Out-Law News 3 min. read

ICO makes the case for alternative to consent as basis for data processing under 'cookies' rules


The UK's Information Commissioner's Office (ICO) has urged EU policy makers to look at allowing website operators and advertisers to place 'cookies' on internet users' devices without first having to obtain their consent.

In response to a European Commission consultation on potential reforms to the EU's Privacy and Electronic Communications (e-Privacy) Directive, the ICO said the rules should be updated and "seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals".

"There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal," the ICO said (29-page / 136KB PDF).

The e-Privacy Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception to the consent requirements exists where the information stored, often in cookies, is "strictly necessary" for the provision of a service "explicitly requested" by the user.

The rules have meant that internet users are often now prompted by pop-up messages or banner notices on websites that highlight the potential tracking of their online activities through cookies.

In its consultation response the ICO also said that all forms of direct marketing via electronic communications should be subject to an opt-in consent requirement. Currently, some types of direct marketing activity can be carried out on an opt-out basis.

"There should be a harmonised opt-in approach with a clear set of rules which are easy for organisations to follow and for citizens to understand," the ICO said. "These should be consistent with provisions in the GDPR. In our view, the privacy implications of receiving unwanted telemarketing calls are at least as great – and arguably greater, particularly for some vulnerable people – than other channels which already require an opt-in (e.g electronic mail)."

Some social media communications should be considered subject to the e-Privacy rules on direct marketing, it said.

"The relevant considerations are likely to be different depending on the way the messages are communicated, whether via direct message or displayed on a newsfeed," the ICO said. "We do however consider that direct messages sent through social media should be opt-in."

The ICO criticised rules that place restrictions on the processing of location and traffic data by internet service providers and mobile network operators. It urged the provisions to be deleted as conditions on such data processing are "covered by the GDPR". The GDPR, or General Data Protection Regulation, is the EU's new broad data protection framework which and will come into effect in May 2018.

Some telecoms industry bodies have called for the EU's e-Privacy rules to be revoked. However, the ICO said specific EU-wide rules are necessary to ensure "an equivalent level of protection (full protection) across the EU regarding the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector".

However, the ICO said there is no "added value" in having "specific rules for the electronic communications" in relation to the notification of personal data breaches. It pointed to the fact that broad data breach notification rules will apply under the GDPR as the reason for its view. Telecoms companies are currently subject to separate data breach notification requirements under the e-Privacy framework.

Telecoms groups have previously raised concerns with the e-Privacy regime on the basis that they believe it places additional restrictions and regulatory burdens on them than rival communications providers that currently fall outside the scope of the Directive. So-called 'over-the-top service providers' (OTTs), like WhatsApp and Skype, are not classed as electronic communication network and service providers for the purposes of the rules.

The ICO said that while it does not think widening the scope of the e-Privacy rules to cover OTTs is a priority issue, it supports the broadening of the regime to account for OTTs "in-part".

Provisions relating to data security, confidentiality of communications, use of traffic and location data and unsolicited marketing should all apply to OTTs, but operators of private electronic communications networks and non-commercial Wi-Fi networks should not be subject to the e-Privacy regime, it said.

Updated e-Privacy rules should not force website operators to "make available a paying service (without behavioural advertising), as an alternative to the services paid by users' personal information", the ICO said. Nor should the new framework prohibit website operators from preventing users accessing their non-subscription based services where they "refuse the storing of identifiers in their terminal equipment".

The ICO said: "Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual."

The watchdog also said that the penalties regime for infringement of e-Privacy rules should not necessarily reflect that outlined under data protection laws since breaches do not always concern personal data. At the moment, the maximum fine for infringement, of £500,000, that can be issued under the UK's Privacy and Electronic Communications is the same as that which can be issued under the Data Protection Act.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.