On 13 June 2005, Belgium’s long awaited new telecoms act (the “Telecoms Act”) was finally adopted.1 Belgium has now fully implemented the E.U. Directive on Privacy & Electronic Communications of 20022 (the “Directive”). The spam provisions of this Directive had already been implemented by the Royal Decree of April 4, 2003,3 which completed the general opt-in regime provided by the E-Commerce Law of March 11, 2003.4
The deadline for the implementation of the Directive expired on October 31, 2003 and infringement proceedings had been launched against Belgium (and other Member States) by the European Commission for failure to notify transposition measures. In April 2005, Belgium’s failure to transpose the Directive was confirmed in a judgment of the European Court of Justice.5
Cookies are small files of letters and numbers that act as identifiers on websites. Cookies allow the website server to recognise the user when he or she returns to the website. The letters and numbers identify the name of the server that sent the cookie, the lifetime of the cookie and possibly also other information such as the time the cookie was placed. As cookies allow the website’s server to recognise users that return to the website, they are primarily used for the customisation of websites. As such, cookies can be useful tools for analysing the effectiveness of online advertising or website design, or for verifying the identity of users engaged in online transactions. Cookies may thus facilitate e-commerce or the provision of other information society services.
In addition to compliance with these existing data protection rules, websites using cookies will now also need to comply with the specific provisions on cookies laid down in Article 5, 3° of the Directive, as implemented into Belgian law by Article 129 of the Telecoms Act.
Article 5, 3° of the Directive provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:
the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Data Protection Directive 95/46/EC, i.e., information about the purposes of the processing; and
the subscriber or user concerned is offered the right to refuse such processing by the data controller.
This is with the exception of any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over a network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user concerned.
The Directive does not contain specific guidance on this point: Article 5, 3° only requires the right to refuse to be offered and the information to be given (in a clear and comprehensive manner). Paragraph 25 of the Directive’s preamble specifies that the information and the right to refuse may be offered once for the use of various cookies (or other devices) to be installed on the user's terminal equipment during the same connection and may also cover any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.
However, the way these provisions of the Directive have been implemented into Belgian law has caused concern. Article 129 of the Telecoms Act provides that:
“The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:
1. in accordance with the conditions laid down in the Data Protection Law of December 8, 1992, the subscriber or user concerned is provided with clear and precise information about the purposes of the processing and his rights under the Data Protection Law;
2. the data controller offers the subscriber or user concerned, prior to the processing and in a clear, comprehensive and unambiguous way, the possibility to refuse the intended processing” [emphasis added].
Article 129 further stipulates that a lack of refusal by the subscriber or user does not exempt the data controller from compliance with any other obligations under the Data Protection Law.
It thus seems that the way Belgium has implemented the E.U. provisions on cookies is neither user-friendly7 nor industry-friendly. As with many rules that affect the information society, it remains to be seen how creative the industry will be in complying with the new rules and how pragmatically these rules will be interpreted by the supervisory authorities.
First published in World Internet Law Report.
1Law of June 13, 2005 on electronic communications, Belgian State Gazette, June 20, 2005.
2Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 of July 31, 2002.
3Royal Decree of April 4, 2003 regulating advertising by electronic mail, Belgian State Gazette, May 28, 2003.
4Law of March 11, 2003 on certain legal aspects of information society services, Belgian State Gazette, March 17, 2003.
5Judgment of April 28, 2005, C-376/04.
6Parliamentary Document 1425/018 of April 14, 2005.
7In Belgian Parliament, there is also a law proposal pending that tends to prohibit … the use of pop-up screens.