Cookies and spyware new draft law in Belgium

06 January 2005

Johan Vandenriessche

An overview of legislation on cookies was presented in the March edition of the IT & E-Commerce Law Bulletin (the “Cookies special issue”). At the time we could only provide limited guidance on the legal framework affecting cookies in Belgium because Belgium had yet to file a draft law in Parliament implementing Directive 2002/58/EC (the “Directive on privacy and electronic communications”)[1]. The draft law was filed on 4 November 2004 so we are now able to assess the proposed legal framework for cookies and spyware in Belgium[2].

Cookies and spyware

A cookie is a small file of letters and numbers that acts as an identifier on a website. Cookies allow the website server that sent the cookie to recognise the user when he returns to the site, or browses from page to page. The numbers identify the name of the server that sent the cookie, the lifetime of the cookie and possibly, other information such as the time the cookie was placed. Cookies are primarily used to allow websites to be customised, as they allow the website’s server to recognise that it is the same user returning to it.

Spyware is software generally installed without the informed consent of the user which gathers information about the user.

The link between cookies and spyware is made by Article 5, (3) and considerations 24 and 25 of Directive 2002/58/EC.

The current legal status of cookies

A summary analysis of cookies under the current legislation can be found in the “Cookies Special” issue of the Bird & Bird IT & E-Commerce Law Bulletin. The conclusion of this analysis was that the existing legal framework in Belgium does not differ substantially from the framework provided by Directive 2002/58/EC.

The status of cookies (and spyware) under the Belgian draft law

The draft law provides that:

The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that:

1 the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Law of 8 December 1992 on privacy protection in relation to the processing of personal data, about the purposes of the processing and his rights under the Law of 8 December 1992 on privacy protection in relation to the processing of personal data.

2 the data controller offers the subscriber or user the right to refuse such processing

The first paragraph applies notwithstanding any technical storage of or access to information stored in the terminal equipment of a subscriber or user for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

A lack of refusal in the meaning of the first paragraph or the application of the second paragraph shall not exempt the data controller of his obligations under the law of 8 December 1992 on privacy protection in relation to the processing of personal data that are not imposed by this article.”

Unlike the pre-draft text (before filing with the Parliament), the current text does not impose the condition of offering the right of refusal before any processing, i.e. before the installation of a cookie. Intensive lobbying of online advertising and marketing associations succeeded in the removal of this condition.

The business associations in support of removing the condition referred to an interpretation of the current policy of the national supervisory authority, the Data Protection Commission. In its opinion 34/2000 on the protection of privacy in electronic commerce, the Data Protection Commission stated that in case of invisible processing of personal data (cookies in this specific opinion), the data subject should receive the necessary information about the purpose of the processing and the means of refusal. On a website this is generally done by a privacy disclaimer on the homepage and/or every other page where data is collected. Implicitly, this seems to allow the data controller to place the actual cookies before the consent of the data subject is obtained. This is indeed a wide-spread practice.

By deleting “the right of refusal prior to any processing”, the draft law seems to confirm this implicit reasoning. The consequences are, however, broader. Since cookies and spyware legally fall under the same category, this flexible interpretation of data protection law might also apply to spyware. It remains to be seen whether or not this interpretation will survive the parliamentary debate.



[1]Directive 2002/58/EC of the European Parliament and Council (12 July 2002) – concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[2] Draft Law on some legal issues concerning electronic communications, Doc. Nr. 1425/001 and 1426/001.