An amendment to an EU privacy directive was voted through by the Council of the EU on October 26th, and now awaits simple formalities before it comes into force. EU member states must then interpret and implement the directive through local laws by April 26th 2011 at the latest.
The EDPS, the body responsible for EU institutions’ compliance with data protection laws, issued a press release yesterday stating, “nothing stands in the way for the ePrivacy Directive to enter into force. The formalities required for formal adoption will be undertaken in the coming weeks. The revised ePrivacy Directive, as amended by the European Parliament and adopted by the Council must be implemented by the Member States within 18 months.”
Struan Robertson, Legal Director at law firm Pinsent Masons, described the remaining formalities as a “rubber stamping exercise.”
The amended directive will now state that national governments must “ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information.”
Cookies without user consent would only be allowed when they are “strictly necessary” to provide a service “explicitly requested” by the user such as storing shopping cart information on e-commerce sites, for example.
The directive must now be interpreted and implemented by individual governments through local laws, but Robertson suggests any interpretation that attempts to avoid the issue of clear user consent would be an unlawful one. “There could be advantages for everyone if it is interpreted that way, but it would not accurately implement EU law,” he said. U.K. regulators, for example, reproduced the wording of the original 2002 directive faithfully in local law, and Robertson said he expects the same this time round.
However, IAB Europe Vice President Kimon Zorbas suggests that consent could be given through users’ browser settings in much the same way some users already manage their cookies. That might enable users to express consent permanently, eliminating the need for pop-ups and other disruptions to user experience the directive might cause.
Roberston suggests the directive was already intended to require consent for cookies, but that its wording enabled publishers and ad companies to comply by publishing details of cookie use in their privacy policies. “I suspect the motivation for this could be to correct ambiguity in the original directive,” he said.