On 1 April last, The Irish Times reported on the results of its investigation, based on research compiled by Danish firm CookieBot, on the use of tracking technologies on the websites of state departments and agencies. The results of this research showed widespread and intensive use of such technology, including cookies, by almost all departmental and local authority websites. The results of the research caused a complaint to be lodged with the Office of the Data Protection Commission by e-privacy firm Castlebridge.
The “Cookie Law”
The General Data Protection Regulation (“GDPR”) strengthened the requirements for a valid “consent”. This is important because the Directive gave “consent” the meaning set out under the previous data protection legislation and, following the repeal of that legislation and its replacement with the GDPR, “consent” for the purposes of the Directive now bears the meaning under the GDPR.
The Directive v GDPR
The provisions of the Directive apply irrespective of whether the cookies collect any “personal data” or not. Clearly, however, there is an overlap between the scope of the Directive and data protection legislation. The Directive (supported by an opinion of the Article 29 Working Party (“WP29”)) provides that data protection laws will apply to the collection of personal data by cookies to the extent not specifically covered by the provisions of the Directive. The GDPR itself also addresses its interplay with the Directive in the same manner, stating, at Recital 173, that it applies to all matters concerning personal data not specifically covered by the Directive.
Nonetheless, the question often arose: to what extent was it possible to rely on another legal basis for processing personal data, as set out under the GDPR, when the processing of such personal data took place via cookies, such as the legitimate interests of the controller? Was the full scope of legal bases open to website users, or was consent (now strengthened under GDPR) the only possible ground? This has been put beyond doubt by the European Data Protection Board (the “EDPB”, being the successor to WP29) in its recent opinion on the interplay between the GDPR and the Directive (the “Opinion”).
In addition, other protections for personal data not trumped by specific provisions under the Directive continue to apply to personal data gathered by cookies, meaning that to the extent that a cookie processes personal data, that data is subject to all of the other protections offered by the GDPR, such as rights of access, erasure, etc.
Finally, although it was not addressed by the Opinion, the fact of the replacement of the old data protection legislation by the GDPR, and the consequent amendment of the meaning of “consent” under Article 2(f) to refer to the GDPR, leads to a conclusion that any type of cookie, whether collecting personal data or not, must only be used when the consent obtained meets the new definition of “consent” under the GDPR. This helps to explain the increased prominence of cookie banners and notices on websites post-25 May 2018.
Do as I Do, Not as I Say
Assuming the level of consent obtained meets legal requirements, the widespread use of tracking technologies on governmental websites does not, in and of itself, contravene any rules relating to the processing of personal data or the monitoring of website users. Nonetheless, it clearly undermines governmental efforts to protect personal data and promote online privacy as a concept. In terms of cookies specifically, the forthcoming European e-privacy regulation, intended to replace the Directive with an even more robust regime and complement/sit more comfortably alongside the provisions of the GDPR, may offer website users the greater transparency required in order to make informed and deliberate decisions around the data we allow the website to collect from us and from which it may profit. In the meantime, this investigation demonstrates that the state needs to promote online privacy, not just by its words, but by its actions.