Prohibition of “Cookie Walls”. The Dutch Data Protection Authority issued an opinion stating that websites that block access for users who do not consent to the installation of cookies violate European data protection regulations. The opinion was published after the authority received many complaints, and it explained that tracking behavior on the web using cookies or similar technology is currently the most extensive personal data processing activity.
Since users do not have a free and equivalent alternative in which they can refuse to accept cookies and still have full access to content, the “cookie wall” practice forces users to consent to the use of their personal information for targeted advertising purposes. The consent obtained cannot therefore be considered free-will consent as required under Article 7(4) of the GDPR. The regulator issued letters to infringing organizations with instructions and declared its intention to increase enforcement on this matter in the near future.
GDPR Interplay with ePrivacy Directive. The European Data Protection Board (EDPB) published an opinion detailing the relationship between the GDPR and the ePrivacy directive, which have a different, but overlapping, material scope. The opinion reiterated the accepted principle of lex specialis derogat legi generali: special provisions prevail over general rules in the situations they specifically seek to regulate. An example of this is the overlap, on the issue of cookies that collect personal data, between Article 6 of the GDPR, which provides various lawful grounds for this processing, and Article 5(3) of the ePrivacy directive, which requires consent to be obtained from individuals before cookies are placed on their devices. The opinion states that Article 5(3) prevails as it is the more specific rule, and therefore consent must be obtained for the collection of personal data via cookies, instead of relying on one of the other lawful grounds for processing data under the GDPR. In addition, the opinion clarifies that Data Protection Authorities are authorized to act on ePrivacy matters only if the national laws of the relevant member state give them explicit enforcement powers.
UK Post-Brexit Regulations. Two regulations readying UK data protection law for a post-Brexit world have been promulgated in recent weeks. These regulations will only come into force upon the UK’s withdrawal from the EU. The regulations are intended to preserve the status quo post-Brexit by amending certain provisions of the GDPR to allow it to become UK domestic law and by gradually adopting certain key decisions of EU institutions that would, collectively, allow continued lawful personal data flows into the UK.
While much of the adaptation of the GDPR to UK law is semantic, some of it has the effect of imposing new requirements on entities that process personal data in the UK. The most notable example is Article 27 of the GDPR, which would require appointing a representative in the UK post-Brexit. The second set of regulations supplements the first set with respect to the EU-US Privacy Shield, and will require, in essence, that Privacy Shield-certified companies in the U.S. include in their privacy policies a commitment to comply with the Privacy Shield principles with respect to personal data that originated in the UK.