
E-Privacy and Cookies: Legal Aspects


alva

Presentation Transcript


  1. E-Privacy and Cookies: Legal Aspects

  2. E-Privacy Directive • 2002/58, amended by 136/2009 • Main amendments focus on DBN (security) and confidentiality of communications / unsolicited communications (5.3 and 13) • Emphasis on user empowerment, choice

  3. E-Privacy directive: Transposition • Patchy transposition (all MS: January 13) • “Cookie rule” (5.3) major point of discussion (confidentiality of communications) • National divergences 1) on interpretation of “consent” for the purposes of 5.3 (not only) AND 2) on the (technical) implementation of “consent”

  4. Cookies • “A short alphanumeric text which is stored (and later retrieved) on the data subject’s terminal equipment by a network provider” (WP29’s Opinion 2/2010 on Online Behavioural Advertising) • Cookies may or may not contain personal information (IP Address, …) • This is irrelevant for the purpose of applying Article 5.3, which only refers to storage or retrieval of “INFORMATION” in the terminal equipment of a subscriber or user

  5. Cookies – 2002/58 + 95/46 • However, if the information contained in a cookie includes personal data, then all the principles of directive 95/46 are also applicable • So there is an interplay between the “consent” rule of 5.3 in directive 2002/58 (lex specialis) and directive 95/46 (lex generalis): that is to say, the rules on consent are those set out in directive 95/46 except where they are overridden by the “lex specialis” contained in directive 2002/58 (here: Article 5.3)

  6. Cookies and Consent • Article 5.3 requires that storage of or access to any “information” (including cookies) in the subscriber’s/user’s terminal equipment be subject to prior informed consent (= before cookies are set) • “Prior”: “has given… consent, having been provided…” (see also Recital 66) • “Informed”: “… with clear and comprehensive information”

  7. What Consent? • Article 5.3 of 2002/58 (lex specialis) sets out the specific requirements of prior informed consent for cookies • BUT this “consent” is in no way different from the “consent” of directive 95/46 (Article 2.h + Article 7) → see also Article 2 of 2002/58 • Specific (and informed) • Freely given • Unambiguously given

  8. Consent: Specific • Consequences 5.3: • No blanket consent • Purpose specification and limitation • Appropriate information → • WHERE: On the landing page of the website • WHAT: Purposes of processing; right to accept/decline all or part of the cookies • HOW: Layered approach (WP100) (different levels of detail)

  9. Consent: Freely Given • Consequences 5.3: • Real options must be available (e.g.: accept/decline all or part of the cookies / change browser settings) • No conditions to be placed on consent (WP185: Opinion 15/2011 on the definition of consent) → Continue browsing website even after declining cookies

  10. Consent: Unambiguously Given • Consequences 5.3: • Active behaviour: silence/inactivity is no consent • Evidence of consent must be available (to the controller) • Simple scrolling of the webpage is not enough • Click on a field, push a button, tick a box, or go to a third-party site where options can be exercised (trusted third party?) • NOTE: Proposed DP Regulation refers to consent as signified by «clear affirmative action» → No passive acceptance

  11. Consent: Additional Food for Thought • Recital 66 of directive 136/2009: • If «technically possible and effective» consent to processing may be expressed by way of browser settings or other applications BUT «in accordance with directive 95/46» → What does that mean exactly? • Interesting options, technical difficulties (browsers are not info society service providers) → interoperability, technical parameters • «privacy plug-ins»?

  12. Consent: Additional Food for Thought • Proposed EU DP Regulation (COM/2012/11) → Art. 4: “explicit” consent (rather than “unambiguous” consent) • WP29’s Opinions (in addition to “Consent” opinion): • Online Behavioural Advertising (WP171 of 2010) • Cookie Consent Exemptions (WP194 of 2012)

  13. When Prior Consent Is Not the Rule • WP29’s Opinion on Cookie Consent Exemptions • Focuses on second part of 5.3: No prior informed consent is necessary • A) For the sole purpose of carrying out transmission of a communication over an electronic communication network • B) If storage or access is strictly necessary for provision of a service by the provider of an information society service and such service has been explicitly requested by the subscriber or user

  14. When Prior Consent Is Not the Rule • Hence, in many cases consent is unnecessary • (technical conveyance of communications, provision of services like online shopping cart, authentication, multimedia player sessions, user interface customization,…) BUT for the duration of a session (no permanent tracking) and if cookie is strictly necessary (in the user’s perspective) • Recital 25 of e-privacy: No need to obtain consent for each reading of the cookie – providing users/subscribers are aware that such reading takes place (= once-only informed consent)

  15. The Grey Zone • Do-not-track: discussion in progress (W3C), should mean do-not-collect (in permanence); interoperability issues, standards, … • First-party analytics cookies (audience measuring tools) • Not necessary for either technical or service provision services, but likely to cause no privacy risks (if first-party aggregated statistical purposes, adequate information, opt-out offered) → Rule of thumb? First party, session-specific cookies less likely to require consent than third-party, permanent cookies (see WP’s document on cookie consent exemption)

  16. Fortune Cookies • http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/2146935 (Guidance on cookies and consent, in English) • WP29’s Website (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm) (Opinions and Recommendations of EU DPAs, also on cookies) • http://www.w3.org/2011/tracking-protection/ (Do-not-track standards from W3C)

  17. THANK YOU • For listening • For your attention • For not asking too many difficult questions….
