This article sets out the background to the new rules and the latest legal position in five key EU jurisdictions: France, Germany, Italy, Spain and the UK.
Implementation is evidently causing headaches for local privacy regulators in these countries - even in the UK, which managed to implement the revised requirements on time, the regulator has made clear that it does not expect businesses to become compliant overnight.
What are the EU's new requirements?
There is an exception to the new requirements where the storage of or access to information is either (1) for the sole purpose of carrying out a transmission of a communication over a network, or (2) strictly necessary in order for the provider of a service expressly requested by the end-user to provide that service. The "strictly necessary" exception is likely to be construed narrowly, but should cover, for example, the use of a cookie to remember the contents of a customer's on-line shopping basket when the customer clicks through to the check-out or payment page.
The revised EPD does not modify the choice of law rules under Directive 95/46/EC, and in particular the rules for determining when European data protection law applies to non-EU websites.
Situation of implementation at the national level
The UK implemented the new law on time, but the ICO (the UK's privacy regulator) has said it will not take any enforcement action until May 2012 at the earliest.
For now, cookie users in the UK should therefore consider other methods of obtaining consent, such as pop-up pages, tick-box acceptance or other mechanisms. The ICO has advised businesses to go through the following three-step process:
- Check what types of cookies you currently use and how.
- Decide the best way to obtain users' consent for your particular circumstances.
Businesses frustrated by the lack of definitive guidance can take some comfort from the fact that the ICO has allowed a year-long "lead in" period: it will not take any enforcement action under the new rules until May 2012 at the earliest. The ICO may also issue further guidance in future as possible technical solutions are evaluated and developed.
As at the implementation date, the relevant French amending legislation or "Ordinance" had still not officially been issued. However, an advance draft was circulated for public consultation.
The advance draft says that end-users should receive clear and full prior information on (1) the installation of and/or access to cookies, as well as (2) the means to object to such installation and/or access. This is a reiteration of existing law. More importantly, however, the advance draft indicates that user consent is necessary, but that user consent can be validly expressed by the settings of the end-user's internet browser.
However, pending publication of the official Ordinance, the position may change (including after the outcome of a public consultation which began in May 2011, and the receipt of comments from the French privacy regulator).
For now, it seems that the most appropriate approach to take in France is:
- consider providing information and requesting consent on a one-off basis upon the user's first connection to the website. If, as it seems, the French government decides to allow service providers to rely on browser settings as a form of consent, the one-off approach is likely to be regarded as a sufficient means of providing information and procuring consent.
Implementation is late in Germany too. The relevant legislation is currently going through a parliamentary approval process. It is unclear when this process will end.
- to inform the user if cookies collecting personal information, or even pseudonymised information, are used;
- to require prior, express consent for the use of permanent cookies; and
- to allow the use of session cookies without user consent if they are necessary for providing the online service.
This current approach seems to be in line with the new EPD. So it may well be that there is no change to German law in the short to medium term.
In Italy, amending legislation has not been issued. Implementation is unlikely until the end of July 2011 at the earliest. Italian law requires that the Italian privacy regulator (the Garante) is consulted on the changes to the EPD: the Garante's opinion may well have an impact on how the new law is implemented in Italy.
Businesses should keep an eye on the evolution of the Italian implementing legislation. It is also likely that the Italian privacy regulator will at some point issue technical guidelines on the amended EPD.
The EPD is going to be implemented in Spain by a law which modifies Law 32/2003 on Telecommunications. The relevant bill was discussed by the Spanish Council of Ministers and was presented on 13 May 2011 to the Spanish Congress of Deputies for discussion as the final step prior to its approval. However, the implementation date is as yet uncertain.
Given the uncertain position, website operators in Spain may well be best advised to follow existing Spanish law on this issue which in summary provides that:
- when a service provider employs cookies, it must inform recipients of their existence and the purposes for which cookies are used; and