Our May 26, 2011 blog post on the new European cookies rules introduced by the revised E-Privacy Directive marked the deadline for EEA Member States to implement the Directive into national law.  As of late August, only the UK, Denmark, Estonia, Finland, Ireland, Malta and Sweden have introduced laws fully implementing the amendments contained in the revised Directive.

The delay on the part of the remaining Member States comes as no surprise, given the significant confusion and controversy surrounding the E-Privacy Directive amendments requiring site user consent to the use of cookies on a user’s device.  We have previously considered (on 3 May and 11 May 2011) the apparent lack of guidance from European governments and regulators on implementation. The majority of Member States have indicated that full implementation into national laws can only be achieved when technical and industry-lead compliance solutions become available; that is expected to happen by year’s end.  As such, these Member States remain in the discussion and planning stages, working to better understand the practical implications of the new consent requirements.

Of the Member States with updated national laws already in place, the majority accept browser settings as a means of achieving valid consent (though current browser settings might be regarded as  inadequate, since they enable the acceptance of all cookies by default). 

Following its general approach to data privacy regulation, the UK has taken this more pragmatic view. It expressly states in the revised implementing legislation that consent may be indicated through appropriate browser settings.  Ireland’s approach, with its revised legislation stating that consent to cookies may be obtained via appropriate browser settings, is similar. (It explicitly emphasizes that “the methods of providing information and giving consent should be as user-friendly as possible”.)  Finland (Finnish language only) and Sweden (Swedish language only) also have taken this approach, with both countries’ regulatory guidelines noting that consent may be expressed though browser settings and should be practical for both users and online businesses.  The Danish revised legislation (draft version, in English), though pragmatic with respect to user consent (it requires an informed expression of consent, which guidance suggests includes browser settings and continued use of the site / services, provided this use is sufficiently informed), is more onerous in terms of requiring the site user to be provided with clear and readily accessible information on what the cookie collects, who sets it, the purposes of the cookie, how long information will be stored, and how to delete it.

In light of the delay by the majority of EEA Member States, the European Commission has recently commenced legal action against 20 Member States for failure to meet the 26 May 2011 implementation deadline.  The Commission’s latest steps are a meaningful reminder to Member States that, while the revised directive may be controversial, they cannot ignore their implementation obligations and that the revised E-Privacy Directive remains a high priority on the Commission’s Digital Agenda.  The action taken against the relevant Member States-Austria, Belgium, Bulgaria, Cyprus, Czech Republic, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Luxembourg, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia and Spain-- consists of a formal request to each Member State, asking them to explain their implementation strategy to the Commission by the end of September 2011.  If a Member States fails to reply, or the reply is judged to be inadequate, the Commission may require the Member State to implement the necessary legislation and commence proceedings against the state in the Court of Justice of the European Union. 

Who will implement next?

Many Member States have drafts of their national implementing legislation, in various stages of completion.  The Netherlands is close to establishing its revised national laws, which fall at the stricter end of the interpretation scale. The proposed amendments to the Dutch Telecommunications Law (Dutch language only) were approved by the Dutch Lower House at the end of June; they still require approval by the Dutch Upper House at its next sitting. These, too,  appear to take a narrower view of the revised E-Privacy Directive’s requirements in terms of cookies consents, by requiring Dutch online businesses to obtain unambiguous, prior informed consent for any cookies collecting personal data, or which pass personal data on to third parties, and to ensure they can ‘prove’ that they received the user’s permissions to use cookies. The accompanying explanation of the revised legislation states that consent via browsers which automatically accept all cookies will not be sufficient. The revised Dutch national law also explicitly classifies the use of cookies for behavioural advertising as personal data processing, bringing this specific use of cookies within the scope of the full Dutch data protection rules. 

Proposed implementing legislation in both France and Spain indicates an intention to refer to consent via browser settings, though with varying degrees of flexibility. Spain’s draft legislation (Spanish language only) amending the General Telecommunications Act currently requires users to take active steps to configure their browser settings to accept cookies, and, in doing so, to provide consent. Article 37 of France’s draft ordinance (French language only) requires specific prior information to be provided to the user before browser settings may be relied upon; the final text of the implementing ordinance is expected to be adopted by the end of September 2011 (following a public consultation on the current draft in May – July).   

Implementation in Germany remains an open issue - the German Federal Government initially decided not to propose any implementation steps at this stage, but after a competing Bill of the Federal Council, the Federal Government announced that it will prepare wording for the German Parliament as part of the general implementation of the European Telecoms Package.

At this stage, the picture of implementation that is emerging is far from harmonious.  Many European governments and regulators are hoping for significant further guidance from the European Commission.  Any such guidance would introduce a degree of consistency across Europe in terms of interpretation of the revised Directive, for those countries yet to finalise their national laws at least.  Further guidance may not come quickly enough, however, to rescue the large number of Europe-based and global businesses, and internet users, facing an already inconsistent patchwork of requirements for cookie consent and user information.  If the current de-harmonised pattern continues, we may begin to see a negative competitive effect for online businesses from those countries taking stricter approaches (particularly in significant online markets such as the Netherlands), as well as potentially greater investment into the development of non-cookie based technologies to monitor and track user behaviour (such as advanced URL rewriting and browser ‘fingerprint’ technology which consists of a combination of the IP address, browser configuration, user agent, installed plug-ins and a variety of other factors rendering each browsing session uniquely identifiable).