UK Issues Guidance on Obtaining Consent for the Use of Cookies

Quentin Archer in the Hogan Lovells London office prepared this entry.  

Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.

In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.

But how can consent be given? The Directive suggests in a recital that browser settings may be used, but does not mandate this, and largely leaves the question of the method of obtaining consent up to Member States. In recent months there has appeared to be a degree of brinkmanship amongst EU regulators, with everyone wanting to see how others would achieve implementation in practice. The UK regulations published last week (snappily titled the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) state that consent may be signified by browser settings, but the problem is that at present most browser settings are not sophisticated enough to allow a website owner to ensure that consent has been given.

In his guidance the Information Commissioner says that it is the responsibility of the website owner to determine how consent will be achieved. He expects owners to review cookie use. Some cookies may be “strictly necessary” for the receipt of a service being provided by means of a website, so will not require specific consent. Some will not intrude on the user’s privacy, so while they may fall under the terms of the new law they may not deserve priority attention. Potentially intrusive cookies should be examined to determine whether they are really necessary for the business of the website owner and, if they are, plans should be drawn up for obtaining the necessary consent from each user.

If browser settings cannot be used, then the website might be modified so that a pop-up window with a tick-box appears the first time a cookie is used, although the Commissioner recognises that this could be irritating. As an alternative, terms and conditions could be changed, allowing a whole set of cookies to be accepted at the same time, but there would need to be clear information provided to the user as well as a clear mode of giving consent – previous consent to future changes (e.g. the ubiquitous provisions allowing website owners to make changes to their terms from time to time) would not be enough. Other times for obtaining consent are where the user is setting up preferences for use of a site, or selecting features that he or she wishes to enjoy.

Nothing more specific than this is likely to emerge in the short term. The Commissioner says that he will be keeping the situation under review and will consider issuing more detailed advice, if appropriate, in the future. His message to website owners is that “we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”

The Commissioner has not yet published his guidance on enforcement of the new law, but his current policy is clear. If an organisation has considered the new law and has drawn up a realistic plan to achieve compliance then it will be treated with much more leniency in the event of a complaint than an organisation which (for whatever reason) has done nothing.

There are other changes coming on 26 May in the UK, some of which are caused by amendments to existing EU Directives. The Commissioner’s powers to serve monetary penalties of up to £500,000 are extended to cover direct marketing activities. The Commissioner will be able to require telecommunications companies and ISPs to provide him with information that he needs to investigate breaches of the Privacy and Electronic Communications Regulations. The same bodies will also be required to notify the Commissioner and their customers in certain circumstances when a data breach occurs (the first time such notification has been compulsory in the UK). But it’s cookies which continue to grab the headlines.

ICO Issues First Monetary Penalties for Serious Data Breaches

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO following the introduction of the new monetary penalties in April this year, and the cases will attract huge attention as a result. The ICO has the power to impose fines of up to £500,000 for serious breaches of the Data Protection Act, but until now no major fines have been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that:

a) there has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and

b) the contravention was of a kind likely to cause substantial damage or substantial distress; and either

c) the contravention was deliberate; or

d) the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.


The focus of the consultation is whether the current sanctions available to the ICO are sufficient. Last month we reported on the government’s consultation on possible prison sentences for serious breaches of the DPA, and this latest consultation builds on the same theme. The current maximum financial penalty the ICO can impose against a data controller for data breaches is £5,000, which is fairly negligible and seriously undermines the ICO’s authority. Other regulators, such as the FSA, have much greater powers and may impose severe penalties of up to 10% of an organisation’s turnover; the disparity in approach is obvious. The government’s aim, therefore, is to increase the monetary penalties available to the ICO, so as to increase compliance with the DPA as well as public confidence in the system. It is noted that incidents of data loss and other serious breaches of the DPA are increasing, yet the ICO has limited powers to address the problem.

The question posed by the consultation is very simple: “Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?” We might predict a resounding ‘yes’ to this, but must wait and see. We do know, however, that, because of the likely administrative burden, the ICO has already rejected an assessment of penalties based on a data controller’s turnover, so a fixed maximum penalty of up to £500,000 (or possibly a different sum) will be adopted.

Further details of the consultation and the proposed introduction of the maximum civil monetary penalty for serious breaches of the DPA can be accessed through the Ministry of Justice website. The link also includes the ICO’s draft guidance on the criteria and circumstances it will consider when using civil monetary penalties. As a rough guide, the seriousness of the breach and whether it was deliberate or not, will be important factors, as is the prospect of substantial damage and distress caused, or likely to be caused.

New Notification Fee for Data Controllers in the UK

The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations.  This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.

Notification is the process by which data controllers register with the ICO.  It is a mandatory requirement for organizations which process personal information in the UK.  

The new £500 per annum fee will apply to a higher tier of:

• data controllers in the private sector with a turnover of £25.9 million or more and 250 or more members of staff; and

• data controllers in the public sector with 250 or more members of staff.

The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category.  The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.

The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations.   An interesting comment, which should be noted by data controllers.