The ePrivacy Directive has been in force since 2002, with a major amendment in 2009. It deals with the regulation of cookies only marginally in its Art. 5(3):
"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
Currently, this is the "EU cookie law". However, member states may have implemented this provision slightly differently in their domestic laws. In practice, controllers need to rely on the domestic cookie laws and not directly on the EU cookie law. Such is the nature of a directive.
Following the adoption of the GDPR, a number of problematic issues started to arise concerning this provision. The three key issues in this context are:
Is consent needed for analytics and marketing cookies used by Google Analytics and Facebook?
Is it possible to use web browser settings to obtain consent?
Can any analytics be regarded as necessary to provide the information society service?
In addition, answers to these questions may be changed by the new ePrivacy Regulation, which the German Presidency of the EU Council will have a good chance to adopt in the first half of 2020. The ePrivacy Regulation drafts elaborate on the idea of a consent exemption for “web audience measuring” or “audience measuring”. However, it is unclear whether and to what extent this exemption would also cover the services in question. The first draft of the ePrivacy Regulation also worked with a provision for specific settings of web browsers and similar programs through which consent could be obtained.
Is consent needed for analytics and marketing cookies used by Google Analytics and Facebook?
Mostly yes, but not always
Is it possible to use web browser settings to obtain consent?
Not at the moment, yes in the future
Not possible at all
Not possible at all
Can any analytics be regarded as necessary to provide the information society service?
Some (limited) analytics yes
In Slovakia, we do not have any practice or opinions of the regulator, which is the Regulatory Authority for Electronic Communications and Postal Services. Moreover, under the explicit wording of Section 73 of the Electronic Communications Act, no sanction is available for a violation of Section 55 (5) (the cookie provision), even though according to the ePrivacy Directive there should be.
However, in our opinion the Slovak Data Protection Authority may indirectly monitor and penalize non-compliance with the provision through the basic principles of personal data processing under GDPR, which should also apply if personal data are processed via cookies. However, this would be a very bold approach by the supervisory authority.
Of course, this does not mean that nothing needs to be done. First of all, it is necessary to become familiar with the issue and regulation of cookies and subsequently analyze (knowing the legal framework) how cookies and cookie-like technologies are used in practice. Only then can the impact of the ePrivacy Regulation be addressed.
Based on the above, we have decided to prepare a detailed Cookies Memorandum for our clients in which we try to answer the following questions:
What are cookies?
What is the legal regulation of cookies?
Are cookies personal data?
What is the relationship between the ePrivacy Directive and GDPR?
What are the legal bases for cookie processing?
What is an information society service?
Can web browser settings be considered consent under GDPR?
What are the so-called "cookie walls" and what is their legal regime?
How to fulfill the information obligation when processing cookies?
What changes can be brought by the ePrivacy Regulation?
How to prepare and move forward?
Our 23-page memorandum also includes an executive summary of the answers to all the questions above. The memorandum is based on the legal status as of August 31, 2019, and we plan to update it regularly as newer guidelines and the ePrivacy Regulation arrive. We spent almost 60 hours preparing the memorandum, but since we offer it to all clients and the public, its price is symbolic.
If you are interested in receiving the memorandum, please let us know.
Each of us can become a victim of a hacker attack. However, the fulfillment of remediation, notification and documentation obligations under the GDPR doesn't mean the end of the case itself. What usually follows is the establishment of liability. Although the courts will work with classic legal instruments during this process, their application may be complicated by a legal regulation that is still relatively new for the courts: the GDPR. In a series of blogs, we will follow Case C-340/21 before the CJEU, which may develop this area further.
The United States adopted the so-called CLOUD Act in March 2019, with the term “CLOUD” actually (and ironically) referring to “Clarifying Lawful Overseas Use of Data.” The CLOUD Act represents an amendment to the United States Code to improve law enforcement access to data stored across borders, and for other purposes, reflecting the latest case-law development in the United States (Microsoft case).