New Law on Cookies
What is a cookie?
A cookie is a small file of letters and numbers that acts as an identifier on a website. It allows the website server that sent the cookie to recognise the user when s/he returns to the site or browses from page to page. The numbers identify the name of the server that sent the cookie, the lifetime of the cookie and, possibly, other information such as the time the cookie was placed. Cookies are primarily used to allow websites to be customised, as they allow the website’s server to recognise that it is the same user returning to it.
What is SPAM?
This is the practice of blindly posting commercial messages or advertisements to a large number of unrelated and uninterested newsgroups, and bulk e-mailing unsolicited commercial messages.
EC’s Directive on Privacy and Electronic Communications (2002/58/EC) (the “Directive”)
The UK has implemented the Directive by way of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Regulations”), which also replace the existing Telecommunications (Data Protection and Privacy) Regulations. The Regulations will come into force on 11 December 2003.
In the DTI’s paper, The Implementation of the Directive on Privacy and Electronic Communications, Government’s Response to Consultation, 18 September 2003, the DTI made it clear that it wanted to be as un-prescriptive as possible about the ways in which organisations comply with the information and rejection provisions. For example, one possibility mentioned in the DTI’s consultation document that preceded the Regulations was that organisations could include information in their cookie policies explaining how users could configure their browsers so as to reject cookies. (For example, some versions of Internet Explorer allow you to reject cookies.)
There are some exceptions and limitations to the information and rejection provisions, namely:
(1) if an organisation wishes to use a cookie whenever an individual visits its site, it must provide the visitor with the information and opportunity to reject a cookie only on the initial visit;
(2) there is no need to provide either the information or the opportunity to reject a cookie where use of a cookie or similar technology is (a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or (b) strictly necessary for the provision of an information society service requested by the subscriber or user.
In relation to SPAM, the Regulations only apply to unsolicited commercial communications sent to individual subscribers. Consideration has been given to extending the provisions to corporate entities and this area is being kept under DTI review.
Prior to the Regulations, the Data Protection Acts of 1994 and 1998 required organisations to provide for recipients to opt-out of marketing or promotional campaigns by e-mail.
The Regulations introduce a new opt-in regime, which requires organisations to get the recipient’s consent before carrying out such campaigns. This rule applies to much B2B (business to business) marketing. It is also retrospective and applies to existing databases of e-mail contacts.
There is a limited exception to this new regime, referred to as the “Soft opt-in” which allows unsolicited emails to individual subscribers where:
i) there has been a sale or negotiation with the individual;
ii) the direct marketing is to be carried out by the same legal person who obtained the original details;
iii) the direct marketing relates to similar products and services; and
iv) the individual was offered an opt-out when the details were originally obtained (as organisations were required to do under the Data Protection Acts of 1994 and 1998).
In particular, this will heavily impact and restrict the practice of using contact lists to cross-market broader ranges of products and services.
The Information Commissioner’s guidance addresses the impact of the Regulations on legacy data and advises that the Commissioner will be “pragmatic” in this area. Organisations that have collected legacy data fairly (usually by offering an opt-out) and which have used the marketing lists recently can continue to market similar goods and services without needing to get new opt-in consent.
Copies of the Commissioner’s guidance are available from www.dataprotection.gov.uk at Guidance/Compliance Advice.
France
The provisions of the Directive concerning cookies are the subject of the draft law on the protection of individuals with regard to personal data processing. That draft law also implements the Data Protection Directive (95/46/EC) of 24 October 1995 and modifies the law of 6 January 1978 concerning computer systems, files and freedoms. The rest of the Directive will be implemented in France through the law on “confidence in the digital economy” (confiance dans l'économie numérique), which will soon be adopted.
The draft law was adopted by the Assemblée Nationale at the first reading on 30 January 2002 and was submitted to the Senate on 1 April 2003, which amended the draft. In line with the French legislative process, the further draft, as amended by the Senate, will be re-submitted at the beginning of 2004 to the Assemblée Nationale for final adoption.
The new article 32 of the law of 6 January 1978, as amended by the Senate, states that the data controller must clearly and comprehensively inform every person using electronic communications networks of (i) the purpose of the storage of information or the access to information stored in its terminal equipment; and (ii) the means by which users may refuse such storage or access.
It is then specified that these provisions do not apply where such practice either aims exclusively at facilitating the transmission of a communication over an electronic communications network, or is strictly necessary in order to provide an information society service explicitly requested by the user.
The provisions of the draft law are, therefore, very close to the provisions of the Directive.
Note that in the previous version, as adopted by the Assemblée nationale on 30 January 2002, the new article 32 prohibited organisations from making acceptance of a cookie part of their terms and conditions of use. In addition, failure to provide sufficient information was punishable by a five-year imprisonment sentence and a €300,000 fine. These two points have, however, been withdrawn in the latest version adopted by the Senate on 1 April 2003.
Germany
The Directive has not yet been implemented in Germany. In November 2001 an expert opinion by Roßnagel/Pfitzmann/Garstka proposed the modernisation of German data protection law in one single codification. It is, however, presumed that the German legislator will not follow this recommendation. Instead, the legislator is likely to enact three different Acts, the most important of which are a modification of the Telecommunications Act (TKG) and the codification of a new act, named the “Tele Media Data Protection Act” (TMDSG). Currently, the Federal Legislator is in discussions with the regions, which will have to assign legislative competences for this purpose. A first draft of the TMDSG is expected to be published at the end of this year.
The TMDSG shall unify the data protection provisions in two different Acts. This will be done by replacing the “Tele Services Data Protection Act” (TDDSG) and incorporating the data protection provisions of the “Media Services Treaty” (MDStV).
Due to the discussions currently taking place, the provisions that will apply to cookies within the TMDSG are not sufficiently advanced yet to allow forecasts on the future legal framework.
Generally, according to the prevailing opinion, cookies are lawful under the “opt-out” regime of Sect. 6 para. 3 TDDSG. According to this clause, the provider may compile pseudonym-based user profiles for purposes of advertising, market research and structuring of the tele-services, provided the user does not raise objections. This diverges from Art. 5 para. 3 of the Directive only in so far as the opt-out lawfulness is restricted to pseudonym-based information.
However, the provider must inform the user of his right to opt out according to Sect. 6 para. 3 sent. 2 TDDSG. Besides this, in the case of “automated processes that allow the identification of the user” (cookies), the user must be informed about this process from the outset (Sect. 4 para. 1 sent. 2 TDDSG).
Italy
From 1 January 2004 a new data protection code (the “Code”) will enter into force and replace the provisions currently scattered across several sets of rules. The Code is an overall review of the way data processing is managed: it is partly a collection of existing provisions, but it also provides new, simplified regulation of existing requirements as well as new regulation on matters previously lacking any specific provisions.
The Code also gives the Italian legislator the opportunity to implement the Directive within the Code. In particular, the Code will partially bridge the gap in Italian legislation which has, up to now, been lacking in specific rules on data processing via the Internet (based on the legislation currently in force, general rules on data protection apply).
To this extent, a specific section of the Code is dedicated to Electronic Communications, the provisions of which substantially replicate the Directive. Within this section there is a chapter titled “Internet and Electronic Networks” which sets out general principles to be applied when providers of communication and information services, supplied by means of electronic communications networks, process personal data and, in particular, when subscribers’ or users’ information is collected.
The general principles contained therein will be implemented by codes of conduct and professional practice, to be drawn up in the near future. Such codes of conduct and professional practice shall be encouraged by the Garante (the Italian Supervisory Authority) within the framework of the categories concerned, by adhering to the guidelines set out in Council of Europe recommendations on personal data processing.
The codes and their compliance with the laws and regulations will be verified by the Garante. The codes will be valid and enforceable upon their publication in the Official Journal of the Italian Republic, and compliance with the provisions contained therein will be a prerequisite for the personal data processing to be lawful.
In particular, under the Code and without prejudice to the code of conduct mentioned below, which is still to be drawn up, the use of an electronic communications network to gain access to information stored in the terminal equipment of a subscriber or user, to store information or to monitor operations performed by the user (e.g. cookies) will be prohibited.
The code of conduct and professional practice applies to the processing of personal data by providers of communication and information services, supplied by means of electronic communications networks. It will identify the criteria to ensure and streamline adequate information and awareness by users of public and private electronic communications networks as to the categories of personal data processed and the mechanisms for such processing. In particular, the information notices will be provided online using simple and interactive means. This will enhance openness and fairness in respect of the users as well as full compliance with the principles governing data processing with a view to certifying the quality of the implemented mechanisms and the security level afforded.
This code of conduct will also lay down prerequisites and limitations for a provider of an electronic communication service to use the network in the manner described above for specific, legitimate purposes related to technical storage. Storage should be for no longer than is strictly necessary to transmit a communication or provide a specific service as requested by a subscriber or user who has given his/her consent based on prior information.
Sweden
Section 18, Chapter 6 of the Act states as follows:
“Electronic communication networks may be used to store or gain access to information that is stored in the subscriber’s or user’s terminal equipment only if the subscriber or user receives information from the controller of personal data about the purpose of the processing and is given an opportunity to impede such processing. This does not prevent such storage or access that is required to perform and facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the user or subscriber has expressly requested.”
The Act requires this information to be clearly stated on the website. It does not require the information to be presented to visitors before entering the website.
The Swedish National Telecom Agency has been given the task of supervising the market’s compliance with the Act. In order to be able to fulfil its role as the supervising authority, the Telecom Agency has been given the power to issue injunctions in relation to websites not complying with the Act. Such injunctions may be combined with fines. As a final measure, in case of non-compliance, the Telecom Agency has been authorised to prohibit non-compliant operators from pursuing their activities over the Internet. However, such prohibitions may not be issued if the violation of the Act is deemed to be of lesser importance. A violation of the provision in the Act requiring websites to provide information regarding cookies may, in cases of wilful misconduct or negligence, be considered a criminal offence resulting in an obligation to pay fines.
The Netherlands
The Dutch legislator has not yet implemented the new regime for cookies under the Directive.
On 28 October 2003, the lower house of the Dutch parliament adopted the legislative proposal which will amend the Dutch Telecommunications Act of 1998 (the “Proposal”). Following this amendment, the new EC telecommunications Directives, including the Directive, will be implemented. Before the new law can enter into force, the Proposal will also have to be adopted by the upper house. This may take place before the end of this year, but early 2004 is viewed as more realistic.
Moreover, the provisions of the Proposal do not cover all of the subjects dealt with in the Directive. Most relevant in the present context is the fact that article 5, section 3, of the Directive is not implemented by the present Proposal because the legislator requires additional consultation/study for that. According to the relevant ministry, the Ministry of Economic Affairs, a draft text for the implementation of the new regime for cookies and the like is ready for consultation. In the coming weeks, this draft text will be discussed with the Ministry of Justice, the Data Protection Authority and the Dutch national regulator, OPTA. Following this, the text will be amended and implemented, which, depending on the chosen method of legislation, might be at the same time as the Proposal or shortly after that.
Belgium
The Data Protection Law applies to the processing of personal data wholly or partly by automatic means, as well as to the processing other than by automatic means of personal data that form part of or are intended to form part of a filing system (article 3, §1).
(a) Is information collected by cookies personal data?
Personal data is defined as any information relating to an identified or identifiable natural person (i.e. the data subject). An identifiable person is one who can be directly or indirectly identified, in particular by using an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
According to the Belgian legislation, all information concerning natural persons shall be considered to be personal data, as long as either the controller or any other person is able to identify the data subject by whatever means are likely to be reasonably used. This has serious consequences for the processing of data on the Internet, as generally the internet service provider will be able to identify the data subject using reasonable means.
Generally speaking, a cookie will not be able to identify a person independently. Cookies, as such, serve to identify a computer. However, the data collected through a cookie can be linked to other information, e.g. information provided through registration forms, surfing or purchasing habits, or an IP address. Once linked, the collected data become personal data, as the data subject is then identifiable.
The definition of processing is very broad. It is defined as any operation or set of operations performed on personal data, whether by automatic or manual means, such as collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of personal data.
The storage of a cookie and collection of information therewith falls under this definition.
Comparison of the current Belgian legal situation with the conditions imposed by Directive 2002/58
The Directive on privacy and electronic communications provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned is provided with clear and comprehensive information and is offered the right to refuse such processing by the data controller. This is with the exception of any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
As a matter of principle, personal data may not be processed without the clear and unambiguous consent of the data subject. This consent requires clear and comprehensive information about the data processing and its purposes.
In view of the principles of data quality (article 5 of the Data Protection Law), the data subject must be given the opportunity to reject the cookies and, unless the cookies are strictly necessary for access to the website, he must still be able to access the website if he has rejected the cookies. Refusing access to a website on the grounds that the data subject has refused cookies is contrary to the principles of data quality if acceptance of the cookies is not strictly necessary for access to the website.
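As an added illustration (not part of this article, and not code from any of the authorities it discusses), the following Python script ties the two technical threads above together: it extracts from Set-Cookie headers the facts the “What is a cookie?” section says a cookie carries (the sending server, the lifetime, the identifier), which is the minimum a site needs in order to give the “clear and comprehensive information” the Directive requires, and it applies the information-and-rejection rule with its strictly-necessary exemption as set out in the UK Regulations and in the Belgian comparison, so that a user who refuses non-essential cookies is still served the page. The headers, cookie names, domains and the catalogue of which cookies count as strictly necessary are all constructed for the demonstration.

```python
"""Added example (not part of the article): parse Set-Cookie headers and apply
the Directive's information-and-rejection rule with its strictly-necessary
exemption. All headers, cookie names, domains and the purpose catalogue below
are constructed for the demonstration."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a server response might carry them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",                                      # login session
    "cart=item42; Domain=shop.example; Path=/; Max-Age=3600",                          # shopping basket
    "adtrack=u-7781; Domain=ads.example; Path=/; Expires=Wed, 10 Dec 2003 23:59:59 GMT",  # tracking
]

# Constructed purpose catalogue: cookies that are strictly necessary to provide
# the service the user asked for, and so are exempt from the information/rejection rule.
STRICTLY_NECESSARY = {"sessionid", "cart"}

# Constructed clock, so that lifetimes computed from an Expires date are reproducible.
REFERENCE_TIME = datetime(2003, 12, 10, 22, 59, 59, tzinfo=timezone.utc)


def parse_set_cookie(header, now=None):
    """Extract what the article says a cookie identifies: the sending server
    (Domain attribute), its lifetime, and the identifier value itself.
    lifetime_seconds is None for a session cookie (discarded when the browser closes)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # one Set-Cookie header carries one cookie
    lifetime = None
    if morsel["max-age"]:                  # Max-Age takes precedence over Expires
        lifetime = int(morsel["max-age"])
    elif morsel["expires"]:
        now = now or datetime.now(timezone.utc)
        expiry = parsedate_to_datetime(morsel["expires"])
        lifetime = max(0, int((expiry - now).total_seconds()))
    return {
        "name": name,
        "value": morsel.value,
        "domain": morsel["domain"] or None,   # None: defaults to the responding host
        "lifetime_seconds": lifetime,
        "strictly_necessary": name in STRICTLY_NECESSARY,
    }


def cookie_notice(headers, now=None):
    """The information a site must give before (or on) placing cookies: one entry
    per cookie with its server, lifetime and whether the user may refuse it."""
    return [parse_set_cookie(h, now) for h in headers]


def filter_set_cookie_headers(headers, accepts_non_essential, now=None):
    """Decide which Set-Cookie headers may be sent. Strictly necessary cookies are
    always sent; the rest only if the informed user has not refused them. The
    page itself is served either way, so refusing cookies never blocks access."""
    return [
        h for h in headers
        if parse_set_cookie(h, now)["strictly_necessary"] or accepts_non_essential
    ]


if __name__ == "__main__":
    for entry in cookie_notice(SAMPLE_SET_COOKIE_HEADERS, REFERENCE_TIME):
        print(entry)
    print("user refused non-essential cookies ->",
          filter_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS, accepts_non_essential=False))
```

Running the script prints one notice entry per cookie and then shows that, when the user refuses non-essential cookies, only the session and basket cookies are sent while the tracking cookie is withheld; the response body is unaffected, which is the point made about data quality above.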