On 1 April last, The Irish Times reported on the results of its investigation, based on research compiled by Danish firm CookieBot, on the use of tracking technologies on the websites of state departments and agencies. The results of this research showed widespread and intensive use of such technology, including cookies, by almost all departmental and local authority websites. The results of the research caused a complaint to be lodged with the Office of the Data Protection Commission by e-privacy firm Castlebridge.

This type of technology enables websites to gather information on website users that may then be used for commercial purposes by it/third parties, including preparing profiles of users for use in targeted advertising. Whilst the use of cookies is nothing new, it is the extent of the use of such technology by state and local authorities that has drawn the ire of privacy advocates.

With the complicated adtech industry ever evolving and becoming more sophisticated, the value attached to the industry increases by billions of dollars on a yearly basis. Neither the use of cookies, nor digital advertising technology, are going anywhere soon, and thus both website users and website owners should welcome more clarity and transparency around how these technologies are used to generate information, and money, from users’ data.

The “Cookie Law”

The ePrivacy Directive, dating from 2002 (the “Directive”) and as amended in 2009, was the first attempt to address matters of online privacy in Europe. Article 5 of the Directive introduced the concept of consent to the use of cookies on a website other than those that are strictly necessary for the delivery of a service requested by a user. Under the Directive, users must be provided with “clear and comprehensive information” about the purposes for the access to that data by the use of the tracker and give their consent to such use.

The General Data Protection Regulation (“GDPR”) strengthened the requirements for a valid “consent”, important as the Directive gave “consent” the meaning as set out under the previous data protection legislation and, following the repeal of that legislation and replacement with the GDPR, “consent” for the purposes of the Directive now bears the meaning under the GDPR.

The Directive v GDPR

The provisions of the Directive apply irrespective of whether the cookies collect any “personal data” or not. Clearly, however, there is an overlap between the scope of the Directive and data protection legislation. The Directive (supported by an opinion of the Article 29 Working Party (“WP29”) provides that data protection laws will apply to the collection of personal data by cookies to the extent not specifically covered by the provisions of the Directive. The GDPR itself also addresses its interplay with the Directive in the same manner, stating, at Recital 173, that it applies to all matters concerning personal data not specifically covered by the Directive.

Nonetheless, the question often arose: to what extent was it possible to rely on another legal basis for processing personal data, as set out under the GDPR, when the processing of such personal data took place via cookies, such as the legitimate interests of the controller? Was the full scope of legal bases open to website users, or was consent (now strengthened under GDPR) the only possible ground? This has been put beyond doubt by the European Data Protection Board (the “EDPB”, being the successor to WP29) in its recent opinion on the interplay between the GDPR and the Directive (the “Opinion”).

The Opinion

The Opinion notes that many processing activities can fall under the provisions of both the Directive and the GDPR, including the use of cookies. According to the EDPB, where a provision of the Directive provides more specific rules than the GDPR, these specific rules take precedence. This means that because the Directive requires prior consent of users to “the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a user” (i.e. cookies), this rule shall take precedence over Article 6 of the GDPR, thereby preventing reliance on any of the other grounds for processing personal data under that Article.

In addition, other protections for personal data not trumped by specific provisions under the Directive continue to apply to personal data gathered by cookies, meaning that to the extent that a cookie processes personal data, that data is subject to all of the other protections offered by the GDPR, such as rights of access, erasure, etc.

Finally, although it was not addressed by the Opinion, the fact of the replacement of the old data protection legislation by the GDPR, and the consequent amendment of the meaning of “consent” under Article 2(f) to refer to the GDPR, leads to a conclusion that any type of cookie, whether collecting personal data or not, must only be used when the consent obtained meets the new definition of “consent” under the GDPR. This helps to explain the increased prominence of cookie banners and notices on websites post-25 May 2018.

Do as I Do, Not as I Say

Assuming the level of consent obtained meets legal requirements, the widespread use of tracking technologies on governmental websites does not, in and of itself, contravene of any rules relating to the processing of personal data or the monitoring of website users. Nonetheless, it clearly undermines governmental efforts to protect personal data and promote online privacy as a concept. In terms of cookies specifically, the forthcoming European e-privacy regulation, intended to replace the Directive with an even more robust regime and complement/sit more comfortably alongside the provisions of the GDPR, may offer website users the greater transparency required in order to make informed and deliberate decisions around the data we allow the website to collect from us and from which it may profit. In the meantime, this investigation demonstrates that the state needs to promote online privacy, not just by its words, but by its actions.