Tuesday 18 June 2013

The European Commission’s chaotic cookie compliance culture

Journalists always like to hammer the odd nail into the European Commission’s data protection credibility coffin. This week, we learn from a “EurActiv Exclusive” the extent to which the European Commission is ignoring the cookie requirements and is evidently tracking users of its websites.

Journalists have discovered that “the European Commission’s homepage sets cookies to store information on surveys – which are not essential to the operation of its website – and technically they should warn about keeping the data.” Also: “users browsing the Commission’s EURES homepage are tracked by Google Analytics without warnings, in clear breach of the current data protection rules.”  

European Data Protection Supervisor Peter Hustinx is evidently aware of the problem and his officials are currently preparing new guidelines for the EU institutions about tracking and cookies on websites. Quite why his officials have not managed to update their guidance before now is not clear. 

The direction of travel on cookies has been very clear since November 2009, when an obscure MEP inserted the cookie rules into a telecommunications package that was implemented in the UK by means of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, [SI 2011 No 1208]. If the cookie rules were devised to deal with the legacy of the great Phorm debacle (and I won’t trouble readers with a learned explanation on the merits of that initiative), then it means that a mighty sledgehammer was created to crack a pretty small nut.

Leaving that aside, is 4 years enough notice for the European Commission to implement its own rules? 

Evidently not.

Still, if Dave Evans, the ICO’s former cookie captain, has any spare time on his hands as he leaves the ICO and joins Swiss Re as their new Data Protection Officer, perhaps he might be available to explain to these Commission bods what needs to be done to comply with European laws.

Does it really matter that the Commission's institutions can’t fully comply with European laws?

In one sense, their failure to treat the cookie requirements seriously sends a strong message to the data protection community. If privacy officers need leadership on the cookie question, they had better not look in their direction.

The trouble is, however, that these institutions should not have the luxury of choosing which laws to implement. Yes, the cookie laws are silly, so there’s not a lot of harm done by not implementing them. 

But, if the Commission (and its associated institutions) can’t be bothered to fully implement the current laws, then why should the Commissioners be accorded much credibility when they announce that the current Data Protection Directive needs urgent overhaul and it is really important that there should be agreement on a new legal instrument by 2014? 

The more important task for Peter Hustinx is to reassert his credibility among journalists as an effective regulator, when the European institutions he is supposed to supervise treat issues like cookie compliance with this degree of reverence.