In October 2009 the European Commission adopted the Citizens Rights Directive, part of the reform package for the regulation of the electronic communications sector. The Citizens Rights Directive amends the E-Privacy Directive 2002, coming into force in May 2011. It contains many innovations, including new rules for data security and breach disclosure.
The directive also amends the rules about the confidentiality of communications. In particular, it has introduced new requirements governing the storage of information on people's terminal equipment and how this information is accessed:
"Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing."
These new rules focus in particular on the dropping of cookies onto our equipment. This will only be lawful if the service provider has the subscriber's or user's consent. For consent to be valid, it must be freely given, specific and informed, which are the benchmarks established by the Data Protection Directive.
The EU's Article 29 Working Party, which is made up of the national data protection regulators and other officials, issued an opinion on cookies and the consent issue earlier in 2010, observing that the new rules will not be satisfied by default browser settings, bulk consents, web user inactivity or the use of opt-outs. Critical elements within the opinion are:
- The settings of most web browsers default to the acceptance of cookies.
- 'Average' web users do not understand how to change their browser settings.
- Some cookies are able to bypass the browser settings through their capability to "respawn", with Flash cookies being singled out for criticism.
- The acceptance of cookies via a deliberate, but one-off, adjustment of the browser settings cannot mean that the web user will be able to anticipate or understand how their data will be used in the future.
- Opt-outs falsely assume the web user will fully understand what is happening to their data.
- Opt-outs operate through the web user's non-reaction, rather than their reaction to processing.
Critics of the directive
These changes are highly controversial and hotly debated. Service providers are deeply troubled that regulators and courts may require them to gain consent every single time a cookie is dropped, which may not be practical. Some fear that a strict regulatory approach will stifle growth in electronic commerce in Europe. Others suggest that an overly "pro-privacy" approach will actually damage users' enjoyment of the online environment. Others say that it is wrong for the law to take a different path from the one the technology itself has already settled on.
The UK is currently undertaking a public consultation on the implementation of the Citizens Rights Directive, led by the Department for Business, Innovation and Skills. Tellingly, the consultation document offered no real solutions to the challenges posed by the new rules, although it did express sympathy with some of the concerns just mentioned:
"The internet as we know it today would be impossible without the use of these cookies. Many of the most popular websites and services would be unusable or severely restricted and so it is important that this provision is not implemented in a way which would damage the experience of UK internet users or place a burden on UK and EU companies that use the web."
Location, location, location
So, where are we heading with all of this? To some extent, the answer depends upon the jurisdiction in which you are doing business. For example, if you are dropping cookies on to terminal equipment in the UK you might be justified in thinking that you will get a more "pro-business" response from the regulator here than you would in, say, Germany; the likelihood is that businesses will continue to experience variances in regulatory attitudes and practices.
From a legal perspective, the debate may well turn on the question whether the cookie is "necessary" for the delivery of the web service, because the Citizens Rights Directive recognises that consent will not be required in such circumstances; as a lawyer who specialises in defending organisations from regulators, I regard this as a critical safe harbour for data controllers, as it identifies a battleground - the meaning of "necessity" - that regulators will be reluctant to enter, through fear of loss and the precedents that will set.