In 2014, the Czech Office for Personal Data Protection (the DPA) took part in a joint programme testing the use of cookies, organized by the Article 29 Data Protection Working Party (WP29) and involving the data protection authorities of six Member States and two European regulators; the ‘sweep’ covered the 478 most visited websites in Europe. The results were published at the beginning of February 2015 in the report “Cookie sweep combined analysis” – the full text is available here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp229_en.pdf, and an abridged version in Czech here.

The Czech DPA naturally concentrated on Czech websites in three areas: public sector (9), media (16) and e-shops (25) – 50 websites in all. The DPA looked primarily at so-called ‘third party cookies’, as opposed to the operator’s own cookies that are needed to deliver the basic functionality of the website (‘first party cookies’); in addition it recorded the period of validity of each cookie (minimal / temporary / session cookies) and the average and maximum validity of the cookies stored. The resulting analysis was reported to and reviewed by WP29, and its findings are summarized in the WP29 report.
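The sweep classified each cookie by party (first vs third) and by lifetime (session vs persistent), and aggregated the average and maximum validity. The following Python script, added here as an illustration and not the DPA’s or WP29’s own sweep tooling, performs that classification on Set-Cookie headers. The sample headers, host names (www.example.cz, ads.tracker-example.net) and the fixed reference date are constructed; the registrable-domain test is a deliberate simplification (last two labels, not the Public Suffix List).

```python
"""Classify cookies the way the WP29 sweep reported them: first vs third
party, session vs persistent, and the average / maximum lifetime of the
persistent ones.  Added illustration; not the DPA's sweep tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import mean
from typing import Optional

# Fixed reference time so that Expires-based lifetimes are deterministic
# (assumed; a live sweep would use the capture time).
NOW = datetime(2015, 2, 1, tzinfo=timezone.utc)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.  Simplification: fine for
    example.cz / example.com, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


@dataclass
class CookieInfo:
    name: str
    domain: str
    third_party: bool
    lifetime_days: Optional[float]  # None means a session cookie


def classify(set_cookie: str, page_host: str, response_host: str) -> CookieInfo:
    """Parse one Set-Cookie header value received from response_host while
    the user is visiting page_host, and classify it."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie is scoped to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    # Third party: the cookie's site differs from the site the user visited.
    third_party = registrable_domain(domain) != registrable_domain(page_host)
    lifetime = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - NOW).total_seconds() / 86400
    return CookieInfo(name, domain, third_party, lifetime)


def sweep_summary(headers, page_host: str) -> dict:
    """headers: list of (response_host, set_cookie_value) captured while
    loading page_host.  Returns the counts the sweep report tabulated."""
    infos = [classify(value, page_host, host) for host, value in headers]
    persistent = [c.lifetime_days for c in infos if c.lifetime_days is not None]
    return {
        "total": len(infos),
        "third_party": sum(c.third_party for c in infos),
        "session": sum(c.lifetime_days is None for c in infos),
        "avg_days": round(mean(persistent), 1) if persistent else 0.0,
        "max_days": round(max(persistent), 1) if persistent else 0.0,
    }


# Constructed sample: four Set-Cookie headers seen while loading www.example.cz.
SAMPLE_HEADERS = [
    ("www.example.cz", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.cz", "lang=cs; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net",
     "uid=xyz; Domain=.tracker-example.net; "
     "Expires=Wed, 01 Feb 2017 00:00:00 GMT; Path=/"),
    ("stats.example.cz", "_ga=GA1.2.1; Domain=.example.cz; Max-Age=63072000"),
]

if __name__ == "__main__":
    for host, value in SAMPLE_HEADERS:
        print(classify(value, "www.example.cz", host))
    print(sweep_summary(SAMPLE_HEADERS, "www.example.cz"))
```

On the constructed sample the script reports one session cookie, one third-party cookie, an average persistent lifetime of 497 days and a maximum of 731 days; the two-year tracker cookie from ads.tracker-example.net is the kind of third-party, long-lived cookie the sweep singled out.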

The DPA also collected data on what users were told about the function of cookies on these websites. The data confirmed the long-standing experience that information on the use of cookies is insufficient at best and, at worst, absent altogether. The DPA found relevant cookie information for users on only one fifth of the websites swept.

In this connection it may be useful to recall how cookies are regulated in the Czech Republic. The e-Privacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) allows service providers to use cookies or similar devices only if users are given clear and precise information about their purpose, so that users are aware of information being placed on the terminal equipment they use. Users must also have the opportunity to refuse to have a cookie or similar device stored on their equipment, and both the information and the offer to refuse or consent should be presented in as user-friendly a way as possible. Consent to data processing through cookies must be obtained before the cookies are stored on the user’s equipment (the so-called opt-in principle). The only exemption from the requirement of informed, revocable prior consent applies to cookies that are strictly necessary to provide the service itself, to deliver messages or to support the basic functionality of the website – the so-called ‘session cookies’. The obligation to inform, however, applies to all types of cookies without exception.

In the Czech Republic, however, the insufficient and incorrect transposition of the Directive by Act No. 127/2005 Coll., on Electronic Communications, has preserved the opposite approach, the so-called ‘opt-out’ principle, under which the user’s prior consent to the storage of cookies is neither required nor enforced. In practice this means that any cookie may be used without the user’s consent until this presumed consent is withdrawn by an explicit statement to the service provider. The obligation to inform does not apply to session cookies. Moreover, the Czech Electronic Communications Act does not treat breaches of the cookie rules (failure to inform users in advance of the extent and purpose for which cookies are used, or failure to let users opt out of such cookie-driven data processing) as an administrative tort – even though, under Czech law too, users are to be informed, before cookies are stored, in a clear and comprehensive manner about what data are collected (what data on their equipment will be accessed), why they are collected, and the users’ right to refuse the cookie.

It remains an open, and for now largely theoretical, question how, under what conditions and with what effect a competent data protection authority, a court or the European Commission could infer direct application of the e-Privacy Directive within the Czech legal framework. It is equally debatable how an interpretation of the Directive in conformity with EU law would enforce the obligation to inform and / or to obtain prior consent in respect of session cookies.

The existing Czech regulatory framework does not explicitly define cookies (or other technical identifiers) as personal data. Nevertheless, if cookies are used to collect information on an identified or identifiable natural person, and the service provider can, on the basis of the collected data alone or combined with other data available or accessible to him, identify a specific natural person, these ‘devices’ fall within the scope of personal data within the meaning of Act No. 101/2000 Coll., on Protection of Personal Data. In that case the cookies are subject to the provisions of that Act, including the requirement to obtain consent to the processing of the data collected and the related exceptions for processing without consent, and the service provider is considered a controller of personal data with all the associated obligations; needless to say, this reading is unpopular with most service providers.

Cookies also remain the subject of much debate in the negotiations on the draft Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation). At present cookies are mentioned only in Recital 24: “When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. Identification numbers, location data, online identifiers or other specific factors as such should not (…) be considered as personal data if they do not identify an individual or make an individual identifiable.” (wording as of 26 March 2015). Some Member States object even to this wording, so further changes in this area can be expected.