Keith Nuthall sums up the latest developments in the saga of EU
plans to restrict cookies
Last week a political deal was struck in Brussels on the shape of
European Union cookie legislation. The result, in footballing
terms, was a win to the lawyers over the IT industry.
The proposed legislation sought to limit the use of Internet
cookies, which allow e-commerce sites to recognise their customers
and provide personalised service, to protect consumer privacy.
On the plus side, the anti-cookie proposals of the Council of
Ministers, (which represents the EU member states and shares the
right of veto with the European Parliament), have been softened,
which should give some breathing space to the EU's hard-pressed Net
industry.
On the downside, however, the compromise approved by the European
Parliament to the proposed "directive on processing of personal
data and protection of privacy in the electronic communications
sector" is pretty woolly, and so open to legal interpretation that
Internet service provider body EuroISPA predicts "there will
definitely be arguments down the way".
These arguments will not just focus on the new regulation but also
on how the cookie rules mesh with the existing EU data protection
directive.
The new rules are also embodied in a directive, a kind of EU
legislation that gives national regulatory authorities a degree of
leeway in how they implement it. As a result, said EuroISPA's
regulatory affairs director Joe McNamee, "It's going to boil down
to what national authorities consider appropriate."
With 15 authorities available we can expect a good deal of
inconsistency in national cookie regulation over the next few
years, until a sensible model of good practice is thrashed out,
possibly by an EU technical committee set up by the old data
protection directive.
Earlier this year, the Council of Ministers - acting, some would
say, without regard for the technological implications - upset the
cookie applecart by inserting a rule saying that cookies should
only be served "on condition that the subscriber or user concerned
receives, in advance, clear and comprehensive information about the
purposes of the processing and is offered the right to refuse such
processing by the data controller."
This caused alarm in the EU-based Internet industry and e-commerce
operations, which sweated at the prospect of being forced to adapt
programmes so that Web visitors were offered a chance to block
cookies every time they could be served - in some instances, that
would be every time they visited a page.
Apart from the expense, such online red tape could hardly be said
to improve the European Internet experience for users, throwing
another spoke into the wheel of Brussels' much-vaunted and recently
updated "eEurope" programme.
Robin Jezek, of industry group the Interactive Advertising Bureau,
said, "It would be expensive. It would be a bit of a
nightmare."
Whether he will still be having bad dreams about the amended rule
is open to question. MEPs changed just three words. The relevant
phrase now requires that the subscriber or user concerned "is
provided with clear and comprehensive information".
A key victory here is the removal of the duty to offer users the
right to block cookie-serving in advance.
McNamee said, "It's not in advance, which is a key difference. We
wanted it removed and it has been."
However, MEPs did not adjust the legislation to account for the
existence of cookie-blocking tools which can protect consumers
concerned about privacy online.
Internet groups had lobbied for this to be required - such tools
are available on the latest version of Microsoft's Internet
Explorer. ISPs and other Internet companies could then have argued
that the technological means to abide by the new law were already
in place.
But that is not going to be the case and the argument will
continue. For the time being, debates will be held in Brussels.
Although the amendments were designed to bend towards the views of
the Council of Ministers, with the chairman of the Citizens'
Freedoms and Rights, Justice and Home Affairs, Ana Palacio
Vallelersundi, proposing the new cookie amendment in close
consultation with her Spanish government (which holds the
presidency of the EU until next month) there is no guarantee that
they will survive unscathed.
The proposal will have to return to the council for final approval
and if there are enough dissenting voices it will be referred to a
conciliation committee representing both member states and the
parliament.
That committee would have to frame a deal, which would take six
weeks or so. In the unlikely event of it not doing so, then the
whole proposal would fail and all the EU institutions would go back
to the drawing board.
Because of the importance of this legislation to the EU's
much-battered e-commerce industry, this is hard to imagine. After
all, this planned directive is not just about cookies.
A deal also was done at the parliament last week on its rules
affecting spam, another bugbear of privacy activists, with MEPs
leaving untouched the council's so-called "soft", opt-in position,
where unsolicited e-mail is essentially banned from EU-based
companies.
Henceforth, (assuming the legislation is approved), consumers will
have to be offered a free-and-easy method to stop Internet
companies whose sites they have visited from sending them
commercial messages in their e-mail.
Also, there was an agreement on another hot potato: data retention.
Here the compromise says that member states may only lift the
protection of data privacy in order to conduct criminal
investigations or safeguard national or public security, when this
is a "necessary, appropriate and proportionate measure within a
democratic society".
All of this soul-searching will, of course, be irrelevant to the
many Internet companies and sites whose servers and legal offices
are based outside the EU, (which includes companies registered in
the Isle of Man, Jersey, Guernsey and, of course, the US). This
fact gives weight to the argument that EU companies will be put at
a disadvantage by heavy regulation in what is, by definition, a
global marketplace.
Supporters of tighter privacy laws talk of Brussels blazing a trail
in the industry, but you do not have to be a cynic to be sceptical
about such talk.
Indeed any move towards what the European business association the
Union of Industrial and Employers' Confederations of Europe fears
is an indiscriminate ban on cookies, would, it has been claimed,
"shy off consumers and harm business". Whether the new compromise
hatched in the European Parliament meets this test is open to
question.
Jim Murray, director of the European consumer association BEUC,
told EU newswire EurActiv.com that he was sceptical about whether
cookie technology can be reconciled with all this data protection
legislation.