Article 29 Working Party Rebuffs European OBA Industry... Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.

What Went Wrong

Much of the opinion is dedicated to describing what elements of the self-regulatory proposal, in the opinion of the Working Party, violate EU law, particularly in the areas of notice, choice, and data retention. Though some of these criticisms are not new, the Working Party crystallized its viewpoints on the issue, including the following.

(1)    An icon accompanying targeted ads that is linked to the information website www.youronlinechoices.eu does not provide adequate notice. 

In its June 2010 OBA opinion, the Working Party cited the use of contextual icons attached to ads that can be clicked to learn about cookies and express preferences as an example “which the Working Party finds both positive and necessary.” The current opinion, however, made clear that icons are not sufficient to provide notice because consumers today don’t know what they mean. That said, the Working Party recognized the usefulness of icons as a means to complement other forms of notice, but only after the user has provided consent to process data for OBA purposes (or if used to direct the user to a more fulsome mechanism to obtain consent). In that context, the Working Party suggested that the word “advertising” alongside the icon is not sufficient even to inform users that the ad uses cookies for OBA purposes, and stated “at minimum” the language should include the phrase “personalized advertising.”

The Working Party also took the opportunity to reiterate its position from its 2010 OBA opinion that at minimum, notice for OBA should include:

  • what entity is responsible for serving the cookie and collecting the related information;
  • that the cookie will be used to create profiles;
  • what type of information will be collected to build such profiles;
  • the fact that the profiles will be used to deliver targeted advertising; and
  • the fact that the cookie will enable the user’s identification across multiple websites.

(2)    The use of an opt-out cookie is not sufficient to provide consent.

The industry proposal would permit consumers who visit the www.youronlinechoices.eu website to download an opt-out cookie to record their refusal to participate in OBA. In addition to criticizing the proposal for not following an opt-in approach, the Working Party noted other aspects of the opt-out system that it believed violated EU law, including that:

  • “it has been demonstrated that” ad networks continue to collect information from users’ computers even after the opt-out cookie is downloaded;
  • the approach does not offer the possibility of managing and deleting previously installed tracking cookies; and
  • the www.youronlinechoices.eu website itself contains links to a number of JavaScript functions that collect personal data (such as IP addresses) without consent.

(3)    The notice to users lacks necessary provisions on the scope of data collection and data retention.

The Working Party took the position that notice to users about OBA must disclose how much data is collected by the different advertising networks, how long it is stored, and for what purposes it is processed. At minimum, the notice should address the period during which consent can be considered valid, and after which data must then be deleted.

What Went Right

The Working Party did commend the industry proposal in a couple areas. It noted the proposal’s “interesting approaches” on how to make consent mechanisms more effective, such as industry’s commitment to engaging in educational initiatives to inform individuals and businesses about OBA. The opinion also, unsurprisingly, welcomed the proposal’s principle that a user’s explicit consent is required prior to creating or targeting OBA segments that make use of sensitive data (i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life).

Suggestions for Consent

One of the most frequent complaints about the Working Party’s position on OBA has been that by requiring opt-in consent for targeted advertisements, users will be subjected to countless pop-up requests whenever a website wishes to place a cookie. The Working Party opinion attempted to dispel this notion by proposing a number of alternatives to or ways to mitigate the annoyance of pop-ups, including:

  • An opt-in cookie approach: Under such an approach, the first time a user visits a website served by an ad network, the ad network can display a message on the page prompting the user for consent to participate in OBA (the Working Party suggests that this message can be where the ad normally would appear). If the user then opts in, he or she can receive targeted advertising on all websites associated with that ad network without having to be prompted again for consent. If the user declines, the ad network should place an opt-out cookie.
  • A static information banner on the top of a website: Such a banner, like the one present on the website of the UK Information Commissioner Office, would request the user’s consent to set cookies, with a hyperlink to a privacy policy containing a full notice.
  • A splash screen upon entering a website: Users would be presented with the option to consent before entering the website, such as when breweries require users to confirm they are of age before they enter the site.
  • Click-to-consent: The Working Party singled out the method used by the German e-zine Heise that defaults a button associated with cookies to light grey. Only once the user clicks on and “activates” the button will the cookie be placed and the third party be able to send and receive user data. This process, however, would need to be transparent to users.
  • Browser plug-ins: Though the Working Party repeatedly has said that browser settings permitting users to opt out of cookies are not sufficient to provide informed consent, it would support default opt-out browser settings accompanied by ad network plug-ins and extensions through which users would indicate their wish to opt in to online tracking. Interestingly, this is the polar opposite of the opt-out browser plug-ins available today, which assume tracking as the default and permit users to opt out of OBA.
  • Where a website uses several ad providers, group together all necessary consent requests in one presentation: This would eliminate the need for users to confront multiple, serial pop-ups. As an example, the Working Party cited the interface on www.youronlinechoices.eu, which provides a single interface to permit users to opt out of multiple ad networks.
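A consent-gated ad slot built on the opt-in cookie and click-to-activate approaches just listed, as an added example that is not from the opinion, from Heise or from any ad network; the cookie name oba_consent, the tag URL and the exempt cookie names are assumptions, and the "network" is a recording stub so the code runs under Node without a browser.

```javascript
// Consent-gated ad slot (added example; names and URL are assumed, not from the page).
// Cookie strings follow document.cookie format ("a=1; b=2").

const CONSENT_COOKIE = "oba_consent";                // assumed cookie name
const TAG_URL = "https://adnetwork.example/oba.js";  // placeholder third-party tag

// Parse a document.cookie-style string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Cookies needed to deliver the service the user asked for (session, basket,
// security) are exempt from consent, though notice is still owed; anything
// used for profiling is not exempt. Prefixes are assumed for the example.
const EXEMPT_PREFIXES = ["session", "basket", "csrf"];
function requiresConsent(cookieName) {
  return !EXEMPT_PREFIXES.some((prefix) => cookieName.startsWith(prefix));
}

// Decide what the slot does at render time from the consent record alone.
function adSlotState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (value === "granted") return "targeted";    // opt-in recorded: no new prompt
  if (value === "refused") return "contextual";  // opt-out cookie: untargeted ad, no tag
  return "prompt";                               // first visit: ask where the ad would sit
}

// Serialise the consent record. Max-Age bounds the period for which the
// consent is treated as valid, which the opinion says the notice must state.
function consentCookie(granted, maxAgeDays) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  const value = granted ? "granted" : "refused";
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// The slot itself. The third-party tag is fetched only after an affirmative
// click on the greyed-out button; until then nothing leaves the page.
class ConsentGatedSlot {
  constructor(cookieString, loader) {
    this.loader = loader || (() => {});  // in a browser: append a <script> element
    this.requests = [];                  // every outbound tag request, for inspection
    this.state = adSlotState(cookieString);
    this.button = this.state === "prompt" ? "grey" : "hidden";
    if (this.state === "targeted") this.loadTag();
  }
  loadTag() {
    this.requests.push(TAG_URL);
    this.loader(TAG_URL);
  }
  // User clicked the grey button: record opt-in, then let the network load.
  activate() {
    if (this.state !== "prompt") return null;
    this.state = "targeted";
    this.button = "active";
    this.loadTag();
    return consentCookie(true, 365);
  }
  // User declined: place an opt-out cookie so no network site prompts again.
  decline() {
    if (this.state !== "prompt") return null;
    this.state = "contextual";
    this.button = "hidden";
    return consentCookie(false, 365);
  }
}
```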

The Working Party also noted that EU law does not require informed consent for certain cookies necessary to facilitate the user’s requested services, such as session cookies, shopping basket cookies, and security cookies (though notice is required before placing these cookies). Therefore, no additional consent mechanisms are required to place these cookies.


Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming.  The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated).  Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation.  The fact that the instrument is fashioned as a regulation is significant. Under EU law, regulations have binding legal force as soon as they are passed, whereas directives must be enacted into law by each individual EU Member State.   A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations. 

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

  • The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
  • The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
  • Each data controller or processor only will be subject to the enforcement jurisdiction of the one data protection authority (DPA) of the Member State in which the organization has its “main establishment,” which is where the organization’s “central administration” in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
  • DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each others’ decisions. Rules are provided for joint operations and operations by one Member State within another Member State’s territory.
  • To ensure consistent application of the directive, the Article 29 Working Party would be updated to an independent “European Data Protection Board” that, in addition to its current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

  • To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
  • Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
  • The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
  • The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

  • Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in the obligation to notify the data protection authority).  Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
  • Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
  • Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
  • Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
  • The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

  • Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
  • The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to take at least a couple of years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

Geolocation services: a five country survey

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong.  Privacy laws in each jurisdiction differ, including on the definition of "personal data," and on the degree of user consent that is required.  The article also examines the WP Art. 29 opinion 13/2011 on "Geolocation services on smart mobile devices."  See the full article here

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th,  France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are  limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches.    All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) of any data security breach.  A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request. 

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the reactivity and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to 5 years in prison and a three hundred thousand euro (300,000 €) fine. The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regards to the fine, it should be noted that the maximum sanction for companies is multiplied by five (5), thus bringing the maximum sanction to up to one and a half million euro (1,500,000 €).

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee. 

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.

Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to the Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. The Article 29 Working Party pointed to the 2010 opinion of the Advocate General in a case involving agricultural funds in Europe, in which the Advocate General held that a broad consent in the fund’s terms and conditions was not sufficiently precise to conclude that the beneficiary of the fund had given unambiguous consent to the publication of his or her name.

Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. The Article 29 Working Party heavily relies on the notion of "indication" of the data subject's wishes, which is featured in the definition of consent laid out by the 1995 Directive, to conclude that positive action would be required to demonstrate consent.  Consequently the sending of an e-mail to a consumer informing him or her of changes to the privacy policy or stating that the processing of his/her data will be undertaken unless he/she objects within a defined period of time would not be sufficient to constitute the consumer’s consent to the new policy or the contemplated processing. The consent would have to be evidenced by an affirmative clicking of a box or any other relevant positive act. Similarly, the Article 29 Working Party states that browser settings in themselves cannot constitute valid consent. This raises questions in the context of the new European rules requiring prior consent to cookies. Some Member States are studying the extent to which browser settings can be used as a manifestation of prior consent to cookies.

The guidelines helpfully remind us also that consent can, in some cases, be implicit. For example, if an online merchant asks a consumer to provide personal information and the consumer provides it, the consumer will have implicitly consented to the merchant’s use of that information in order to process orders and deliver the goods and services ordered by the consumer. There is no need for a separate consent because the purpose for which the consumer provided the information is obviously to permit the merchant to provide the online goods and services and such processing is therefore reasonably expected by the consumer. On the other hand, if the merchant wishes to use the data for another purpose, such as selling behavioural advertising, a separate specific consent would be needed. 

From a general and practical standpoint, implementing the rules as foreseen by the Article 29 Working Party will, in many instances, require companies to initiate a complete review of the conditions under which they use consent to evaluate whether other grounds are available to legitimize their processes and whether consents they have obtained present a sufficient level of granularity to provide accurate and satisfactory information for data subjects. For online service providers, European requirements for consent will lead necessarily to multiple pop-up windows and separate check-the-box consent options. The more granular and affirmative each consent is, the more likely it is to be valid. On the other hand, grouping all data protection consents together in the terms of use is likely to prove risky in light of the Article 29 Working Party guidelines and applicable case law.

Court Finds NebuAd Users Gave Valid Consent to Monitoring

In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great.  In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users' terminals to track behavior.  Why should network operators be held to a different standard than advertising networks at the edge of the network? 

Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out?  In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice.  The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users' consent.  For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place.

One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic.  Users brought a class action for illegal interceptions and invasion of privacy.  On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator's use of NebuAd monitoring technology.  The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose."  It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator's website.

The court held that user consent adequately covered the monitoring activities, but that the consent may not have been sufficiently broad to cover alleged modifications made to users' computer settings by the cookies sent by the NebuAd appliance.  The court therefore allowed these issues to go to trial, while dismissing most of the other claims against the network operator.

The NebuAd case focuses the debate on whether valid consent was given or not.  In France there are debates about whether ISPs may in some circumstances block certain kinds of content.  Staunch net neutrality advocates argue that operators should under no circumstances be allowed to monitor, slow or block certain content, unless they are ordered to do so by a court.  But in fact there are other circumstances where operators can legitimately monitor traffic: reasonable network management of course, but also cases where the user has unambiguously consented.  If adequate consent is given, operators could install tools to limit access to certain content, or even propose discounted Internet subscriptions for users who accept to be monitored for targeted advertising purposes. In Europe, this kind of regime already exists for location based services provided by mobile operators: operators are allowed to use precise location information generated by their network to provide value-added services to subscribers, as long as the subscribers consent in advance and have an easy way to opt out.

In the context of the current focus on improvements to privacy protection, adequate safeguards need to be put in place to ensure that the tools installed by operators are not misused, and do not collect or store any more data than is necessary.  Data minimisation and anonymisation are key, and can be achieved through privacy by design. 

The NebuAd case confirms that there need not be any distinction between a network operator and a service provider at the edge of the network providing targeted advertising. In both cases, there exist potential privacy risks for the user. The key issue is what kind of consent is sufficient for these potentially invasive monitoring tools to be used, and what kind of privacy protections should be integrated into the technology through privacy by design.

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”  But it is not quite as clear-cut as that quote suggests.  The consent requirement relates to cookies that collect personal data, an important qualification, and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but implies any other new technology that could be used to track users’ behavior using their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting, suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.