Cookies Update: Implementation of the EU Directive - August 2012

03 August 2012

Ruth Boardman, Laura Acreman, Gabriel Voisin

Continuing Bird & Bird’s chart of the revised rules on cookies, the following countries have recently taken steps towards implementation: Belgium, Italy, The Netherlands, Poland and Portugal.

Belgium

On 28 June 2012, the Belgian Parliament and Senate passed a new Act on electronic communications, including an updated version of the E-commerce Act of 13 June 2005.

The new Act introduces a new consent rule applying to all types of information stored or accessed on a user’s terminal device, in addition to the existing right for the user to be provided with information about the technology used (e.g. cookies) and the purpose of their use together with the right to refuse such processing.

This new rule derives from Article 5.3 of the new ePrivacy Directive (Directive 2009/136/EC amending Directive 2009/136/CE) requiring that “the subscriber or the user concerned has given his or her consent”.

Although the Belgian legislator replicated the wording of the ePrivacy Directive, questions about the extent of consent exemptions remain unanswered. The Belgian Data Protection Commission recommends clarification of the following:

(a) Which tracking technologies are affected by the consent requirement and by the consent exemptions?
(b) What type of information should be provided to users? and
(c) How should third party tracking technologies be blocked?

These points may be clarified in a Royal Decree or by the Belgian Telecom Regulator (IBPT).

Italy

The Italian rules on cookies have now been officially published. These rules are contained in the recently amended section 122 of the legislative decree no.196 of 30 June 2003 on protection of personal data (i.e. the Italian Data Protection Code).

The new rules outline the use of cookies and similar technologies, namely requiring the express consent of the contracting party or user provided that the user (or ‘contracting party’) has been previously informed about what those cookies are and how they are used.

Although expected, further guidelines are yet to be provided because the new board of the Garante has only recently been appointed.

More detailed information about the new Italian rules is available here.

The Netherlands

The Dutch law entered into effect on 5 June 2012. The Dutch cookie rules are arguably stricter than the implementation required by the ePrivacy Directive. This is primarily caused by a narrow interpretation of the consent requirement for the placement of cookies, which cannot be based on opt-out solutions or by means of browser settings.

Moreover, the introduction of a burden of proof for so-called tracking cookies (used for behavioural targeting), makes it easier for the Dutch Data Protection authority (DPA) to supervise the use of cookies with respect to data processing based on tracking cookies. With this burden of proof, the DPA no longer needs to prove that the cookies are used for data processing activities - in which case it will be up to the website to prove that the cookies are not used for these purposes. This supervision is in addition to supervision from the telecom regulator OPTA, as primary supervisor. It is important to note that this burden of proof is likely to enter into force from 1 January 2013.

OPTA has the ability to impose fines of up to EUR 450,000, apply administrative sanctions and/or impose an order for periodic penalty payments. OPTA has produced a set of FAQs on the new rules, an English translation of which can be found here.

The DPA can only impose monetary penalties of up to EUR 4,500 in a limited set of circumstances: failure to notify data processing activities and transfers of data in breach of a Commission decision. Other sanctions are administrative enforcement or penal sums, but these can only be used after the DPA has started an investigation and confirmed that the entity is not compliant to the Dutch Data Protection Act.

Poland

Although Poland is yet to implement the Directive, the Government recently published its new proposal to amend and implement the Directive into the Telecommunication Law of 16 July 2004 currently regulating cookies.

The proposal introduces the obligation to obtain informed consent for the use of cookies, unless the exemption applies for technology necessary to transmit a communication or where cookies are necessary to provide information society service upon subscriber’s/end-user's request.

The end-user/subscriber should be informed about cookies directly, in an easily understandable and unambiguous manner prior to giving their consent. Despite the opt-in wording provided in the proposal, the informed consent can be expressed by software and service settings, including browser settings.

The proposal is supposed to be further consulted on by stakeholders before being reviewed by Parliament.

Portugal

Similar to Poland, Portugal is yet to implement the Directive, although Law Proposal nr. 78/XII has been filed in Parliament on 21 June 2012 for further discussion.

This first proposal intended to amend legislation on privacy and electronic communications namely Law 41/2004 of 18 August 2004, in view of Directive 2009/136/EC. The proposal foresees the amendment of several dispositions of Law 41/2004 (and its republication) including obligations (i) to provide information about the purpose(s) of processing and (ii) to obtain previous consent from the relevant user.

Law Proposal nr. 78/XII lends itself to an interpretation that consent can only be given after the user has received sufficient information on the cookies and prior to those cookies being placed, although how the regime will be properly implemented remains to be seen.

Click on the map to see how the Directive is being implemented across our countries:

 Click to see a PDF on how the directive is being implemented across our countries