On 13 June 2005, Belgium’s long-awaited new telecoms act (the “Telecoms Act”) was finally adopted. Belgium has now fully implemented the EU Directive on Privacy & Electronic Communications of 2002 (the “Directive”). The spam provisions of this Directive had already been implemented by the Royal Decree of 4 April 2003, which completed the general opt-in regime provided by the E-Commerce Law of 11 March 2003.
The deadline for the implementation of the Directive expired on 31 October 2003 and infringement proceedings had been launched against Belgium (and other Member States) by the European Commission for failure to notify transposition measures. In April of this year, Belgium’s failure to transpose the Directive was confirmed in a judgment of the European Court of Justice.
Cookies are small files of letters and numbers that act as identifiers on websites. Cookies allow the website server to recognise the user when he or she returns to the website. The letters and numbers identify the name of the server that sent the cookie, the lifetime of the cookie and possibly also other information such as the time the cookie was placed. As cookies allow the website’s server to recognise users that return to the website, they are primarily used for the customisation of websites. As such, cookies can be useful tools for analysing the effectiveness of online advertising or website design, or for verifying the identity of users engaged in online transactions. Cookies may thus facilitate e-commerce or the provision of other information society services.
In addition to compliance with these existing data protection rules, websites using cookies will now also need to comply with the specific provisions on cookies laid down in Article 5, 3° of the Directive, as implemented into Belgian law by Article 129 of the Telecoms Act.
Article 5, 3° of the Directive provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:
the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Data Protection Directive 95/46/EC, i.e. information about the purposes of the processing;
the subscriber or user concerned is offered the right to refuse such processing by the data controller.
This is with the exception of any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over a network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user concerned.
The Directive does not contain specific guidance on this point: Article 5, 3° only requires the right to refuse to be offered and the information to be given (in a clear and comprehensive manner). Paragraph 25 of the Directive’s preamble specifies that the information and the right to refuse may be offered once for the use of various cookies (or other devices) to be installed on the user's terminal equipment during the same connection and may also cover any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.
However, the way these provisions of the Directive have been implemented into Belgian law has raised a lot of eyebrows. Article 129 of the Telecoms Act provides that:
“The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that:
1° in accordance with the conditions laid down in the Data Protection Law of 8 December 1992, the subscriber or user concerned is provided with clear and precise information about the purposes of the processing and his rights under the Data Protection Law;
2° the data controller offers the subscriber or user concerned, prior to the processing and in a clear, comprehensive and unambiguous way, the possibility to refuse the intended processing.”
Article 129 further stipulates that a lack of refusal by the subscriber or user does not exempt the data controller from compliance with any other obligations under the Data Protection Law.
It thus seems that the way Belgium has implemented the EU provisions on cookies is neither user-friendly nor industry-friendly. As with many rules that affect the information society, it remains to be seen how creative the industry will be in complying with the new rules and how pragmatically these rules will be interpreted by the supervisory authorities.
 Law of 13 June 2005 on electronic communications, Belgian State Gazette, 20 June 2005.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), O.J., L201 of 31 July 2002.
 Royal Decree of 4 April 2003 regulating advertising by electronic mail, Belgian State Gazette, 28 May 2003.
 Law of 11 March 2003 on certain legal aspects of information society services, Belgian State Gazette, 17 March 2003.
 Judgment of 28 April 2005, C-376/04.
 See also Bird & Bird’s Cookies & Spam Special (IT & E-Commerce Law Bulletin, December 2003, available at ).
 Parliamentary Document 1425/018 of 14 April 2005.
 In the Belgian Parliament, there is also a pending legislative proposal that aims to prohibit … the use of pop-up screens.