Despite the fact that the year 2019 has only a few weeks to go, the intention has been announced by the European Council to discuss the ePrivacy Regulation proposal with the European Commission and the European Parliament in trilogue before the end of the year. So will 2019 be the year of the ePrivacy Regulation after all? A brief update on the latest developments in relation to the ePrivacy Regulation as well as the (changed) consent regime for the use of cookies.
Following the coming into force of the General Data Protection Regulation (GDPR) in 2018, it is now time for the ePrivacy Regulation (ePV) to ensure that data protection around electronic communications is also ensured and that ePrivacy regulations are in line with the AVG. Although the original plan was to have the AVG and ePV come into force at the same time, this did not succeed - partly due to the European Commission elections in 2019.
After tinkering with the proposal several times, the latest version of the ePV was published on November 15, 2019. If it is up to the European Council, this proposal will be discussed in trilogue before the end of this year so that nails can finally be hammered and the proposal can be adopted. Based on the latest version of the proposal, what can we expect?
One topic that people just can't seem to agree on is the rules regarding cookies. Until there is an ePV, we in the EU are bound by the ePrivacy Directive (2002/58/EC). When it comes to the use of cookies and similar technologies, Article 5(3) of the ePrivacy Directive applies. This article is implemented in the Netherlands in Article 11.7a of the Telecommunications Act (Tw). When it comes specifically to regulating the use of cookies, a number of things have changed in the latest ePV proposal compared to Article 11.7a Tw.
Article 11.7a Tw prescribes that "information will only be stored on or extracted from subscribers' or users' peripherals if the relevant subscriber or user gives his or her consent and has been fully and clearly informed about it.So the gist of this regulation is that the placement of cookies is permitted if the information requirement and the consent requirement(informed consent) are met. The consent must thereby meet the conditions of Article 4 paragraph 11 AVG. Paragraph 3 of article 11.7a Tw contains a number of exceptions for the placement of functional and purely analytical cookies: informed consent is not legally required in that case. In practice, however, on the advice of the Autoriteit Consument & Markt (ACM) these cookies are usually reported anyway.
Unlike the ePrivacy Directive, the ePV assumes that the use of cookies is prohibited, subject to seven exceptions. Thus, the main rule is formulated as a prohibition ("no cookies, unless"). A notable difference is that the information obligation, which is one of the core elements in the current regime, is not explicitly mentioned in the proposal. What the European Commission's thinking was in not including the information obligation is unclear. It seems far from likely that all cookie notices may be removed from websites again after the introduction of the ePV.
The second core element from the Tw, the consent requirement, does appear in Article 8 (1) of the proposal. Indeed, consent is mentioned as one of the seven exceptions to the cookie ban. For the coloring of consent, the requirements of the AVG are followed.
The consent regime in the ePV proposal is also interesting for the discussion of the permissibility of cookie walls. The various draft versions of the ePV include varying rules for cookie walls. For example, the European Commission's original proposal of Jan. 10, 2017, did not include specific rules for cookie walls. However, on Oct. 26, 2017, the European Parliament agreed to an amended version of the ePV that included an absolute cookie wall ban.
It now appears that in the latest proposal, the European Council takes a more accommodating stance on cookie walls than the European Parliament. It reads that the use of cookie walls need not normally be understood as depriving the user of choice. In other words, consent can be freely given in certain situations. This is the case, for example, when the website visitor is given the option to use an equivalent of the website when he does not want to accept cookies. This could include the situation where both the option of paid access to a website without cookies and an unpaid access to the website with cookies is offered. Thus, a radically different starting point than is currently taken by the Autoriteit Persoonsgegevens (AP).
It remains to be seen whether the ePV proposal indeed makes its way to the trilogue before the end of 2019 and whether this version survives the negotiations there. One thing is certain: the conditions for setting cookies and obtaining consent from data subjects have not yet been the last word.
This article can also be found in the ePrivacy file
More articles by Kennedy Van der Laan
