Out-Law News 6 min. read

EU privacy watchdogs contradict UK position on cookie consent


EU data protection watchdogs have contradicted UK regulations on the use of cookies, advising the European Commission to specify that user consent must be obtained before cookies are used.

Countries were expected to adopt changes to the EU's E-Privacy Directive by 26 May this year that affected the legal position of website publishers in relation to cookies. The Information Commissioner's Office (ICO) published guidance on how new UK laws should work and the Government said that consent for cookie use did not have to happen before cookies were used.

But  the European committee of national data protection regulators, the Article 29 Working Party, has now published its view of what 'consent' should mean in EU data protection laws. Currently the E-Privacy Directive takes its definition of consent from the EU Data Protection Directive.

Its opinion (38-page / 207KB PDF), which it hopes will be adopted by the European Commission in its planned revision of the Data Protection Directive, is that 'prior' consent must be received to make cookie use legal.

The UK Government has told businesses that consent can come after processing has begun.

A proposed text of the E-Privacy Directive had called for 'prior consent' but this was removed during negotiation, according to an open letter published by culture minister Ed Vaizey in May.

"The word 'prior' does not occur in Article 5(3) of the [E-Privacy] Directive, and it therefore does not appear in the UK transposition," said Vaizey in his letter. "Crucially, there is no indication in the definition as to when that consent may be given, and so it is possible that consent may be given after or during processing."

But this week's Working Party guidance contradicts the UK Government's view.

"While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision," the guidance says. "It makes good sense for consent to be obtained prior to the starting of the data processing. Otherwise, the processing carried out during the period of time from the moment the processing had started until the moment that consent had been obtained would be unlawful because of lack of legal ground. Furthermore, in such cases, if the individual decided against consenting, any data processing that had already taken place would be unlawful for that reason as well."

A technology law expert has said that the result of the conflict could be even more guidance for businesses.

"It seems likely that further guidance will now be necessary from the Government and ICO on this point," said Claire McCracken of Pinsent Masons, the law firm behind OUT-LAW.COM. "It will also be interesting to see what impact the opinion has on the greatly anticipated technical solution that the Government is currently working on now that there has been clarification of what 'consent' actually means."

The Privacy and Electronic Communications Directive, from which laws governing the use of cookies are drawn from, states that the meaning of 'consent' within provisions of those laws must derive from the original definitions given to the word in the Data Protection Directive.

The Data Protection Directive lays out the rules that organisations must follow to ensure they use personal data appropriately. That law provides that personal data may be processed if a person has given their unambiguous consent and that the consent is explicitly given.

The Article 29 Working Party said that proposed new EU data protection laws, which the European Commission is expected to outline later this year, should better define consent and its practical meaning.

"The notion of unambiguous consent is helpful for setting up a system that is not overly rigid but provides strong protection. While it has the potential to lead to a reasonable system, unfortunately, its meaning is often misunderstood or simply ignored," the Article 29 Working Party said in its opinion.

"The wording itself ('unambiguous') would benefit from further clarification as a part of the revision of the general data protection framework. Clarification should aim at emphasising that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent," the Working Party said.

The data protection watchdogs also called on EU lawmakers to ensure that data processing does not occur until individuals' consent is given. In a separate statement (1-page / 55KB PDF) the Working Party said this was applicable to social networking websites that use default settings to specify consent.

"It should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment ... Only consent that is based on statements or actions to signify agreement constitutes valid consent." the opinion said.

Organisations in charge of personal data must be able to prove they have obtained individuals' consent, the Working Party said.

"If the burden of proof is reinforced so that data controllers are required to demonstrate that they have effectively obtained the consent of the data subject, they will be compelled to put in place standard practices and mechanisms to seek and prove unambiguous consent," the Article 29 Working Party opinion said.

"The type of mechanisms will depend on the context and should take into account the facts and circumstances of the processing, more particularly its risks," it said.

Organisations should not be required to obtain explicit consent for every kind of personal data processing, the Working Party said. Unambiguous consent, covering explicitly given consent and consent determined by clear actions should be the standard of consent organisations need to achieve, it said.

"This choice gives more flexibility to data controllers to collect consent and the overall procedure may be quicker and more user friendly," the Working Party said.

A clause that sets out individuals' right to withdraw consent to having their personal data processed should also be included in new data protection laws, the Working Party said.

The laws should also state that individuals must have access to clear information about how their personal data may be used in order to make informed decisions about whether they consent, it said.

Specific requirements for children and other people who do not have the legal capacity to signal consent should also be written into the new laws, the Working Party said.

The UK's representative on the Article 29 Working Party committee told OUT-LAW that the proposed changes to the way consent is defined in EU data protection laws would also have an impact on cookie consent if adopted.

"The general principles do apply equally to consent under the Privacy and Electronic Communications Directive", David Smith, Deputy Information Commissioner and UK representative on the Article 29 Working Party committee told OUT-LAW.

The E-Privacy Directive says that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The Directive was implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.

The Information Commissioner's Office (ICO) has previously issued guidance on how website owners can comply with this requirement, but it has left it up to individual companies to choose methods they believe comply with the laws.

Earlier this week the European Commission said it had taken the first legal steps against countries that had not implemented new telecoms laws. The laws, including the Privacy and Electronic Communications Directive, had to be introduced into national laws by 25 May.

The Commission has written to 20 of the 27 EU countries asking them for their views on any infringements they may have made by not enacting the laws.

In June EU Commissioner Neelie Kroes said that only five EU countries, including the UK, had fully implemented the Privacy and Electronic Communication Directive's requirements and warned the Commission would use its "full powers" to force countries that had not complied to act.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.