Crumb of comfort on EU cookie rules

Keith Nuthall sums up the latest developments in the saga of EU plans to restrict cookies

Keith Nuthall sums up the latest developments in the saga of EU plans to restrict cookies

Last week a political deal was struck in Brussels on the shape of European Union cookie legislation. The result, in footballing terms, was a win to the lawyers over the IT industry.

The proposed legislation sought to limit the use of Internet cookies, which allow e-commerce sites to recognise their customers and provide personalised service, to protect consumer privacy.

On the plus side, the anti-cookie proposals of the Council of Ministers, (which represents the EU member states and shares the right of veto with the European Parliament), have been softened, which should give some breathing space to the EU's hard-pressed Net industry.

On the downside, however, the compromise approved by the European Parliament to the proposed "directive on processing of personal data and protection of privacy in the electronic communications sector" is pretty woolly, and so open to legal interpretation that Internet service provider body EuroISPA predicts "there will definitely be arguments down the way".

These arguments will not just focus on the new regulation but also on how the cookie rules mesh with the existing EU data protection directive.

The new rules are also embodied in a directive, a kind of EU legislation that gives national regulatory authorities a degree of leeway in how they implement it. As a result, said EuroISPA's regulatory affairs director Joe McNamee, "It's going to boil down to what national authorities consider appropriate."

With 15 authorities available we can expect a good deal of inconsistency in national cookie regulation over the next few years, until a sensible model of good practice is thrashed out, possibly by an EU technical committee set up by the old data protection directive.

Earlier this year, the Council of Ministers - acting, some would say, without regard for the technological implications - upset the cookie applecart by inserting a rule saying that cookies should only be served "on condition that the subscriber or user concerned receives, in advance, clear and comprehensive information about the purposes of the processing and is offered the right to refuse such processing by the data controller."

This caused alarm in the EU-based Internet industry and e-commerce operations, which sweated at the prospect of being forced to adapt programmes so that Web visitors were offered a chance to block cookies every time they could be served - in some instances, that would be every time they visited a page.

Apart from the expense, such online red tape could hardly be said to improve the European Internet experience for users, throwing another spoke into the wheel of Brussels' much-vaunted and recently updated "eEurope" programme.

Robin Jezek, of industry group the Interactive Advertising Bureau, said, "It would be expensive. It would be a bit of a nightmare."

Whether he will still be having bad dreams about the amended rule is open to question. MEPs changed just three words. The relevant phrase now requires that the subscriber or user concerned "is provided with clear and comprehensive information".

A key victory here is the removal of the duty to offer users the right to block cookie-serving in advance.

McNamee said, "It's not in advance, which is a key difference. We wanted it removed and it has been."

However, MEPs did not adjust the legislation to account for the existence of cookie-blocking tools which can protect consumers concerned about privacy online.

Internet groups had lobbied for this to be required - such tools are available on the latest version of Microsoft's Internet Explorer. ISPs and other Internet companies could then have argued that the technological means to abide by the new law were already in place.

But that is not going to be the case and the argument will continue. For the time being, debates will be held in Brussels.

Although the amendments were designed to bend towards the views of the Council of Ministers, with the chairman of the Citizens' Freedoms and Rights, Justice and Home Affairs, Ana Palacio Vallelersundi, proposing the new cookie amendment in close consultation with her Spanish government (which holds the presidency of the EU until next month) there is no guarantee that they will survive unscathed.

The proposal will have to return to the council for final approval and if there are enough dissenting voices it will be referred to a conciliation committee representing both member states and the parliament.

That committee would have to frame a deal, which would take six weeks or so. In the unlikely event of it not doing so, then the whole proposal would fail and all the EU institutions would go back to the drawing board.

Because of the importance of this legislation to the EU's much-battered e-commerce industry, this is hard to imagine. After all, this planned directive is not just about cookies.

A deal also was done at the parliament last week on its rules affecting spam, another bugbear of privacy activists, with MEPs leaving untouched the council's so-called "soft", opt-in position, where unsolicited e-mail is essentially banned from EU-based companies.

Henceforth, (assuming the legislation is approved), consumers will have to be offered a free-and-easy method to stop Internet companies whose sites they have visited from sending them commercial messages in their e-mail.

Also, there was an agreement on another hot potato: data retention. Here the compromise says that member states may only lift the protection of data privacy in order to conduct criminal investigations or safeguard national or public security, when this is a "necessary, appropriate and proportionate measure within a democratic society".

All of this soul-searching will, of course, be irrelevant to the many Internet companies and sites whose servers and legal offices are based outside the EU, (which includes companies registered in the Isle of Man, Jersey, Guernsey and, of course, the US). This fact gives weight to the argument that EU companies will be put at a disadvantage by heavy regulation in what is, by definition, a global marketplace.

Supporters of tighter privacy laws talk of Brussels blazing a trail in the industry, but you do not have to be a cynic to be sceptical about such talk.

Indeed any move towards what the European business association the Union of Industrial and Employers' Confederations of Europe fears is an indiscriminate ban on cookies, would, it has been claimed, "shy off consumers and harm business". Whether the new compromise hatched in the European Parliament meets this test is open to question.

Jim Murray, director of the European consumer association BEUC, told EU newswire that he was sceptical about whether cookie technology can be reconciled with all this data protection legislation.

Read more on IT risk management