In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended. The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments. The implementation efforts that have occurred vary, suggesting that that there will be variations among national outcomes rather than an EU-wide approach.
As background, the ePrivacy Directive regulates the use of “technology aimed at storing and accessing information on the user’s terminal equipment.” The 2002 Directive required that users (i) be informed about the use of such technology, and (ii) be offered the right to refuse it. This requirement, better known as “the cookie-rule” traditionally has been implemented through website privacy policies that inform visitors of the use of cookies and how they can refuse them through browser settings.
But the 2009 revision of the ePrivacy Directive calls into question the well established practice of relying on browser settings to infer user consent. The revised article 5.3 replaces the “right to refuse” of the old article 5.3 with a “consent that has been obtained” — a language change that suggests that prior consent may be required. At the same time, however, the amending Directive contains a recital stating that “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” The contradiction between the strengthening of the consent requirement in section 5.3 of the revised Directive, on the one hand, and the reference to the traditional browser-consent in the recital, on the other hand, has caused uncertainty for businesses and national legislators.
Given this uncertainty, national outcomes are expected to diverge from one Member State to another. The below examples of (partial) implementation of the revised article 5.3 to date illustrate the difficulty of forecasting a possible EU wide outcome:
- Denmark: In February 2011, the Danish Ministry of Science, Technology and Innovation published a draft “Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.” In conjunction with the publication of the draft Order, the Telecommunications Authority launched a public consultation. Responses to the consultation heavily criticized the consent and information requirements in the draft order. The latter in particular are especially onerous. While the Order should have entered into force on May 25, 2011, it was decided to postpone the adoption of the Order until the consent issue has been clarified. Danish authorities hope to have the regulation adopted by the end of the year
- France: In early May 2011, the French Government released a draft ordinance providing explicitly that consent for cookies can be obtained through browser settings. However, the “browser-consent” is only valid if the users have been informed in advance about the use of cookies. The French Data protection Authority (CNIL), responsible for enforcing the new rule, is expected to deliver an opinion.
- Germany: In early May, the Government presented its proposal for implementation of the new ePrivacy directive to Parliament. The proposal specifically states that the new cookie-rule is not included because of on-going discussions at the European level. Germany’s implementation of the new cookie rule will thus be delayed significantly.
- Netherlands: In April 2010, the Dutch Government prepared a draft law implementing the revised cookie-rule. The draft required an unambiguous consent. In the draft that was submitted to Parliament in November 2010, however, the Government had deleted the word unambiguous. The move from “unambiguous consent” to mere “consent” prompted the Dutch Data Protection Authority to address a letter to Parliament asking them to reinsert the original text referring to “unambiguous consent”. In a parliamentary report of February 2011, the Government indicated that most current browsers are not equipped to obtain an appropriate consent.
- Sweden: In May 2011, the Parliament voted in favour of the coalition government’s proposal implementing the new cookie law. The proposal is in line with the revised article 5.3 of the ePrivacy Directive and will enter into force on July 1 this year. The proposal was heavily objected to by industry and the opposition in Parliament; all sharing the view that the Swedish government has gone too far in its interpretation of the ePrivacy Directive. The new law states that information can only be collected from and/or stored on a user’s computer if such user (a) is informed about the purpose of processing the information and (b) consents to the proposed use.
- United Kingdom: On May 4, 2011, Parliament adopted the Privacy and Electronic Communications Regulation 2011. Consistent with the Directive, the Regulation amends the 2003 Regulation and replaces the “[user] is given the opportunity to refuse” by “[user] has given his or her consent.” At the same time, the Legislator introduced language into the Regulation providing that “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.” While the language of the Regulation clearly anticipates the acceptability of a browser-consent, the UK Information Commissioner’s Office (ICO) released an opinion on May 9, 2011, stating that: “At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. […] So, for now we are advising organizations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.” This position was confirmed in an open letter by the UK Minister of Culture, of May 23, 2011 which states that “[t]he UK implementing regulations text therefore does not allow for default browser settings as they currently stand to constitute consent.” Importantly, however, the Minister clearly rejects the idea of a prior consent, and accepts that some sort of consent can be obtained after the fact (i.e., after cookies have been posted).
In the few Member States that have amended their laws within the deadline set by the Directive (e.g., the UK), no one expects the new rules to have an immediate impact on companies’ practices. There is wide-spread agreement that the lack of clarity in the Directive (and the national laws) has not allowed companies to adequately prepare for change. In the UK, even the Data Protection Authority acknowledged that industry will need time to develop and implement new consent solutions. The European Commission in the meantime has indicated that it may take Member States that failed to implement the revised ePrivacy Directive on time or have implemented it incorrectly, to Court. Such procedures put pressure on Member States but have no immediate impact on industry.