The European Commission adopted changes to the E-Privacy Directive on 26 October 2009. These changes include:
- the introduction of a duty on providers of electronic communications services to notify personal data breaches to the Information Commissioner's Office (ICO) and, in certain circumstances, the data subject; and
- the need for an effective and dissuasive enforcement regime.
Member States are required to implement these changes by May 2011. The Government launched its proposals for looking at these changes on 13 September 2010 as part of a wider consultation of the EU Electronic Communications Framework (which also includes revisions to the "Framework" Directive (2002/21/EC), the "Access" Directive (2002/19/EC), the "Authorisation" Directive (2002/20/EC) and the "Universal Service" Directive (2002/22/EC)).
Current law on cookies
"(a) ...clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) is given the opportunity to refuse the storage of or access to that information" (Regulation 6 (2)).
Proposed changes to the law on cookies
The amended Article 5(3) of the Directive reads as follows:
"Member States shall ensure that the storing or access to information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing."
Recital 66 to the amended Directive expressly states that:
"where it is technically possible and effective...the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".
It was hoped that the UK Government would seek to clarify this issue further in their proposed implementation of the new rules. However, the current proposal is that the Government will simply copy out the text of the amended Article 5(3) leaving the ICO the flexibility to adjust to changes in usage and technology. The consultation documents do make reference to Recital 66 and suggest that the Government is considering including appropriate elements of this in the implementing regulations.
The Government also acknowledges that the Directive states that consent is not required when the cookie is strictly necessary to deliver a service which has been explicitly requested by the user. When Bird & Bird attended the Government's early stakeholder events on this issue, it was suggested that this exception could be broadly interpreted: many websites are free to use only because they are supported by advertising, so if cookies are used in serving that advertising, it could be argued that the use of such cookies is strictly necessary for the delivery of such a website. However, as the Government plans to adopt the amended Article 5(3) as is, it is not clear whether such an argument could be safely relied upon without further amendments being made.
Personal data breach
The amended E-Privacy Directive has also introduced a new regime for notifying personal data breaches to the ICO. Further, the ICO may issue guidance on notification of data breaches and must be able to audit whether providers are complying with their obligations under the Directive, the details of which are set out in an amended Article 4 of the Directive. As with the cookie provisions, the Government's intention is to largely copy out the provisions in this Article.
Article 15a of the Directive requires that there must be effective sanctions on providers who do not comply with the Directive. The Government plans to ensure that the ICO is able to do this and is currently reviewing the existing enforcement regime with the ICO to determine its effectiveness. The Government's view is that certain elements of the regime could be more tailored to the electronic communications industry and in particular that there may be scope for a civil monetary penalty for certain breaches. The Government is seeking views as to how the provisions of the Directive could be better enforced.
Full details of the consultation can be found at www.bis.gov.uk/ecommsframework and responses are required by 3 December 2010. The Department for Business, Innovation and Skills will also organise a number of stakeholder events during the consultation period. We understand that the ICO will also consult separately where changes to its guidance are required in relation to implementation of the E-Privacy Directive.