Out-Law News

New cookies guidance highlights intra-EU differences on data protection definitions, says expert


New guidance issued by an EU privacy advisory body on 'cookies' highlights a continuing lack of harmonisation on definitions central to European data protection laws, which are interpreted differently across different EU countries, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, highlighted that the different interpretations within Europe of fundamental terms, such as what is meant by 'consent', and how these interpretations are going to be enforced by the national data protection authorities (DPAs), remains a key issue for the success, or otherwise, of the EU Data Protection Regulation, one of the key aims of which is better harmonisation across Europe.

He said that the issues arise in relation to 'cookies' in the current context, but could arise under the reformed EU data protection law framework envisaged by the European Commission.

Cookies are small text files that store details of internet users' online activity. Website operators often use cookies to record user behaviour for the purpose of analytics or to deliver personalised content to those individuals, whilst advertisers also use cookies to deliver targeted ads based on users' prior interactions online.

EU rules require individuals to consent to the placing of cookies on their device by the website operators and advertisers in most circumstances.

In its guidance the Article 29 Working Party acknowledged that there were differences in the way member states had implemented changes to EU rules on cookies over the past couple of years and set out a standard of 'consent' that organisations operating across every EU member state would need to achieve to ensure any single technical solution they were reliant on was compliant with each of the rules in force within the trading bloc.

The EU's Privacy and Electronic Communications (e-Privacy) Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.

The meaning of 'consent' under the e-Privacy Directive is taken from how the term is defined under the EU's Data Protection Directive. Consent to personal data processing must therefore be "freely given, specific and informed". There is no requirement that individuals' consent is explicitly given, other than where the data being processed is categorised as being sensitive.

According to the new Working Party guidance, in order for a cookie consent solution to be deemed compliant in each EU member state, the mechanism for obtaining consent should ensure that individuals are presented with "specific information" about the "exact purpose" of the cookie setting, that the consent is obtained prior to the setting of cookies, that the consent is based on the "active behaviour" of users and that those users had a free, "real" choice about whether or not to give their consent.

In the UK, the Information Commissioner's Office (ICO) previously issued guidance on cookies in which it explained that there is no absolute requirement for website operators to obtain prior consent to cookies. It said that where cookies are set upon users' entry to a website, the speed with which those users are shown options to consent to cookies, based on "clear and comprehensive" information, will be determinative of their compliance.

However, the Working Party has said that websites that meet that standard may not meet cookie consent requirements elsewhere in the EU.

"To achieve compliance across all EU member states consent should be sought before cookies are set or read," it said in its guidance. "As a result a website should deliver a consent solution in which no cookies are set to user’s device (other than those that may not require user’s consent) before that user has signalled their wishes regarding such cookies."

There is also a difference between what the ICO has interpreted as being an acceptable standard of implied consent, and what the Working Party has said will pass the test across each EU member state.

The ICO, which itself relies on implied consent to cookies served from its website, said that consent "might be inferred from a series of user actions which do not in isolation constitute a direct expression of the user’s thoughts about cookies".

The Working Party's guidance explains that "the process by which users could signify their consent for cookies" can be through the "positive action or other active behaviour" of those users, on the basis that those individuals were provided with information to make them "fully informed of what that action represents". However, the guidance states that "it must be clearly presented to the user, which action will signify consent to cookies", calling into question whether website operators can in fact rely on the accumulation of user actions to demonstrate that they have given consent to cookies across the whole of the EU.

Out-Law.com asked the ICO about this point. In response a spokesperson for the watchdog said: "We are confident that the ICO’s guidance explaining how organisations in the UK can comply with the cookies rules in the Privacy and Electronic Communications Regulations is consistent with the UK implementation of the EU law."

"While some European countries have adopted a slightly different approach around the issue of consent for cookies, which is reflected in the Article 29 Working Party guidance which we contributed towards, ultimately the key point is that individuals are informed about the use of cookies on a site and are able to make an informed decision on whether they are happy for their information to be processed in this way. This is central to the ICO’s guidance and that issued by the Article 29 Working Party," they added.

Marc Dautlich of Pinsent Masons said: "Whilst this new guidance relates to the concept of 'consent' only in the context of cookies, web beacons and similar technology, it again highlights the lack of harmonisation that businesses face as a result of fundamental differences as to what one of the central data protection concepts means across the EU".

"Consent, and what exactly is meant by the term, is a key concept under data protection law. With reforms in this area imminent, businesses will be rightly concerned to see clearer evidence as to how the DPAs around Europe are going to ensure a level playing field when it comes to interpretation of critical concepts such as this one, and ensuing enforcement of that interpretation," he said.

The Working Party's new guidance suggests that, to ensure compliance throughout the EU, website operators must ensure visitors to their site are presented with a cookie consent mechanism on the first page they arrive at, rather than merely on the homepage for example.

The Working Party's guidance also does not draw a distinction between the different types of cookies that exist, such as those that are used to track users' online activity for the purposes of serving targeted advertising, as opposed to, for example, data analytics cookies used by websites to measure the number of users of their site and how they use it.

The ICO has previously said that it is "highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action".
