Tuesday 12 June 2012

Cookies: Thank goodness we operate from ‘Blighty!

Not only can we Brits celebrate the Queen’s Diamond Jubilee, England’s (relative) success in the Euro 2012 Football Championships and the impending Olympics, we now have another reason to cheer.

Information Commissioner Christopher Graham was on sparking form when speaking to the assembled crowd at the Evidon Empower II summit in Central London today. In typical no-nonsense style, he set out to bust three “cookie myths” that had emerged, and left everyone impressed with his determination to apply fairness and common sense to a community that is in a pretty fragile state right now.

Christopher Graham only made one tactical mistake. Had he not have had to leave half way through the proceedings, he would almost certainly have been carried, shoulder high, around the audience to wild acclaim at the end of the event. Why? Because the audience was also treated to a view of the cookie conundrum from the perspective of German and French privacy regulators, and from a Dutch lawyer who spoke about the Dutch regulatory climate.

Believe me, ‘Blighty is the place to do data protection business in.

The German data protection regulators evidently can’t even decide if their Government has enacted a sufficiently wide cookie law – and they are so concerned about the matter that all 18 of them will hold a meeting in September (yes, in September) to consider the issue. Turning to the Netherlands, all Dutch webmasters are expected to comply (already) with a law that came into force last Tuesday, with (apparently) no period for reflection as to what it actually means. At least the Brits had a year to think about things before the ICO got tougher. And the French – well, let’s just be glad that British webmasters aren’t expected to take the steps evidently required by our chums at the CNIL.

Very tellingly, though, a CNIL official paid the ICO an extraordinary compliment, indicating that perhaps even they accept that French webmasters were likely to face significant compliance issues if they were to follow the letter of the French law: “If all of the companies in France followed even the ICO’s guidance, we would be very happy”. So, even our French chums are capable of displaying that touch of pragmatism that is so often necessary in data protection land.

Christopher Graham was on sparkling form when he put his (metaphorical) myth-busting pants on to slam allegations (1) that this cookie stuff is all the ICO’s fault, (2) that at the last minute the ICO changed its mind on the consent rules, and (3) that no-one takes any notice about cookies. All good stuff. He then dropped the bombshell that the Article 29 Working Party had, very recently, reached an agreement (yes, a unanimous agreement) as to which cookies, under certain conditions, can be placed without the requirement of informed consent. The opinion also gives guidelines for deciding whether a cookie is exempt from the principle of informed consent.

Personally, given the huge difference of views that those speaking for the French, German and Dutch regulators expressed, I’m looking forward to reading it to work out just what it is that everyone can agree on, for it does seem to be the case that there is a lot that regulators can’t quite agree on just yet. However, as I’m a “glass half full” rather than a “glass half empty” blogger, I want to celebrate the bright side of things.

Here is a link to the actual document, and the press release. Let me know what you think. It might just be one of those that really is worth reading!