The Department for Business Innovation and Skills has recently launched its proposals for implementing the revisions to the E-Privacy Directive (2002/58/EC) as part of a wider consultation on the EU Electronic Communications Framework. In particular, these proposals consider the controversial amendments to the law on the use of cookies as well as the laws on personal data breach notification. Bird & Bird plans to hold a workshop on these issues in the near future to prepare a response to the consultation on behalf of clients.


The European Commission adopted changes to the E-Privacy Directive on 26 October 2009. These changes include:

  • a change in the requirement for storing information on a subscriber's or user's equipment from a "right to refuse" to obtaining consent, which will affect websites that use cookies;
  • the introduction of a duty on providers of electronic communications services to notify personal data breaches to the Information Commissioner's Office (ICO) and in certain circumstances, the data subject; and
  • the need for an effective and dissuasive enforcement regime.  

Member States are required to implement these changes by May 2011. The Government launched its proposals for looking at these changes on 13 September 2010 as part of a wider consultation on the EU Electronic Communications Framework (which also includes revisions to the "Framework" Directive (2002/21/EC), the "Access" Directive (2002/19/EC), the "Authorisation" Directive (2002/20/EC) and the "Universal Service" Directive (2002/22/EC)).

Current law on cookies

The existing E-Privacy Directive has largely been transposed in the UK in the Privacy and Electronic Communications (EC Directive) Regulations 2003. Under these Regulations, it is currently acceptable for website providers to use cookies for legitimate purposes if the user of the website is provided with:

"(a) ...clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) is given the opportunity to refuse the storage of or access to that information" (Regulation 6(2)).

To date, businesses have tended to interpret this language to mean that it is acceptable to allow users the right to refuse the placement of a cookie "after" the delivery of the cookie. It has also become acceptable practice to provide the necessary information in the privacy policy on the website, with users directed to sites which explain how they may be able to disable or reject cookies.

Proposed changes to the law on cookies

However, the rules under the new Directive differ from the old ones as they suggest that users will now be required to provide consent to the use of cookies.

The amended Article 5(3) of the Directive reads as follows:

"Member States shall ensure that the storing or access to information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing."

This new wording has caused considerable controversy among website advertisers, publishers and other online organisations which use cookies on a regular basis, because it is uncertain how such organisations can legitimately obtain that consent.

Recital 66 to the amended Directive expressly states that:

"where it is technically possible and effective...the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".

On the face of it, this recital seems to provide a practical solution to the issue but the Article 29 Working Party has already expressed its view that opt-in consent will be required for the use of cookies and that this Recital can only suffice in limited circumstances.

It was hoped that the UK Government would seek to clarify this issue further in their proposed implementation of the new rules. However, the current proposal is that the Government will simply copy out the text of the amended Article 5(3) leaving the ICO the flexibility to adjust to changes in usage and technology. The consultation documents do make reference to Recital 66 and suggest that the Government is considering including appropriate elements of this in the implementing regulations.

The Government also acknowledges that the Directive does state that consent is not required when the cookie is strictly necessary to deliver a service which has been explicitly requested by the user. When Bird & Bird attended the Government's early stakeholder events on this issue, it was suggested that this exception could be broadly interpreted on the grounds that many websites are free to use only because they are supported by advertising and therefore, if cookies are used in the serving of that advertising, it could be argued that the use of such cookies is strictly necessary for the delivery of the website. However, as the Government plans to adopt the amended Article 5(3) as is, it is not clear whether such an argument could be safely relied upon without further amendments being made.

The consultation documents are therefore seeking the public's views on the Government's proposed approach. These changes are likely to be significant because, if businesses are required to ask permission before they can use cookies, there is a risk that the user experience will be impacted and businesses may suffer economic losses where users refuse them permission to serve targeted adverts. There will also be a cost impact to businesses to provide users with information about cookies and how to manage them.

Personal data breach

The amended E-Privacy Directive has also introduced a new regime for notifying personal data breaches to the ICO. Further, the ICO may issue guidance on notification of data breaches and must be able to audit whether providers are complying with their obligations under the Directive, the details of which are set out in an amended Article 4 of the Directive. As with the cookie provisions, the Government's intention is to largely copy out the provisions in this Article.

Effective sanctions

Article 15a of the Directive requires that there must be effective sanctions on providers who do not comply with the Directive. The Government plans to ensure that the ICO is able to do this and is currently reviewing the existing enforcement regime with the ICO to determine its effectiveness. The Government's view is that certain elements of the regime could be more tailored to the electronic communications industry and in particular that there may be scope for a civil monetary penalty for certain breaches. The Government is seeking views as to how the provisions of the Directive could be better enforced.  

Full details of the consultation can be found at and responses are required by 3 December 2010. The Department for Business Innovation and Skills will also organise a number of stakeholder events during the consultation period. We understand that the ICO will also consult separately where changes to its guidance are required in relation to implementation of the E-Privacy Directive.