By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.
e-Privacy Directive 2009/136/EC (cookie directive)[1]
The Cookie Directive is the most recent amendment of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation. This directive has to be incorporated into the Member States' laws by May of 2011. Even though the cookie directive is yet to be enforced and adopted by all of the Member States, it is necessary for all Data Controllers and Data Processors to be prepared. It is imperative and urgent that ad networks, publishers and browser makers coordinate their efforts to reach a solution that complies with the cookie directive.
THE COOKIE DIRECTIVE'S ORIGINS
In this author's opinion, the cookie directive may be traced to two events:
1) the enactment of the Lisbon Treaty;[2]
2) the Working Party's contentions.
THE LISBON TREATY
The Lisbon Treaty became fully enacted on 1 December 2009, and the Charter of Fundamental Rights is now binding upon all European Union Members. Article 8 of the Charter provides a right of protection of personal data. Thus, it is the duty of the European Parliament and the Council to enact rules relating to the protection of individuals when their personal data is processed by Union institutions, bodies, offices, agencies, and Member States. The European Union has a strong tradition of protecting Human Rights. This tradition has been embedded in the directives. Before the enactment of the Lisbon Treaty, the Working Party had expressed that the Privacy Directive had a broader protection than the Charter of Human Rights in the fields of private and family life.[3] The Working Party has also expressed that the "Charter of Fundamental Rights of the European Union enshrines the protection of personal data in Article 8 as an autonomous right, separate and different from the right to private life."[4]
WORKING PARTY'S CONTENTIONS
One may say that the cookie directive is the latest attempt, by the European Union, to make Data Controllers and Data Processors comply with the privacy directives.[5] Since its inception, the Working Party has insisted that the use of cookies is regulated by the Privacy Directives. The Working Party has also tried to rally cooperation between the hardware and software makers in order to adapt their products to the European Union Privacy Directives.
On February 23rd, 1999 the Working Party adopted Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware."[6] The recommendation was a polite call for the software and hardware industry to adapt their products to do the following:
"1. The Working Party encourages the software and hardware industry to work on Internet privacy-compliant products that provide the necessary tools to follow the European data protection rules;"[7]
"2. Internet software and hardware products should provide the Internet users information about the data that they intend to collect, store or transmit and the purpose for which they are necessary."[8]
"3. The configuration of hard- and software products should not, by default, allow for collecting, storing or sending of client persistent information;"[9]
"4. Internet hard- and software products should allow the data subject to freely decide about the processing of his/her personal data by offering user-friendly tools to filter (i.e. to reject or to modify) the reception, storage or sending of client persistent information following certain criteria (including profiles, the domain or the identity of the Internet server, the kind and the duration of the information being collected, stored or sent and so on)."[10]
"5. Internet software and hardware products should allow the users to remove client persistent information in a simple way and without involving the sender."[11]
Recommendation 1/99 is almost a mirror image of the new cookie directive, and it was solely directed to the hardware and software industry. The new cookie directive, on the other hand, is a direct demand for compliance made to Data Controllers and Data Processors. The cookie directive creates a series of rights, obligations and specific duties applied to the Data Controllers and Data Processors. Before analyzing the specific requirements of the cookie directive, one must evaluate what the current duties and obligations are for Data Controllers and Data Processors.
DUTIES REQUIRED BEFORE THE COOKIE DIRECTIVE
Generally, before the cookie directive, the owner of a webpage had to do the following:
1) without any jargon, explain to the user that cookies were about to be installed, and fully explain how the cookies are used and for what purposes they were about to be installed. This information was supposed to be included in the Privacy Policy;
2) request permission to install the cookies on the user's computer;
3) inform the user about her right to refuse the cookies, and explain how to refuse them using the browser.
Of course, all the requirements only applied when there was an exchange of data which was protected by the Privacy Directives.
DUTIES REQUIRED BY THE NEW COOKIE DIRECTIVE
The new Cookie Directive applies in addition to the privacy directives. It does not matter if protected data is exchanged or not. Thus the new directive applies at all times. The most problematic aspect of the new directive is that there has to be consent before any cookie is sent. Today, the cookie is sent, and then the permission is requested. Under the new directive, the consent has to be provided before any cookie is sent. Article 5(3) states that:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."[12]
Thus, the visitors of a webpage must now be advised of their privacy rights in a two-tier framework designed to protect the privacy rights of the users. The first one requires the clear and comprehensive waiver of the cookie refusal rights.
The elements of valid cookie consent are:
i) it has provided the user with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing; and
ii) it has obtained the user's consent to the storage of or access to information on his or her terminal equipment, after having provided the information requested under i).[13]
Assuming that the user waived her rights in the first step, the user must still be informed of her privacy rights if any protected data is to be exchanged.
RECITAL 66 (browser privacy settings)
It is necessary to point out that there is a way a user may express an implied waiver of the first tier requirement. Recital 66 of the new cookie directive says that the browser filter settings may be sufficient indication of consent. The caveat is that this may only apply when technically possible.[14] According to the Working Party, in WP171, browser settings are not an exception. They are just a presumption that could not be solely relied upon. The WP indicates that, of the four major browsers, only one may qualify under the provisions of recital 66.[15] Assuming that the browser settings are technologically available, and set by the user to allow all cookies, consent under the Privacy Directives still has to be requested. The browser settings' possible assumption of acceptance is only good for the first phase. The Working Party still holds the position that further waivers have to be requested for the exchange of protected data. On page 14 of WP171, the Working Party expressed, "[t]he responsibility for [cookie] processing cannot be reduced to the responsibility of the user for taking or not taking certain precautions in his browser settings."[16] Additionally, the Working Party requests that browser makers and advertising agencies take urgent action before May 2011.[17]
CHILDREN ARE NOT CAPABLE OF GIVING INFORMED CONSENT THEREFORE: NO MORE BEHAVIORAL ADVERTISING FOR CHILDREN
One disturbing factor expressed by the Working Party is the one found in 4.1.4. In this section, the Working Party indicates that "In the light of the above and also taking into account the vulnerability of children, the Article 29 Working Party is of the view that ad network providers should not offer interest categories intended to serve behavioural advertising or influence children."[18]
Today, ad networks request parents' consent when the child will engage in some Social Network or the like. This comment seems to say that behavioural advertising can only be used when the interest categories are those which are not intended for children. In addition, no more influencing of children. Potentially one may no longer be able to create campaigns which influence children to say no to drugs, no to smoking and no to drinking and driving.
PARTIES
According to the Working Party, there are several possible actors: ad networks, publishers and advertisers. WP 171 is solely directed at ad networks and publishers. The Working Party states the following:
"• Ad network providers are bound by the obligations of Article 5(3) of the ePrivacy Directive insofar as they place cookies and/or retrieve information from cookies already stored in the data subjects' terminal equipment. They are also data controllers insofar as they determine the purposes and the essential means of the processing of data.
• Publishers have certain data controller related responsibilities regarding the processing that takes place in the first phase of the processing, i.e., when by virtue of the way they set up their web sites they trigger the transfer of the IP address to ad network providers (which enable the further processing). Such responsibility entails"[19]
TORTS AND CONSUMER PROTECTION ADDITIONAL OBLIGATIONS
The Working Party has also expressed that the failure to provide adequate notice and permission may create liabilities. These liabilities are in the tort, contract and consumer protection areas. The Working Party specifically mentions "Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council ('Unfair Commercial Practices Directive')."[20]
WHAT THE FUTURE HOLDS
The Working Party has advised that "[a]t the end of a certain "discussion" period, the Article 29 Working Party will evaluate the situation and take the necessary and appropriate measures."[21] The appropriate measures are difficult to imagine since the Working Party does not have any judicial, prosecutorial, or legislative powers. For the time being, the Working Party proposes the following courses of action:
I. to limit the scope of the consent in terms of time;
II. mitigation by providing additional information;
III. freely given consent can always be revoked.
Let us hope that all the issues may be resolved.
[1] Directive 2009/136/EC of the European Parliament and of the Council (of 25 November 2009) amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
[2] Supra, Footnote 90.
[3] Opinion 4/2007 on the concept of personal data, Page 7: "On the other hand, the rules on protection of personal data go beyond the protection of the broad concept of the right to respect for private and family life."
[4] Id.
[5] Opinion 2/2010 on online behavioural advertising, Adopted on 22 June 2010, WP171.
[6] Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware".
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] Supra, Footnote 5, at 48.
[13] Supra, Footnote 5, at 14.
[14] Supra, Footnote 5, 48.
[15] Supra, Footnote 5.
[16] Supra, Footnote 5.
[17] Supra, Footnote 5, at page 15.
[18] Supra, Footnote 5, at page 17.
[19] Supra, Footnote 5, at 22.
[20] Supra, Footnote 5, at Footnote 29.
[21] Supra, Footnote 5, at 22.
If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.