EC website fails to comply with EU data privacy cookie law

As the UK starts enforcing EU rules on cookies, it emerges that the EC's own website does not comply with the data privacy legislation

As the UK enters the first week of enforcing European Union (EU) rules for use of cookies on websites, it has emerged that the website of the European Commission (EC) fails to comply with the data privacy legislation.

The UK cookie rule is based on an amendment to the EU's Privacy and Electronic Communications Directive that applies to all EU member states.

The directive requires all European websites to obtain users' opt-in consent first if they want to install pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties.

However, the EC's website has no automatic or homepage notification about cookies. Only if a visitor clicks on the "legal notice" link at the top or bottom of the page is there any information about cookies.

According to the information presented, visitors to the website "can control and/or delete cookies as you wish – for details, see"

Users can also delete cookies already on their computers and set browsers to block them being placed. But the site warns users that, if they do this, they may have to adjust some preferences manually every time they visit the EC's website.

This looks very much like the old-fashioned “opt-out” approach, according to Stewart Room, partner at law firm Field Fisher Waterhouse. 

"There’s no way this would satisfy the new consent rule," Room wrote in a blog post.

According to Room, a visit to the Article 29 Working Party, the EU body made up of the national data protection regulators, yields the same result.

The European Data Protection Supervisor has been one of the most vocal critics of bad data protection, but there is nothing about cookies on his official website.

From there visitors can enter the legal notice where, according to Room, there is the following wording about cookies:

"The EDPS website uses two session cookies which are essential for the website to operate. The first cookie contains the username ‘guest’ used by each visitor on the site and the second cookie contains a hash key to allow the server to bind the visitor to the session on the server. Both session cookies are deleted when the visitor closes his internet browser."

The entities that have delivered cookie obligations for all of us, said Room, do not live by their own ideals.
