What are other EU states doing about new cookie consent laws? And which country’s law applies if a website in one country drops a cookie on a computer in another? Osborne Clarke put these questions to digital lawyers across Europe. Stephen Groom reports the worrying results.
Topic: Online advertising
Who: EU member states
When: 26 May 2011
Where: the EU
Law stated as at: 26 May 2011
Just before the deadline for implementation of the EU "Citizens' Rights Directive" 2009/136/EC ("CRD") amending amongst other things the Privacy and Electric Communications Directive ("PECD"), Osborne Clarke conducted a spot check across its European network of specialist advertising lawyers.
The focus of the check was the provisions of the PECD as amended by the CRD which change the law on the dropping of "cookies" on the "terminal equipment" of a "subscriber or user." From now on in this article, we will call the PECD as amended by the CRD the "ePrivacy Directive."
Whereas the original PECD was satisfied with the provision of clear and comprehensive information about cookies and their purposes and the provision of an opportunity to opt out, the ePrivacy Directive now requires that:
"the storing of information or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent."
Recital 66 puts gloss on "consent" requirement
A gloss on this is provided by Recital 66 of the ePrivacy Directive, part of which was clearly drafted before the new consent requirement was introduced into the draft and was not updated. This reads as follows:
"Third parties may wish to store information on the terminal equipment of a user, gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible.
Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."
The UK Government has picked up on Recital 66 and although it accepts that browser settings on their own cannot provide a complete solution, it is talking to industry about developing more sophisticated browser technology which can hopefully help save the internet from a nightmare scenario in which no website can be entered until users are provided with copious disclosures regarding each cookie used by the site and ticking numerous boxes to confirm their understanding and consent.
This process will take time, however, and in light of this, as reported elsewhere on marketinglaw, the enforcement authorities have announced a delay of a year before the full rigour of the law change is enforced. (It should be noted, however, that according to ICO, inaction by cookie users in the interim could still lay them open to enforcement action-see other marketinglaw reports).
It is encouraging that the UK is taking this path, but how many other EU states will do the same? And how many other EU states have been as punctilious as the UK in meeting the 26th May 2011 deadline for implementation?
Also, if there are going to be differences from state to state, either because of delays by states in transposing the law or because of different approaches to which country's law applies, it will be crucial for those using cookies to know which country's law applies to their deployment.
For instance picture a UK website visited by a web user resident in another EU state. During that visit the UK site drops one or more cookies on the web user's PC.
Which country's law applies to the act of dropping that cookie on that PC? Is it UK law, in other words the "country of origin"? Or is it the law of the other EU state where the PC is located i.e the country of destination. Or could it conceivably be both?
Three simple aims of spot check
Against this backdrop, our EU spot check had three simple aims:
- find out which other EU member States if any looked likely to follow the UK example and allow a less strict, "browser-based" approach to adoption of the ePrivacy Directive;
- establish which other EU states had met the implementation deadline of 26 May 2011; and
- asking the lawyers surveyed which country's law they thought applied to our cross border cookie-dropping scenario above, assuming that the PC on which the cookie was dropped was located in their country.
The answers received from all other EU member states except Cyprus, Latvia and Luxembourg can be summarised as follows
- the UK is in a distinct minority in having implemented by the EU deadline. Out of the 22 other responding states, only five others appeared to be implementing on 26 May 2011 or a date close to it: Estonia, Finland, France, Ireland and Lithuania;
- as things currently stand, again the UK looks to be in a distinct minority in adopting the more flexible, "browser-settings-based" approach to implementation. Of the 22 other responding states only four indicated that an approach similar to that of the UK might be adopted: Finland, Ireland, Netherlands and Spain; and
- on the question of which country's law applies to the cookie being dropped in our scenario above, respondents in 4 states took the view that the local cookie law applied, in other words the law of the country where the PC was sitting when the cookie is dropped on it. The countries in question were Czech Republic, Estonia, Finland and Spain.
Why this matters:
The finding that the vast majority of EU Member States are taking their time and will miss the deadline by at least months if not years makes the UK Government's position look rather daft.
Why has the UK rushed ahead with transposition of the new laws before development of the technology it states will be key to compliance?
This unprecedented move has forced it to cause wholesale confusion by indicating that the law of the land will not be enforced for at least a year.
Wouldn’t it have been better to take a leaf out of the book of most other member states and delay implementation, allowing time:
- for suitable browser technology to be developed;
- for the IAB-promoted EU "OBA self regulatory Framework" to gain acceptance; and
- to see how other Member States were approaching compliance and enforcement and perhaps learn from them rather than forging ahead regardless?
Given that the previous cookie laws were hardly enforced and delay in implementing EU directives by a few months is commonplace, with tardy states suffering no major penalties, what practical benefits have been derived from being in the vanguard of those implementing and how can these possibly compensate for the confusion and disrespect for the law that has been potentially engendered by bringing into force laws that will not be enforced and offering compliance solutions that are not yet available?
We think we should be told.
Applicable law findings
In light of the disarray amongst EU Member States on when and how to implement the ePrivacy Directive, our initial concerns on applicable law appear to have been more than justified.
The view has been expressed, supported by the recent Article 29 Working Party ("WP") opinion on applicable law in the context of data protection, that where the Data Protection Directive 95/46/EC ("DPD") applies, the dropping of a cookie on a computer located in the EEA could be regarded as the use of systems located in the EU (i.e. the computer) to process personal data.
So where data contained in the cookie can be linked to a name, postal address or an email address of an identifiable individual, the DPD applies and under Article 4 (1), if the data controller is outside the EEA, then the law of the EU state where the computer is located will apply.
However if the personal data in question is processed "in the context" of activities of an establishment of the data controller in the EU, then it will be the law of the country where the data controller is established that applies.
In our scenario, this will likely be the UK if the website is controlled by a UK-established entity. But where this analysis comes potentially unstuck in terms of offering a solution to our applicable law quandary is:
- the rules we are dealing with here are not the rules in the DPD but rules in a different measure, the ePrivacy Directive, which does not impose the cookie consent requirements on "data controllers" as such;
- the DPD will only apply if the cookie in question contains "personal data," whereas the ePrivacy Directive consent rules apply regardless of whether personal data is involved.
Whatever the correct answer to this conundrum for the UK or the other EU states surveyed, the current picture, with differences of opinion amongst local experts and a dearth of official guidance on the point, is unsatisfactory in the extreme.
This means that UK cookie users, all of whom should be auditing their relevant practices now in light of the new UK regulations implementing the ePrivacy Directive (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011), should include in their audit an analysis of international use of their sites and if this indicates usage in other EU states, consider taking advice from local counsel as appropriate.
For the full OC EU cookie survey report contact email@example.com.