new telecoms law of June 2005

23 September 2005

Peter Van de Velde

On 13 June 2005, Belgium’s long-awaited new telecoms act (the “Telecoms Act”) was finally adopted.[1] Belgium has now fully implemented the E.U. Directive on Privacy & Electronic Communications of 2002[2] (the “Directive”). The spam provisions of this Directive had already been implemented by the Royal Decree of April 4, 2003,[3] which completed the general opt-in regime provided by the E-Commerce Law of March 11, 2003.[4]

The deadline for the implementation of the Directive expired on October 31, 2003 and infringement proceedings had been launched against Belgium (and other Member States) by the European Commission for failure to notify transposition measures. In April 2005, Belgium’s failure to transpose the Directive was confirmed in a judgment of the European Court of Justice.[5]

The fact that Belgium has now implemented the Directive means that it finally has specific rules in place regarding the use of cookies on websites. Until now, the legal status of the use of cookies remained rather unclear.

Cookies are small files of letters and numbers that act as identifiers on websites. Cookies allow the website server to recognise the user when he or she returns to the website. The letters and numbers identify the name of the server that sent the cookie, the lifetime of the cookie and possibly also other information such as the time the cookie was placed. As cookies allow the website’s server to recognise users that return to the website, they are primarily used for the customisation of websites. As such, cookies can be useful tools for analysing the effectiveness of online advertising or website design, or for verifying the identity of users engaged in online transactions. Cookies may thus facilitate e-commerce or the provision of other information society services.

In general, cookies may identify a computer, but will be unable to identify the physical persons using the computer. However, in connection with other information (such as the IP address or information provided through online registration forms), the information stored in cookies may contribute to the identification of a physical person. In that case, the storage of a cookie and the collection of information through that cookie may be qualified as a “processing by automatic means” of personal data. In these circumstances, the Data Protection Law of December 8, 1992 will apply to the use of cookies on websites.

In addition to compliance with these existing data protection rules, websites using cookies will now also need to comply with the specific provisions on cookies laid down in Article 5, 3° of the Directive, as implemented into Belgian law by Article 129 of the Telecoms Act.

Article 5, 3° of the Directive provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:

  1. the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Data Protection Directive 95/46/EC, i.e., information about the purposes of the processing; and
  2. the subscriber or user concerned is offered the right to refuse such processing by the data controller.

This is with the exception of any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over a network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user concerned.

In general, the use of cookies thus requires the knowledge of the users concerned and the ability of such users to refuse the storage of the cookie on their computer (or other terminal equipment).

The question that puzzles the online industry is at what time exactly the information about the use of the cookie and the right to refuse the cookie should be given. Does it need to be given prior to the processing (i.e. prior to the storage of the cookie)? Or can the information about the use of cookies (and the right to refuse them) be safely tucked away in the general privacy disclaimer on the website (as is now often the case)? The latter solution means that the user first needs to access the website to read the disclaimer and that, of course, at that time the cookie may already be stored on his equipment.

The Directive does not contain specific guidance on this point: Article 5, 3° only requires the right to refuse to be offered and the information to be given (in a clear and comprehensive manner). Paragraph 25 of the Directive’s preamble specifies that the information and the right to refuse may be offered once for the use of various cookies (or other devices) to be installed on the user's terminal equipment during the same connection and may also cover any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.

However, the way these provisions of the Directive have been implemented into Belgian law has caused concern. Article 129 of the Telecoms Act provides that:

“The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:

1. in accordance with the conditions laid down in the Data Protection Law of December 8, 1992, the subscriber or user concerned is provided with clear and precise information about the purposes of the processing and his rights under the Data Protection Law;

2. the data controller offers the subscriber or user concerned, prior to the processing and in a clear, comprehensive and unambiguous way, the possibility to refuse the intended processing” [emphasis added].

Article 129 further stipulates that a lack of refusal by the subscriber or user does not exempt the data controller from compliance with any other obligations under the Data Protection Law.

The requirement of providing the right to refuse the cookie “prior to the processing” particularly worries the online industry. How should this be done? If the information needs to be given prior to the processing, the use of a specific pop-up screen or splash page would be necessary in order to give the user the opportunity to refuse the cookie prior to its storage. Or would a specific reference to the use of cookies in the privacy disclaimer of the website still be sufficient?

As said, the requirement of granting the refusal prior to the processing cannot be found in the text of Article 5, 3° of the Directive. In fact, the “prior” wording initially appeared in the very first draft of the Telecoms Act, was then deleted from it, but was finally slipped back in by way of an amendment introduced by certain Members of Parliament. The amendment was motivated by referring to the general need for a safer Internet. Therefore, it was felt that website users need to be informed in a clear, comprehensive and unambiguous way of the purposes of the use of cookies and need to have the opportunity to refuse the storage of cookies on their equipment prior to the processing, “potentially already at browser level”.[6] Most browsers indeed offer the opportunity to disable cookies as a rule, but it seems clear that this does not exempt individual website providers from their obligation to comply with the new cookie requirements imposed by the Telecoms Act.

It thus seems that the way Belgium has implemented the E.U. provisions on cookies is neither user-friendly[7] nor industry-friendly. As with many rules that affect the information society, it remains to be seen how creative the industry will be in complying with the new rules and how pragmatically these rules will be interpreted by the supervisory authorities.

First published in World Internet Law Report.

[1] Law of June 13, 2005 on electronic communications, Belgian State Gazette, June 20, 2005.

[2] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 of July 31, 2002.

[3] Royal Decree of April 4, 2003 regulating advertising by electronic mail, Belgian State Gazette, May 28, 2003.

[4] Law of March 11, 2003 on certain legal aspects of information society services, Belgian State Gazette, March 17, 2003.

[5] Judgment of April 28, 2005, C-376/04.

[6] Parliamentary Document 1425/018 of April 14, 2005.

[7] In the Belgian Parliament, there is also a legislative proposal pending that aims to prohibit … the use of pop-up screens.