of this argument they refer to the e-Privacy Directive itself, which distinguishes between the different purposes for which third parties may wish to store, or gain access to, information stored in the terminal equipment of an internet user. The purposes are clearly stated in Recital 66 of Directive 2009/136. They range from the legitimate — in particular, cookies — to those involving an unwarranted privacy intrusion, such as spyware or viruses. A balanced and realistic assessment of the requirement for consent should take those differences into account and aim for a more pragmatic and reasonable standard.[17] Furthermore, these commentators regard the Opinion as lacking in pragmatism, as it fails to recognise that certain types of processing are not significantly intrusive and that there should be more scope for a balance of interests in data protection compliance.

Some commentators believe that the correct approach to consent will likely emerge from industry practice and regulatory dialogue.[18] Patrick Marck, General Manager of IAB Belgium, also takes this view, stating that "the debate on the use of cookies has been rather theoretical so far and we hope a real life demonstration website will help policy makers in Europe and Dutch Senators assess the impact of an overly strict consent provision properly." However, he believes that a strict prior consent requirement is too cumbersome.

Obtaining consent

There seem to be two ends to the spectrum with regard to how consent is obtained. At one end is the position of the ICO, which discloses its use of cookies and requires users to tick a box noting that they accept cookies. Some argue that this is excessive, particularly if the law under the e-Privacy Directive is read as merely requiring consent and not explicit consent, which is a key distinction in data protection law. At the other end, a number of commercial websites cover the relevant disclosures only in their privacy policies. This position may be ill-advised, particularly as the purpose of the revised e-Privacy Directive and Regulations is to increase the level of disclosure about cookies.

There have been various disagreements as to how to go about implementing the Cookie Directive's new requirement to obtain consent. The regulations do not specify a concrete way of doing so.

It is suggested that a possible approach is for websites to take a more proactive role by educating their users about cookies. If a site goes 'above and beyond' the statutory duty of disclosure and actually informs its users how they can set their browsers to reject cookies, that site may be in a strong position to argue that it has taken all practical steps to obtain user consent. However, the question is whether websites will take on this educational approach and whether it will be enough to be deemed to have obtained true consent.[19]

With only five Member States having adopted the Cookie Directive by the deadline, and only one Member State, namely the Netherlands, having adopted the explicit consent requirement, IAB Europe urges EU Member States to consider the negative impact of an overly strict consent requirement for cookies.

Exceptions

Article 5(3) allows for exceptions to obtaining consent.

Consent is not required if the storage or access is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or if the storage or access is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

There is no need to require consent for those cookies that are strictly necessary for a service required by a user such as remembering items in your online shopping basket. The exemption is unlikely to cover advertising cookies (for example), which are not technically required to make a service function (even if they are required to make that service profitable).[20]

Therefore, websites that carry advertising require users' consent to set cookies, and the same rule applies to websites that count the number of visitors using services such as Google Analytics or WebTrends.[21] The exemption, by contrast, may cover session cookies required to log into a webmail platform.
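As an added illustration (example code written for this article, not from the article or any source it cites), the following server-side gate applies the Article 5(3) exemption for strictly necessary cookies together with the Working Party principles listed above: silence or default browser settings release nothing, consent is checked per purpose and must predate the request, and every decision is written to an audit record as evidence. The cookie classification table, the consent record format and all function names are assumptions, and the sample data is constructed.

```javascript
// Hypothetical classification of the cookies a site sets (assumption; a real
// site would maintain its own table). Only "strictly-necessary" is exempt
// from consent under Article 5(3); every other purpose needs prior opt-in.
const COOKIE_PURPOSES = {
  sessionid: "strictly-necessary", // login session the user asked for
  basket: "strictly-necessary",    // items in the online shopping basket
  _ga: "analytics",                // visitor counting: not exempt
  adtrack: "advertising",          // targeted advertising: not exempt
};

// Working Party principles 1, 3, 5, 7 and 8: consent must be prior, a positive
// action, given per purpose, unambiguous, and backed by retained evidence.
function validateConsent(record, purpose, now) {
  if (!record) {
    return { ok: false, reason: "no consent record (silence is not consent)" };
  }
  if (record.method !== "explicit-optin") {
    return { ok: false, reason: "not a positive action: " + record.method };
  }
  if (typeof record.purposes !== "object" || record.purposes[purpose] !== true) {
    return { ok: false, reason: "no consent for purpose " + purpose };
  }
  if (typeof record.timestamp !== "number" || record.timestamp > now) {
    return { ok: false, reason: "consent not given before processing" };
  }
  if (!record.evidenceId) {
    return { ok: false, reason: "no retained evidence of consent" };
  }
  return { ok: true, reason: "explicit prior consent, evidence " + record.evidenceId };
}

// Filter the Set-Cookie headers an application wants to emit down to those the
// site may actually set, and produce one audit entry per cookie (principle 8).
function gateSetCookies(setCookieHeaders, consentRecord, now) {
  const allowed = [];
  const audit = [];
  for (const header of setCookieHeaders) {
    const name = header.split("=")[0].trim();
    const purpose = COOKIE_PURPOSES[name] || "unknown";
    let decision;
    if (purpose === "strictly-necessary") {
      decision = { ok: true, reason: "exempt under Article 5(3)" };
    } else if (purpose === "unknown") {
      // Principle 5: an unclassified cookie cannot ride on blanket consent.
      decision = { ok: false, reason: "unclassified cookie; no blanket consent" };
    } else {
      decision = validateConsent(consentRecord, purpose, now);
    }
    if (decision.ok) allowed.push(header);
    audit.push({ cookie: name, purpose, allowed: decision.ok, reason: decision.reason });
  }
  return { allowed, audit };
}

// Constructed sample: four cookies an application wants to set on one response.
const WANTED = ["sessionid=abc123; HttpOnly; Secure", "basket=item42",
                "_ga=GA1.2.1", "adtrack=xyz"];
const NOW = 1700000000;
// Constructed record: the user ticked a box for analytics only, before this request.
const EXPLICIT_ANALYTICS = { method: "explicit-optin", purposes: { analytics: true },
                             timestamp: NOW - 60, evidenceId: "consent-0001" };
// Constructed record: "consent" inferred from default browser settings.
const BROWSER_IMPLIED = { method: "browser-default",
                          purposes: { analytics: true, advertising: true },
                          timestamp: NOW - 60, evidenceId: "consent-0002" };

for (const [label, rec] of [["no record", null], ["browser-implied", BROWSER_IMPLIED],
                            ["explicit analytics", EXPLICIT_ANALYTICS]]) {
  console.log(label, gateSetCookies(WANTED, rec, NOW).audit);
}
```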

Traffic Data: Article 6(3) Dealing with Marketing data

Under the amended Article 6(3), traffic data can only be processed for the purpose of marketing by a provider of a publicly available electronic communications service if the subscriber or user to whom the data relate has given his or her prior consent, and only to the extent and for the duration necessary for the marketing services. Users or subscribers shall be given the possibility to withdraw their consent to the processing of traffic data at any time.

Spam/Unsolicited Communications – Article 13

The amendment to Article 13, which deals with spam, provides extra protection to users through greater remedies and enforcement. The newly added paragraph 6 allows legal proceedings to be brought in respect of infringements, without prejudice to the remedial regime provided under the amended Article 15a. Where a natural or legal person has been adversely affected by infringements of national provisions adopted pursuant to Article 13, and has a legitimate interest in bringing such infringements to an end or prohibiting them (including an electronic communications service provider protecting its legitimate business interests), they may bring legal proceedings in respect of those infringements. The article also gives the Member States the option to lay down specific rules on penalties for providers of electronic communications services which, by their negligence, contribute to infringements of national provisions adopted pursuant to this article on unsolicited communications.

Implementation and enforcement- Article 15a

Directive 2009/136 provides for a more stringent implementation and enforcement regime for electronic communications. Under the added Article 15a, Member States are obliged to lay down rules on penalties, including criminal sanctions where applicable, for infringements of the national provisions adopted to implement this Directive. The Member States shall also take “all measures necessary” to ensure that these are implemented. The new article further states that “the penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified”.

Article 15a(2) also grants national authorities and other bodies the power to order the “cessation of the infringements of the national provisions implementing the directive”. Paragraph 3 obliges the Member States to grant these bodies the “necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive.”

References

  1. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
  2. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
  3. Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, Online privacy – reinforcing trust and confidence, Online Tracking Protection & Browsers Workshop, Brussels, 22 June 2011, available at <http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/461&format=HTML&aged=0&language=EN&guiLanguage=en>
  4. Nolan, P. and Tobin, O., 2011, New Rules on Cookies – what they say and what omissions from the early draft tells us, DPI, 4, 5 (4)
  5. Field Fisher Waterhouse, The Cookie Consent Rule: EU Implementation, available at <http://www.ffw.com/pdf/cookie-consent-tracking-table.pdf>
  6. Nolan, P. and Tobin, O., 2011, New Rules on Cookies – what they say and what omissions from the early draft tells us, DPI, 4, 5 (4)
  7. Cobert, R. and Cox, A., 2011, News and Views, DPI, 4, 5 (17)
  8. ICO Guidelines, Advice on the New Cookie Regulations.
  9. Field Fisher Waterhouse, The Cookie Consent Rule: EU Implementation, p. 13.
  10. http://www.osborneclarke.com/media/sectors/digital-business/dutch-legislation-to-require-cookie-opt-in-consent.aspx
  11. http://www.osborneclarke.com/media/sectors/digital-business/dutch-legislation-to-require-cookie-opt-in-consent.aspx
  12. Ustaran, E. and Hordern, V., 2011, Clarifying Consent, DPI, 4, 5 (7)
  13. http://www.osborneclarke.com/media/sectors/digital-business/dutch-legislation-to-require-cookie-opt-in-consent.aspx
  14. IAB Europe urges EU Member States to consider negative impact of an overly strict consent for cookies, <http://www.iabeurope.eu/news/iab-europe-urges-eu-member-states-to-consider-negative-impact-of-an-overly-strict-consent-for-cookies.aspx>
  15. http://www.iabeurope.eu/news/iab-europe-urges-eu-member-states-to-consider-negative-impact-of-an-overly-strict-consent-for-cookies.aspx
  16. http://www.iabeurope.eu/news/iab-europe-urges-eu-member-states-to-consider-negative-impact-of-an-overly-strict-consent-for-cookies.aspx
  17. Ustaran, E. and Hordern, V., 2011, Clarifying Consent, DPI, 4, 5 (7)
  18. Nolan, P. and Tobin, O., 2011, New Rules on Cookies – what they say and what omissions from the early draft tells us, DPI, 4, 5 (4)
  19. Nolan, P. and Tobin, O., 2011, New Rules on Cookies – what they say and what omissions from the early draft tells us, DPI, 4, 5 (4)
  20. Nolan, P. and Tobin, O., 2011, New Rules on Cookies – what they say and what omissions from the early draft tells us, DPI, 4, 5 (4)
  21. http://www.jisclegal.ac.uk/ManageContent/ManageContent/tabid/243/ID/1347/EU-Cookie-Directive--Directive-2009136EC.aspx