Sunday, September 30, 2012

The European cookies law

ePrivacy directive and the European cookies law

A “new” online privacy directive has been actively implemented within the European Union since its adoption in November 2009. It aims to give users control over how cookies are used on the websites they visit, by requiring their consent before cookies are copied onto their device. In this post we will see what this directive actually says and how it is implemented in local laws, focusing on the United Kingdom, France, Spain and Portugal.

European directive 2009/136/EC

What does it say?

Dated November 25, 2009, the directive 2009/136/EC (pdf) amends two other directives regarding users' rights relating to electronic communications networks and services (Directive 2002/22/EC) and the processing of personal data and the protection of privacy in the electronic communications sector (Directive 2002/58/EC).

We are concerned here with recital 66:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application.

What is a cookie?

A cookie is a small piece of data sent by a website and stored in the user's web browser while the user is browsing that website. It can be retrieved during the same session or during later visits to the same website, even far in the future.

Different types of cookies exist: the session cookie (kept only for the duration of a session, i.e. one visit to a website), the persistent or tracking cookie (used to store data between sessions), the secure cookie (only sent over an HTTPS-encrypted connection, hence encrypted in transit), the HttpOnly cookie (only transmitted within HTTP(S) requests), the third-party cookie (set by a domain other than the visited website, to track the user's browsing history), and the zombie cookie (virtually impossible to delete, as it uses storage mechanisms other than regular cookies: HTTP ETag, Flash, PNG, Silverlight…).
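As an added illustration that is not part of the original post, the following Python helper classifies Set-Cookie response headers along the cookie types listed above (session or persistent, Secure, HttpOnly, first- or third-party) and flags the cookies that a consent mechanism would have to cover; the site host and the sample headers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # Expires or a positive Max-Age: survives the browser session
    secure: bool       # Secure attribute: only sent over HTTPS
    http_only: bool    # HttpOnly attribute: not exposed to client-side scripts
    third_party: bool  # Domain attribute names a domain other than the visited site


def classify_set_cookie(header: str, site_host: str) -> CookieInfo:
    """Classify one Set-Cookie header value along the cookie types described above."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    max_age = attrs.get("max-age")
    # Max-Age <= 0 tells the browser to delete the cookie, so it is not persistent
    positive_max_age = max_age is not None and max_age.isdigit() and int(max_age) > 0
    persistent = "expires" in attrs or positive_max_age
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = site_host.lower()
    # first-party when Domain is absent, equals the host, or is a parent domain of it
    third_party = bool(domain) and not (host == domain or host.endswith("." + domain))
    return CookieInfo(name, persistent, "secure" in attrs, "httponly" in attrs, third_party)


def needs_consent_review(cookie: CookieInfo) -> bool:
    """True when a consent mechanism must cover this cookie. The directive exempts only
    cookies strictly necessary for a service the user requested, which is a question of
    purpose that headers cannot answer: anything persistent or third-party is flagged,
    while session first-party cookies are left for a manual purpose check."""
    return cookie.persistent or cookie.third_party


# Constructed sample: headers as a hypothetical shop site might send them
SITE_HOST = "shop.example"
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Max-Age=31536000; Path=/",
    "_track=xyz; Domain=.ads.example; Expires=Wed, 30 Sep 2015 12:00:00 GMT",
    "tmp=1; Max-Age=0; Path=/",
]


def audit(headers=SAMPLE_HEADERS, site_host=SITE_HOST) -> dict:
    """Map each cookie name to True when it needs consent review."""
    return {c.name: needs_consent_review(c)
            for c in (classify_set_cookie(h, site_host) for h in headers)}
```

Running `audit()` on the sample flags `prefs` (persistent) and `_track` (persistent and third-party), while `sid` and the deletion cookie `tmp` are left for a purpose check.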

What is that directive aimed at?

Any web user, starting with you and me, should be free to share personal data with any company or organization if he wishes, and only if he wishes. By merely surfing the internet, we are tracked by hundreds of different companies that build profiles of our habits. Those profiles are the data they use to serve us targeted ads through behavioral targeting, or to sell to marketers.

This is where retargeting comes into play. For example, you visit a shoe seller's website, and two days later, on another site about, say, cars, you get a shoe ad. It is quite likely that an advertising company (Google AdSense or another one) tracked you from the first site to the second to retarget you with a product you had previously been exposed to.

Furthermore, the profile built from your footprints on the web is also tracked if you belong to a social network. Each time you encounter a sharing button (whether it is a Facebook Like, a Twitter or a Google+ button), whether or not you are still logged in to your network, the social network knows where you are and adds this page to the navigation history it keeps on you.

The principle to remember here is this: if a product is free, you are the product.

In its Opinion 2/2010 on online behavioural advertising (pdf), the Article 29 Working Party states that behavioural advertising (…) must not be carried out at the expense of individuals' rights to privacy and data protection. It then draws the legal framework and details the obligation to obtain prior informed consent.

Implementation of European directive in local laws

As of September 2012, most European countries have already implemented the European directive in their local laws, including Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, the Netherlands, Romania, Slovakia, Spain, Sweden, and the United Kingdom. Poland and Portugal are yet to implement the directive, although law proposals have been filed (sources: Two birds, Field Fisher Waterhouse).

Let's dive into three countries' implementations: United Kingdom, France and Spain.

United Kingdom: the ePrivacy Directive

As the 2003 Regulations already implemented a European Directive (2002/58/EC) concerned with the protection of privacy in the electronic communications sector, the implementation of the new Directive 2009/136/EC took the form of a change to Article 5(3) of the E-Privacy Directive. The UK introduced the amendments on May 25, 2011 through The Privacy and Electronic Communications (EC Directive) Regulations 2011, an amendment known as the “cookie amendment”, whose amended text reads:
Member States shall ensure that storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
As we can see, their approach has been to directly copy out the wording of the provision and to refer to elements of the wording of Recital 66, which considers that browser settings may give consumers a way to indicate their consent to cookies:
Where it is technically possible and effective (…) the user's consent to processing may be expressed by using the appropriate settings of a browser or other application
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) states that:
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the [following] requirements are met:
  • The subscriber or user of that terminal equipment is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.
However, there is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The Information Commissioner's Office (ICO) offers a Guidance on the rules on use of cookies and similar technologies (pdf) to help organisations implement the rules and comply with the law.

In theory, the ICO is able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. Hence, from May 26th 2012, sites for any organization based within the UK (even if their site is hosted overseas) must seek consent to store cookies on a user's computer, or device, as failure to comply could result in a fine up to £500,000.

In practice, though, the ICO is now “considering complaints about cookies in line with its normal approach to complaint handling under the Regulations. This will involve in most cases contacting the organisation responsible for setting the cookies in the first instance and asking them to respond to the complaint and explain what steps they have taken to comply with these rules.”

As long as you have taken “sensible, measured action to move to compliance”, there seems to be nothing to be afraid of. In their own words: “monetary penalties will be reserved for the most serious of breaches of the Regulations.”

France: the Paquet Télécom

The implementation of that European directive in French law took place on August 24, 2011 in the ordinance n°2011-1012 relating to electronic communications (in French). Its article 37 specifies that:
Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has been already informed, by the person in charge of the processing or his representative:
  • of the purpose of any action tending to access, by way of electronic transmission, information already stored in his or her electronic communications terminal equipment, or to store information in this equipment
  • of the means at his or her disposal to oppose it
These access or inscriptions can take place only if the subscriber or the individual user has expressed, after having received this information, his or her consent which may result from appropriate parameters of the connection device or any other device under his or her control.
These provisions are not applicable if the access to the information stored or the registration of the information in the terminal equipment of the user:
  • either has the sole purpose of enabling or facilitating communication by electronic means
  • or is strictly necessary for providing an online communication service at the express request of the user.
Therefore, the user must be informed before the cookie is stored, and his or her consent is required. The term cookie is used in a broad sense and includes any technique that stores data on the client side.

The CNIL (Commission Nationale de l'Informatique et des Libertés, or National Commission on Informatics and Liberties), the independent French administrative authority whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data, exempts audience-measurement cookies from prior consent, under certain conditions (information, right of access and of opposition, limited purpose, geolocation by IP no finer than city level, limited storage life).

The penalties incurred in case of non-compliance with this law can be up to 300,000 euros, but “in case of a complaint or an inspection, the Commission will take into account the efforts undertaken by the person in charge of the processing to achieve compliance” (source CNIL, in French).

Spain: the ley de las cookies

The implementation of that directive in Spain has been done through the Royal Decree-Law 13/2012 (pdf, in Spanish), of March 30, 2012, which states:
Ultimately, several articles of Law 34/2002 of July 11 on information society and electronic commerce services are amended in order to adapt their rules to the new wording given by Directive 2009/136/CE to Directive 2002/58/CE of the European Parliament and Council of July 12, 2002, concerning the processing of personal data and the protection of privacy in the field of electronic communications; the new wording of its article 22.2 requires user consent for the files or computer programs (such as the so-called “cookies”) that store information in the user's equipment and allow it to be accessed. These devices can facilitate web browsing, but their use might reveal aspects of the users' private sphere, so it is important that users are adequately informed and have mechanisms that allow them to preserve their privacy.
Thus, article 22.2 (page 26947) of Law 34/2002 of July 11 on Information Society and Electronic Commerce Services (or LSSI-CE) became:
Service providers can use storage and data retrieval devices in recipients' terminal equipment, provided that the recipients have given their consent after having been provided with clear and complete information about their use, in particular about the purposes of data processing, in accordance with the Organic Law on Personal Data Protection 15/1999 of December 13.

Where technically possible and effective, the recipient's consent to the data processing may be given by using the appropriate settings of the browser or other applications, provided that he or she configures them during installation or upgrade through an action expressly taken for this purpose.

This shall not prevent any storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the strictly necessary extent, for the provision of an information society service explicitly requested by the recipient.
With the new legislation, each website must inform its users of the use that will be made of the information collected through cookies, giving them the opportunity to accept it or not. The tacit consent (opt-out) of the previous law is replaced by informed consent (opt-in).

Nevertheless, the amendment of the law has not led to the incorporation of a penalty: failure to obtain consent for the use of cookies cannot be sanctioned (well, for the moment, source in Spanish).

Portugal: the lei dos cookies

As published in the Diário da República on August 29, 2012 (pdf, in Portuguese), Article 5 states that:
The information storage and the possibility of access to the stored information on the terminal equipment of a subscriber or user are allowed only if they have given their prior consent, based on clear and comprehensive information under the Law of Protection of Personal Data, particularly with regard to the objectives of processing.
Thus, in Portugal too, the cookies directive insists on the prior consent of the users.

Conclusion

As we have seen, most European countries have already implemented the 2009/136/EC directive, and the rest are soon to follow. Nevertheless, some issues are still pending regarding the technical solutions to set up, and the sanctions incurred for not complying with the law.

The question of websites hosted outside of the European Union also remains to be answered. Could a country, or even the whole Union, ban Google AdSense or Facebook for not complying with its local laws when most government sites are themselves still far from compliant?

In a follow-up post, we will look at the solutions that can be set up to comply with the Cookie Directive.

Image source: Veggieburgerfan via Wikimedia Commons


La loi européenne sur les cookies (in French)
La ley europea de las cookies (in Spanish)
A lei europeia dos cookies (in Portuguese)
