By: Heidi Salow | Erik Vollebregt
In November 2009, the European
Parliament amended the 2003 Privacy and Electronic Communications
("e-Privacy") Directive. These revisions have caused considerable
uncertainty about the obligations of companies that engage in e-commerce,
particularly with respect to "cookies." The new provisions were supposed to
have been implemented into national law by all EU member states no later
than May 25, 2011.
In terms of scope, the e-Privacy
Directive applies to the processing of personal data in connection with the
"provision of publicly available electronic communication services" within
the EU. Thus, there may be an argument that only telecommunications and
Internet service providers are covered. The amendments do not target
particular types of companies, however, but rather the use of public
communications networks for the purpose of providing services via such
networks to the public. For this reason, most commentators and EU
regulators such as the UK Information Commissioner's Office (UK ICO) have
interpreted the new rules to cover all websites that place cookies
(small text files sent by a website to a user's web browser that collect
information about the user's web usage) on computers located in
As for the types of technologies
covered, the provisions are aimed at cookies. They may also apply, however,
to other technologies used to store or access information on a user's
computer or other device, such as web beacons, advertisement tags,
of websites or used for online advertising.
Cookies and Consent
Among other things, the amended
e-Privacy Directive requires website operators to obtain consent from site
visitors before storing and retrieving "information" from
visitors' computers or otherwise gaining access to a computer located in
the EU. There are still questions about how the consent should be obtained.
EU Member State laws can - and are expected to - differ in terms of how
they implement the consent requirement. Thus, no one knows for sure how
this requirement will be implemented in all of the Member States.
For example, in some Member
States, consent may be implied by settings on a web browser, system or
particular software application. Other Member States, however, have already
indicated that implied consent is not sufficient. The EU's article 29
Working Party - an advisory body that interprets EU data protection laws -
has advised that users of cookies should "create prior opt-in mechanisms
requiring an affirmative action by the data subjects indicating their
willingness to receive cookies or similar devices and the subsequent
monitoring of their surfing behavior for the purposes of serving tailored
advertising." Many current browsers and websites clearly do not meet
the requirements of this standard.
The amended e-Privacy Directive
requires that the notice and consent options be made as user-friendly as
possible. Access to specific website content may still be conditioned on
the acceptance of a cookie, but only if clear and explicit notice is
provided and the cookie is used for a "legitimate purpose."
The e-Privacy Directive
article 5 required Member States to ensure that "the use of electronic
communications networks to store information or to gain access to
information stored in the terminal equipment of a subscriber or user is
only allowed on condition that the subscriber or user concerned is provided
with clear and comprehensive information in accordance with [the Data
Protection Directive] about the purposes of the processing, and is offered
the right to refuse such processing by the data controller...."
The amended Directive now states
that a cookie can be stored on a user's computer, or accessed from that
computer, only if the user "has given his or her consent, having been
provided with clear and comprehensive information." It still contains an
exception if the cookie is "strictly necessary" for the provision of a
service "explicitly requested" by the user. Thus, cookies can take a user
from a page listing goods or services for sale to an online checkout page
without the need for consent. Likewise, cookies needed for technical or
security reasons are still permitted without consent. Other types of
cookies - such as those used for advertising - will require prior consent.
The implications for cookies used by web analytics services to evaluate
anonymous clickstream data, such as Google Analytics, are less clear.
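The distinction drawn above (cookies "strictly necessary" for a service the user explicitly requested may be set without consent; analytics and advertising cookies need prior, affirmative opt-in that is not implied by browser defaults) expressed as a server-side consent gate. This is an added example, not code from the original alert; the cookie names, purposes and the "user-action" consent source are constructed assumptions.

```javascript
// Constructed cookie classification for this example. Each cookie is tagged with
// the purpose it serves and whether it is "strictly necessary" for a service the
// user explicitly requested (session, CSRF protection, checkout cart).
const COOKIE_POLICY = {
  sessionid:  { purpose: 'session',     strictlyNecessary: true },
  csrf_token: { purpose: 'security',    strictlyNecessary: true },
  cart:       { purpose: 'checkout',    strictlyNecessary: true },
  _ga:        { purpose: 'analytics',   strictlyNecessary: false },
  ad_profile: { purpose: 'advertising', strictlyNecessary: false },
};

class ConsentState {
  constructor() { this.optedIn = new Set(); }
  // Only an explicit, affirmative user action is recorded as consent; a browser
  // default or "implied" consent is rejected, matching the opt-in standard above.
  grant(purpose, source) {
    if (source !== 'user-action') {
      throw new Error(`consent for ${purpose} must come from an affirmative user action`);
    }
    this.optedIn.add(purpose);
  }
  has(purpose) { return this.optedIn.has(purpose); }
}

// Decide whether a cookie may be set for this visitor. Returns either
// { allowed: true, header } with a Set-Cookie header value, or
// { allowed: false, reason } so the caller can log why the cookie was withheld.
function setCookieIfPermitted(name, value, consent, policy = COOKIE_POLICY) {
  const entry = policy[name];
  if (!entry) {
    // Unclassified cookies are refused: classify them before use rather than
    // defaulting to "allowed".
    return { allowed: false, reason: 'unclassified cookie' };
  }
  if (!entry.strictlyNecessary && !consent.has(entry.purpose)) {
    return { allowed: false, reason: `no prior opt-in for ${entry.purpose}` };
  }
  const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
  if (entry.strictlyNecessary) attrs.push('HttpOnly'); // keep session/CSRF cookies away from scripts
  return { allowed: true, header: `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}` };
}
```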
Preliminary Cookie Guidance from
the United Kingdom
As of the date of this Alert,
only two Member States (Estonia and Denmark) have notified the European
Commission that they have fully implemented the amended Directive. The UK,
France, Slovenia, Luxembourg, Latvia and Lithuania have notified the
Commission that they have partially implemented the Directive. Meanwhile,
UK Information Commissioner Christopher Graham recently directed businesses
to get ready for the EU law on cookies, but gave a reprieve of one year
before the UK ICO will begin enforcing the new law.
How the UK Government Proposes
to Implement the Law
Phased implementation. The UK ICO has made it clear that industry is much
better placed than the ICO itself to develop appropriate technical solutions.
Therefore, it will not mandate a technical solution. Rather, the UK ICO
supports a phased implementation of the new rules so that meaningful
solutions can be developed. It will not take enforcement action against
engaged in development work on browsers or other technical solutions. It
will, however, take action against entities not taking steps to comply with
the new ICO regulations.
Enhanced Browser Settings. The UK ICO rejects the use of currently configured
browser settings, given the variety of web browsers that currently exist,
the lack of familiarity with such settings by most site visitors, and the increased
use of mobile devices to access the Internet. The UK ICO, however, does
support the development of enhanced browser software settings that will
this regard, the UK ICO pledges to work with browser setting manufacturers
to see if browser settings can be enhanced to meet the new opt-in consent
Some Cookies are Different than
Others. Recital 66 of the amended
necessary" for a service requested by a website visitor. The UK ICO
without consent to make a website more visually attractive or to collect
statistics about usage of the site.
Behavioral Advertising. The UK ICO supports the development of cross-industry
policies for the use of third-party cookies for behavioral advertising.
Websites hosted in the European
Economic Area (EEA) and data controllers established in the EEA will be
subject to the new Member State laws. Determining the applicability of EU
laws to entities not established in the EEA, however, is always a
complicated task. To further complicate matters, the amended e-Privacy
Directive does not contain an "applicable law" or jurisdiction-related
provision, but instead refers to article 4 of the 1995 EU Data Protection
Generally speaking, under article
4, EU data protection laws apply only if the processing of personal data
has sufficient nexus with an EEA territory, either because the data
controller has an "establishment" in the EEA or it uses data processing
equipment located in the EEA. The article 29 Working Party has emphasized
that EU data
protection laws apply even when the "data subjects" (individuals) in
question are not EU citizens or physically present in the EEA.
By way of example, on Dec. 16,
2010, the article 29 Working Party released an opinion regarding the
applicability of EU Directive 95/46/EC. This opinion identifies a number of
shortcomings in the current wording of article 4 and recommends changes to
such wording. The opinion suggests that the new wording take into account
new criteria, such as whether an entity's activities are "targeted" at
individuals in the EU. This new criterion would mean that if a data
controller collects personal data and offers goods or services explicitly
accessible or directed to EU residents, it would be more likely that an EU
regulator would exercise jurisdiction over that controller. Examples
include: 1) displaying information in one or more EU languages, 2)
delivering goods or services to physical addresses in EU countries, 3)
making goods or services available with the use of an EU credit card and 4)
sending advertisements in an EU language.
Despite this uncertainty, we can
expect that some Member State laws will apply the new provisions in the EU
e-Privacy Directive broadly. Thus, data controllers established in the EEA,
but that process personal data outside the EEA and data controllers
established outside the EEA, but that use "equipment" (including the
placement of cookies on end-user devices) located in the EEA, should plan
to comply with the new provisions.
Actions to Address the New 'Cookie Consent' Requirements
Although the specific treatment
of the new "cookie consent" by various national authorities will not be
understood for some time, if you operate a website located in the EEA and
your servers knowingly place cookies on computers and other devices in the
EEA, or if your site "targets" Europeans in some manner, here are some
potential actions you can take to lower the risk that you will be subject
to legal action under the new rules:
Let's Not Forget about Data
The revised e-Privacy Directive
establishes, for the first time in the EU, a mandatory personal data breach
notification framework. This framework applies only to providers of
publicly available electronic communications services (e.g., communications
and Internet access providers). However, the EU Commission has already
indicated that it will soon propose legislation that will cover the entire
scope of the providers regulated under the broader Data Protection
Directive (95/46/EC). Furthermore, recital 59 of the e-Privacy Directive
encourages EU member states, while new EU Commission rules are pending, to
apply the new data breach rules very liberally, "regardless of the sector,
or the type, of data concerned."
Under the new rules, providers
must notify - without undue delay - individuals and authorities when they
suffer a breach. Individuals must be notified if the breach is likely to
adversely affect their personal data or privacy.
Regardless of the potential harm, all data breaches must be reported to the
authorities. The notification should describe the nature of the breach,
list the provider's contact information and recommend measures to mitigate
possible adverse effects. The notification to the competent national
authority must also describe steps taken by the provider to address the
Notification of a personal data
breach to an individual is not required, however, if:
Both the scope of providers
covered by the reporting requirements and the appropriateness of the
technological protection measures are expected to diverge in implementation
by the various Member States, making the jurisdictional issues described
above very important because forum shopping may become an attractive option
until these concepts are further harmonized.