The e-privacy regulation: new rules for analytics cookies

On 8 September 2017, the Council of the European Union reviewed the draft of the new e-Privacy Regulation (“EPR”) – previously published by the European Commission on 10 January 2017 -, which allows the use of first-party and third-party analytic cookies without express consent of the end-user.

The relevant legation in this field (Directive 2002/58/EC, hereinafter “e-Privacy Directive” or “EPD”) is indeed undergoing a reform process to align the current legal framework with the technological developments and the new provisions contained in the EU General Data Protection Regulation

Among other changes to the new EPR, the Council has proposed amendments to Article 8, concerning the “Protection of information stored in and related to end-users’ terminal equipment”. Cookies are one of the main examples of technologies which can track users’ behaviour online by reading information on their devices and, since EPD adoption, have been constantly subjected to European and national regulations.

Main Issues

In the European legislation, the main rule concerning the use of tracking technologies is Article 5(3) of the e-Privacy Directive. In Opinion 4/2012, Article 29 Working party (“WP29”) clarified that the above-mentioned article allows cookies to be exempted from the requirement of express and informed consent, if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A) or if they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (Criterion B).

In addition, WP29 suggested a further exemption to the required informed consent by considering that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes, anonymised and equipped with user-friendly opt-out mechanisms” (Criterion C).

Opening up to the use of first-party and third-party analytics surely serves the business needs of companies by introducing a new exception to the express and informed consent of the end-user. Moreover, the absence of any reference in Article 8 of the EPR to “data anonymization”, “privacy by design” and “data minimization” as specified in Opinion 3/2016 seems leading to the conclusion that, for the legislator, analytics do not pose a serious risk for users privacy anymore. However, the same may not be said with regard to profiling technologies for which an express and informed consent is still necessary.

Practical Implications

In conclusion, should the Council revision of the Article 8 of the EPR be deemed appropriate:

  • An express and informed consent will be required only for profiling technologies and not for first-party analytics
  • By default, the required consent will most likely be centralized in software such as internet browsers, apps, smartphones prompting users to freely choose their privacy settings, avoiding the use of banners. 

Source: ICT Legal Consulting  ICT Legal Consulting

News

Pilots for the European Cybersecurity Competence Networks: how can your SME benefit? - Cyberwatching.eu 6th Webinar -

The four pilot projects involved in the development of the European Cybersecurity Competence Network will present their plans and upcoming tools and services for SMEs in the Cyberwatching.eu webinar on the 2nd of April, 10:00 AM CEST

REGISTER NOW!

 

Future Events

Cyber Insurance and its Contribution to Cyber Risk Mitigation - Leiden March 25-29
25/03/2019 to 29/03/2019
Image:

The rise in both the scale and severity of recent cyberattacks demands new thinking about cybersecurity risk and the mitigation and transfer of that risk. Cyber insurance is one potential way to manage risk by transferring damage liability, but the cyber insurance market is immature and the understanding and actuarial knowledge of cyber-risk is currently underdeveloped.

e-SIDES workshop 2019
02/04/2019
Image:

e-SIDES workshop: Towards Value-Centric Big Data: Connect People, Processes and Technology

BRUSSELS

2 April 2019

10am to 4pm

 

e-SIDES is a research project funded by European Commission H2020 Programme that deals with the ethical, legal, social and economic implications of privacy-preserving technologies in different big data context.