EDPS Takes a Tough Line on EU Cookie Law

I have been reading the text of a speech given by Peter Hustinx the European Data Protection Supervisor today, and his interpretation of the EU Cookie Directive will raise some concerns in some powerful corners.

Online advertisers and European Commission Vice-President Neelie Kroes are both given a stern word or two.

The office of the European Data Protection Supervisor is in its own words “an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies.”

The EDPS looks at complaints about data protection issues in EU institutions and advises the EU directly on data protection and privacy legislation.  So their opinion carries some weight.

The speech in question was given on 7 July to an audience at Edinburgh University’s School of Law.  You can find the full text here, but we have been picking out a few of the highlights.

On one point he takes what appears to be a softer line than most on what cookies can be deemed ‘necessary’ and therefore do not require consent.

In apparent support of the Irish law, which we discussed in a previous post, he said that “typically” session cookies would fall into the necessary category.

Elsewhere however he takes a fairly tough line.

He starts by stating very clearly that, despite how others might want to interpret it differently, the Cookie Directive regime is definitely one where users should be able to ‘opt-in’ to cookies, rather than be given the chance to ‘opt-out’.

He also makes it clear that the intention is for users to be given “clear and comprehensive” information about cookies before they can give their informed consent.

This goes against some of the guidance coming from the UK authorities that consent does not have to be “prior consent”.

He also covers the much-hoped-for-by-many browser based approach to consent.  In doing so he points out that whilst in the future this may be viable, current default browser settings and user skills in changing them, makes this scenario at present “not realistic.”

Going further than this, he also gives an opinion that the recent changes introduced by the major browser manufacturers, with their different implementations of the ‘Do Not Track’ approach themselves fall short of requirements, and are in fact better aligned with the previous legal regime of opt-out.

He also goes on to mention the self-regulation regimes on behavioural advertising that have been put in place by industry bodies like the EASA and IAB, also in his opinion do not fit with the current regime as they are also opt-out solutions.

European Commission VP Neelie Kroes, who is in charge of the EU Digital Agenda, has openly supported these initiatives, and Hustinx comes very close to an open criticism of this stance.

He does not admonish Kroes directly, but states that her support appears to “raise doubts on the position of the European Commission” and he calls on them to ensure the directive is “fully respected”.

All of which tells us that even at the highest levels in Europe, there is still a lot of disagreement on what the new cookie legislation actually means.

Which just makes it all the more difficult for website owners who want a simple solution.