Recently, new rules on cookies came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.
In a decision of 16 December, the French data protection authority (the “CNIL”) issued new recommendations with regards to the appropriate fashion in which businesses should implement the so-called “cookie consent law”.
For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. Last week, the ICO made it clear that reliance on implied consent would be an acceptable form of consent.
The Article 29 Working Party in the EU has thrown cold water on proposals by the OBA industry to avoid the literal application of the so-called Cookie Directive for specific opt-in consent to the placement of tracking cookies, whether personal data is tracked or not. In a letter sent in advance of a September meeting between the parties, the Working Party rejects a range of proposals from the OBA industry.