Topic: Online advertising
Who: Governments of Netherlands and Poland
When: March 2013
Where:Netherlands and Poland
Law stated as at: 4 May 2013
What happened:
EU states are still in the process of implementing Directive 2009/136/EC (“2009 Directive”) which introduced amendments to the provisions of the EU Privacy and Electronic Communications Directive 2002/58/EC which impacted on the use of “cookies” and similar tracking technology.
The deadline for transposition of the 2009 Directive into local member state laws was 25 May 2011.
Poland
New cookie and data breach notification rules have been introduced in Poland under the “Polish Act of 16 November 2012″, with effect from 22 March 2013.
On the face of it, these rules follow the 2009 Directive require informed and express consent prior to the use of cookies. In practice, however, the regulators appear to have followed the approach of the data protection authority of the UK (ICO) and those of many other EU states and will accept “implied consent “. A clear notification must be given of the use of cookies and the relevant purposes. The user’s consent will be presumed if the default setting is not amended provided detailed notification has been provided.
The changes also introduce fines of up to a maximum of 3% of company profits for breach of the legislation based on annual profits of the entity in the year preceding the fine. Interestingly, the power to impose these fines is vested in the President of the Office of Electronics Communications and not the Polish data protection authority (GIODO). The GIODO has no authority for enforcing the rules on cookies but will be responsible for dealing with data breach notifications.
Netherlands
Here a much tougher line has been taken, although the enforcement picture is less clear.
Article 11.7a of the Dutch Telecommunications Act follows the 2009 Directive again and expressly requires consent before the cookie is applied.
So far, the only circumstances in which it appears that the express consent requirement will not be imposed (other than the very limited exceptions set out in the 2009 Directive) are where first party analytics cookies are used and the data gathered is anonymised.
It should be noted that this does not extend to Google Analytics, as these are third party cookies. It is possible that an amendment may be introduced to the existing law to give effect to this limited relaxation.
Having said this, the picture on enforcement of what are likely to be Europe’s strictest cookie laws is somewhat less clear. Indeed our sources indicate that the new rules are not being actively enforced at all, with uncertainty reigning amid an absence of clear official guidelines as to how the new laws should be followed.
Why this matters:
Many European organisations had initially followed the UK approach (as the first regulator to provide any guidance) and had adopted a banner approach including a cookie policy notifying users of the use of cookies and stating that continuing to use the site indicated consent.
For most organisations operating across Europe it is clearly advantageous to have a consistent approach to consent across all its websites in different locations where feasible.
Therefore the news from Poland clearly assists with this strategy.
he position in the Netherlands, however, is more troubling and clearly publishers looking to finalise a pan-European tracking technology strategy should take expert local advice in all relevant states before doing so.
