E-Privacy Directive
• 2002/58, amended by 136/2009
• Main amendments focus on DBN (data breach notification, security) and confidentiality of communications / unsolicited communications (Articles 5.3 and 13)
• Emphasis on user empowerment and choice
E-Privacy Directive: Transposition
• Patchy transposition (all MS: January 13)
• "Cookie rule" (5.3) a major point of discussion (confidentiality of communications)
• National divergences 1) on the interpretation of "consent" for the purposes of 5.3 (and not only) AND 2) on the (technical) implementation of "consent"
Cookies
• "A short alphanumeric text which is stored (and later retrieved) on the data subject's terminal equipment by a network provider" (WP29's Opinion 2/2010 on Online Behavioural Advertising)
• Cookies may or may not contain personal information (IP address, ...)
• This is irrelevant for the purpose of applying Article 5.3, which only refers to storage or retrieval of "INFORMATION" in the terminal equipment of a subscriber or user
Cookies: 2002/58 + 95/46
• However, if the information contained in a cookie includes personal data, then all the principles of Directive 95/46 also apply
• So there is an interplay between the "consent" rule of 5.3 in Directive 2002/58 (lex specialis) and Directive 95/46 (lex generalis): the rules on consent are those set out in Directive 95/46 except where they are overridden by the lex specialis contained in Directive 2002/58 (here: Article 5.3)
Cookies and Consent
• Article 5.3 requires that storage of or access to any "information" (including cookies) in the subscriber's/user's terminal equipment be subject to prior informed consent (= before cookies are set)
• "Prior": "has given ... consent, having been provided ..." (see also Recital 66)
• "Informed": "... with clear and comprehensive information"
What Consent?
• Article 5.3 of 2002/58 (lex specialis) sets out the specific requirements of prior informed consent for cookies
• BUT this "consent" is in no way different from the "consent" of Directive 95/46 (Article 2.h + Article 7); see also Article 2 of 2002/58:
• Specific (and informed)
• Freely given
• Unambiguously given
Consent: Specific
• Consequences of 5.3:
• No blanket consent
• Purpose specification and limitation
• Appropriate information
• WHERE: on the landing page of the website
• WHAT: purposes of processing; right to accept/decline all or part of the cookies
• HOW: layered approach (WP100) (different levels of detail)
Consent: Freely Given
• Consequences of 5.3:
• Real options must be available (e.g. accept/decline all or part of the cookies / change browser settings)
• No conditions to be placed on consent (WP185: Opinion 15/2011 on the definition of consent): the user can continue browsing the website even after declining cookies
Consent: Unambiguously Given
• Consequences of 5.3:
• Active behaviour: silence/inactivity is no consent
• Evidence of consent must be available (to the controller)
• Simple scrolling of the webpage is not enough
• Click on a field, push a button, tick a box, or go to a third-party site where options can be exercised (trusted third party?)
• NOTE: the proposed DP Regulation refers to consent as signified by "clear affirmative action": no passive acceptance
Consent: Additional Food for Thought
• Recital 66 of Directive 136/2009: if "technically possible and effective", consent to processing may be expressed by way of browser settings or other applications, BUT "in accordance with Directive 95/46". What does that mean exactly?
• Interesting options, technical difficulties (browsers are not information society service providers), interoperability, technical parameters
• "Privacy plug-ins"?
Consent: Additional Food for Thought
• Proposed EU DP Regulation (COM/2012/11), Art. 4: "explicit" consent (rather than "unambiguous" consent)
• WP29's Opinions (in addition to the "Consent" opinion):
• Online Behavioural Advertising (WP171 of 2010)
• Cookie Consent Exemptions (WP194 of 2012)
When Prior Consent Is Not the Rule
• WP29's Opinion on Cookie Consent Exemptions focuses on the second part of 5.3: no prior informed consent is necessary
• A) for the sole purpose of carrying out the transmission of a communication over an electronic communications network
• B) if storage or access is strictly necessary for the provision of a service by the provider of an information society service, and such service has been explicitly requested by the subscriber or user
When Prior Consent Is Not the Rule
• Hence, in many cases consent is unnecessary (technical conveyance of communications, provision of services like an online shopping cart, authentication, multimedia player sessions, user interface customisation, ...) BUT only for the duration of a session (no permanent tracking) and only if the cookie is strictly necessary (from the user's perspective)
• Recital 25 of e-Privacy: no need to obtain consent for each reading of the cookie, provided users/subscribers are aware that such reading takes place (= once-only informed consent)
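An added example (not from the slides or any regulator's code) of how a site script could enforce the rules on the consent slides and the exemptions above: only session cookies with an exempt purpose are stored before consent, passive behaviour such as scrolling never counts as consent, consent is purpose-specific, and every decision is kept as evidence for the controller. The purpose labels, action names and the session-only reading of the exemption are assumptions taken from these slides.

```javascript
// Constructed model of an Article 5.3 consent gate; no DOM needed so it can
// be exercised from tests. Purposes and action names are assumed labels.
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);
// Only affirmative acts count as unambiguous consent (click, tick a box...).
const AFFIRMATIVE_ACTIONS = new Set(["click", "tick", "button"]);

function createConsentGate(now = () => new Date().toISOString()) {
  const granted = new Set(); // purposes the user has accepted
  const evidence = [];       // records the controller keeps as proof
  const jar = [];            // cookies actually stored on the terminal

  return {
    // Record a consent decision for the given purposes. Passive behaviour
    // (scroll, timeout, "continue browsing") is rejected: silence is no consent.
    recordConsent(action, purposes) {
      if (!AFFIRMATIVE_ACTIONS.has(action)) return null;
      for (const p of purposes) granted.add(p);
      const record = { when: now(), action, purposes: [...purposes] };
      evidence.push(record);
      return record;
    },
    // Store a cookie only if it falls under the 5.3 exemption (exempt purpose
    // AND session-only, per the slides' reading) or its purpose was consented to.
    setCookie(name, purpose, persistent = false) {
      const exempt = EXEMPT_PURPOSES.has(purpose) && !persistent;
      if (!exempt && !granted.has(purpose)) return false;
      jar.push({ name, purpose, persistent });
      return true;
    },
    cookies: () => jar.map((c) => c.name),
    evidence: () => evidence.slice(),
  };
}
```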
The Grey Zone
• Do-not-track: discussion in progress (W3C); should mean do-not-collect (permanently); interoperability issues, standards, ...
• First-party analytics cookies (audience measuring tools): not necessary for either technical or service provision purposes, but likely to cause no privacy risks (if first-party, aggregated statistical purposes, adequate information, opt-out offered)
• Rule of thumb? First-party, session-specific cookies are less likely to require consent than third-party, permanent cookies (see WP29's document on cookie consent exemptions)
Fortune Cookies
• http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/2146935 (Guidance on cookies and consent, in English)
• WP29's website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm (Opinions and Recommendations of EU DPAs, also on cookies)
• http://www.w3.org/2011/tracking-protection/ (Do-not-track standards from W3C)
THANK YOU
• For listening
• For your attention
• For not asking too many difficult questions...