Out-Law News

Browser setting rules could be dropped from new e-Privacy Regulation


Plans to force web browser providers to ask users to set their privacy preferences could be scrapped, according to proposals under consideration by EU law makers.

The European Commission had set out plans to require web browsers, and other providers of software that permit electronic communications, to inform users of their options to "prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment", and to require those users to select a particular privacy setting at the point of installation and thereafter when new privacy options are made available.

However, the Austrian presidency of the Council of Ministers has now proposed to remove those provisions from the new e-Privacy Regulation that is being developed.

The Austrian presidency said the original proposals had "raised a lot of concerns". These related to "the burden for browsers and apps, the competition aspect, the link to fines for non-compliance but also the impact on end-users and the ability of this provision to address e.g. the issue of consent fatigue", it said. This cast the value of the provisions into doubt, it said.

Rachel Forbes, a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said most websites in the digital age use cookies in more than a merely functional capacity and that obtaining consent has become a real issue, particularly with the increased standard of consent codified recently by the GDPR.

"In a perfect world, consent would be obtained for each individual non-essential cookie, but for some businesses who have lots of cookies on their website(s) this is extremely unpractical and it also means a very interrupted, non-friendly customer/end-user journey, which is neither commercial nor practical," Forbes said. "We are therefore seeing an 'all or nothing' approach being adopted, with increased transparency within policies of what cookies actually do."

"Businesses are going to have to be much more switched on on the technical side to make sure they don’t place cookies in the first place, before the end-user has agreed to it. This isn’t anything new, but the increased fine regime under the GDPR – set to be matched by the new e-Privacy Regulation – has everyone revisiting and worrying about the consequences of non-compliance," she said.

"The original proposal for browser settings would not have solved the problem – in fact it would have been possibly non-compliant itself. How can it be said that an end-user who made a choice five years ago in a browser, wants to be tracked from website to website five years later, when technology has evolved? It doesn’t sound particularly 'informed' – one of the key components of valid consent," Forbes said.

"The e-Privacy Regulation and GDPR need to be looked at as one consolidated piece of law, not two separate pieces of legislation. They should complement not contradict one another," she said.

The Austrian presidency also set out revised plans in relation to 'cookie walls'. The term relates to instances where website and mobile app operators prevent consumers from accessing their services unless they agree to the collection and use of their personal data.

The European Commission proposed to restrict the cases where the use of cookie walls would be permitted, but the Austrian presidency suggested amendments that would give more scope for using them for anti-fraud, security or statistical purposes. It also said businesses using cookie walls may be able to do so legitimately under the proposed new e-Privacy regime, provided that they give users a choice to use the services with or without their data being collected through cookies.

Forbes said that this further highlights the need for the GDPR and e-Privacy regime to work in harmony.

"It cannot be possible that the GDPR and associated ICO guidance says that consent cannot be fettered, yet here we are saying that cookie walls are permissible," Forbes said. "Another cornerstone of valid consent is the need for it to be 'freely given'. Trading personal data for access to services is not free – there is a clear imbalance of power. I understand that it would be useful to use cookie walls for anti-fraud and security purposes, but it may be better, and easier and more understandable, to change the scope of these cookies to a cookie not requiring consent."

Further plans to loosen planned restrictions on the processing of electronic communication metadata were also outlined by the Austrian presidency. The plans were set for consideration by representatives of the governments of the countries from across the EU on Monday.

The Austrian presidency's proposals (25-page / 139KB PDF) were published by the Internet Association of Privacy Professionals (IAPP).
