Saturday 14 January 2012

Cookies: Commission indicates unease at the current rules

If you read the responses that a couple of the Directorate Generals have made in opposing the Commission’s proposals for a new data protection Directive, you can sense that they’ve just realised how hard it might be for everyone to make sense of the current cookie rules, and how much worse the situation could become should the Commission get its way with its new proposals.

We’re all busy people, so I’ll just sketch out the high level argument in this blog. The details can be fleshed out by those who really like getting immersed in the legal bumf. All I want to focus on today is the basic issue.

The argument is that the ePrivacy Directive threatens legitimate on-line business, and that it does so by requiring the categorisation of cookies into particular types, only one of which (the “strictly necessary” type) can be deployed without first having to obtain the consent of the user. If you believe what you read in the leaked Inter service consultation document, the Commission now proposes to compound difficulties by tightening up the definition of “consent” and by preventing people under the age of 18 from giving consent themselves (since only grown-ups are considered capable of giving this type of consent).

If you read the DG Markt comments, for example, you will learn that:

• “Web analytics used for site optimization and variation testing is an essential part of e-commerce operations. It is likely that under the explicit and specific consent regime a large majority of site visitors would not accept any cookies, giving websites a massively reduced statistical basis on which to make site optimization decisions;
• A trader should be able to promote products which are relevant to a recent purchase the customer has made, without having to ask for “consent” each time when he would have to address the customer. Traders often stress the fact that reconfirming the consent of customers can be 10 times more expensive than the retention of an existing consent. This is a cost many businesses will not afford; especially since consent, extended to all categories of data, will in fact increase the amount of data collected and the costs for data controllers;
• Explicitly removing the less explicit context-based means of obtaining consent is likely to ensure that fewer users agree to harmless forms of data processing, with a negative impact on the performance of e-commerce operators and the availability of free internet services.
• Further, there is an open question as to whether these proposed measures would affect the interpretation of the E-privacy Directive. At present, the cookie consent requirements ... can be satisfied by adequate browser (or other technologies) settings that might require affirmative opt-in consent to receive cookies and may in the future be satisfied by a “Do Not Track” or other setting. However, it would not be possible for a data controller to prove that a data subject consented to receive cookies or permit tracking through their browser or other indirect means of consent unless more privacy invasive tools were employed (such as identity encoded cookies).”

DG Markt is also concerned about the difficulties of obtaining consent:

“The data controller will need to bear the burden of proving that the data subject has given “explicit”, “affirmative”, consent for the processing of their personal data for the specific purposes for which the data was collected. This will in effect push companies and service providers to a registration model, or other business models that rely on identified or authenticated users. This will be:

• Potentially negative for privacy as it will lead more companies to request more and more personal data from users, held in databases, which will be more “invasive” of personal data and privacy than those presently required;
• Disproportionately costly in terms of compliance, with dubious benefit. Controllers will have to record the various consents and details such as: the time they were given, the purposes for which they were given and the identity of the individual who gave them.”

To say that this challenges the business models of internet-based companies such as Facebook is to put it mildly.

The criticism from DG Markt is pretty strong stuff. And it makes it all the more important that we try to implement the current cookie rules in a pragmatic and sensitive way. Otherwise, when the screws are tightened, as is inevitably foreseen by the Commission’s proposals, the “rules” will be ignored to an even greater extent than data controllers currently ignore the transborder data flow rules.

And this is why it’s so important that, at least in the UK, the Information Commissioner’s Office and the International Chamber of Commerce create guidance on implementing the cookie rules that can actually be implemented. The next meeting of the usual suspects will occur in a few weeks’ time, in central London. I hope to attend that meeting and, subsequently, to comment on any relevant developments.

DG Markt reply to CISNet – delai 20/12/2011 – Data Protection Reform consultation just.c3(2011) 1350739 bis de la DG JUST, p12

Situation wanted:

If all goes to plan, I will shortly be ceasing full-time employment with my current employer, and will have time on my hands to help others who need pragmatic data protection advice and support. Please let me know if you are aware of anything interesting on the horizon. I do prefer policy work to ticking boxes, but we all have our price!