In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended. The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments. The implementation efforts that have occurred vary, suggesting that that there will be variations among national outcomes rather than an EU-wide approach.
But the 2009 revision of the ePrivacy Directive calls into question the well established practice of relying on browser settings to infer user consent. The revised article 5.3 replaces the “right to refuse” of the old article 5.3 with a “consent that has been obtained” — a language change that suggests that prior consent may be required. At the same time, however, the amending Directive contains a recital stating that “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” The contradiction between the strengthening of the consent requirement in section 5.3 of the revised Directive, on the one hand, and the reference to the traditional browser-consent in the recital, on the other hand, has caused uncertainty for businesses and national legislators.
Given this uncertainty, national outcomes are expected to diverge from one Member State to another. The below examples of (partial) implementation of the revised article 5.3 to date illustrate the difficulty of forecasting a possible EU wide outcome:
- Denmark: In February 2011, the Danish Ministry of Science, Technology and Innovation published a draft “Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.” In conjunction with the publication of the draft Order, the Telecommunications Authority launched a public consultation. Responses to the consultation heavily criticized the consent and information requirements in the draft order. The latter in particular are especially onerous. While the Order should have entered into force on May 25, 2011, it was decided to postpone the adoption of the Order until the consent issue has been clarified. Danish authorities hope to have the regulation adopted by the end of the year
- Germany: In early May, the Government presented its proposal for implementation of the new ePrivacy directive to Parliament. The proposal specifically states that the new cookie-rule is not included because of on-going discussions at the European level. Germany’s implementation of the new cookie rule will thus be delayed significantly.
- Netherlands: In April 2010, the Dutch Government prepared a draft law implementing the revised cookie-rule. The draft required an unambiguous consent. In the draft that was submitted to Parliament in November 2010, however, the Government had deleted the word unambiguous. The move from “unambiguous consent” to mere “consent” prompted the Dutch Data Protection Authority to address a letter to Parliament asking them to reinsert the original text referring to “unambiguous consent”. In a parliamentary report of February 2011, the Government indicated that most current browsers are not equipped to obtain an appropriate consent.
- Sweden: In May 2011, the Parliament voted in favour of the coalition government’s proposal implementing the new cookie law. The proposal is in line with the revised article 5.3 of the ePrivacy Directive and will enter into force on July 1 this year. The proposal was heavily objected to by industry and the opposition in Parliament; all sharing the view that the Swedish government has gone too far in its interpretation of the ePrivacy Directive. The new law states that information can only be collected from and/or stored on a user’s computer if such user (a) is informed about the purpose of processing the information and (b) consents to the proposed use.
In the few Member States that have amended their laws within the deadline set by the Directive (e.g., the UK), no one expects the new rules to have an immediate impact on companies’ practices. There is wide-spread agreement that the lack of clarity in the Directive (and the national laws) has not allowed companies to adequately prepare for change. In the UK, even the Data Protection Authority acknowledged that industry will need time to develop and implement new consent solutions. The European Commission in the meantime has indicated that it may take Member States that failed to implement the revised ePrivacy Directive on time or have implemented it incorrectly, to Court. Such procedures put pressure on Member States but have no immediate impact on industry.