Privacy and Cookies: Examining the European Union Framework

Posted on March 12, 2021

Authored by Sahel Bahman

Cookies, Security and Website tracking
Image Source: Aphaia

Introduction

The information age has brought rapid technological advancement across many fields.[1] While these developments have proven extremely beneficial, they have also given rise to new forms of crime, including but not limited to fraud and identity theft. As a result, laws governing and ensuring data privacy have become the need of the hour.[2]

This article examines the legal framework provided by the European Union ("EU") for the protection of data subjects with regard to cookies, specifically the General Data Protection Regulation ("GDPR")[3] and the ePrivacy Directive. Furthermore, the landmark judgment of the Grand Chamber of the Court of Justice of the European Union in Planet49 is discussed in order to give a holistic understanding of the protection the EU provides. The article also sheds light on the limitations and issues that remain in the regulation of cookies.

What is a Cookie?

A cookie is a small piece of data that a website's server sends to a visitor's browser; the browser stores it and returns it with subsequent requests to the same site, which allows the site to recognise the visitor, maintain session state and gather usage analytics.[4] Cookies have become a common and important tool in giving business and website owners insight into their users' activity and information. They can be classified in three ways: by purpose (for example strictly necessary, analytics or advertising), by duration (session cookies, which are discarded when the browser is closed, versus persistent cookies, which carry an expiry date) and by provenance (first-party cookies set by the site itself versus third-party cookies set by another domain, such as an advertising network).[5] The privacy danger lies in their ability to track an individual's browsing across visits and, in the case of third-party cookies, across sites; and because cookies often carry session credentials, an attacker who obtains them can hijack the user's session.

Obtaining informed consent

The GDPR sets out the legal framework regulating the collection and processing of the personal data of individuals in the EU[6]. Among other things, it provides a right of access[7], a right to erasure (the "right to be forgotten")[8] and a right not to be subject to a decision based solely on automated processing[9]. Evidently, the GDPR aims to protect data subjects and gives them enforceable legal rights to that end.

Cookies are directly referred to in Recital 30 of the GDPR, which makes clear that cookie identifiers which can be used to identify a natural person are personal data. The use of such cookies, and the cookie consent notices that accompany them, must therefore comply with the GDPR.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Recital 30, GDPR

Although the GDPR attempts to provide widespread protection, data controllers often obtain consent that is formally valid but not genuinely informed. A comparison can be drawn with the terms and conditions applicable to online purchases: any virtual platform sets out a long list of terms which most consumers do not read; instead, they tick a box and consent to terms of which they may not be entirely aware. Similarly, data controllers compose their privacy policies and consent interfaces in a manner that makes the privacy-protecting options difficult to find. On the surface the controller complies with privacy law by offering those options, but in reality they are neither explicit nor simple for users to locate. An example of this is the cookie consent notice, where a pop-up bar appears requiring acceptance of cookies to proceed. Sometimes refusing the cookies results in loss of access to the website, creating a 'take-it-or-leave-it' scenario for the user. Therefore, although privacy laws are formally adhered to, the protection actually received is not fully effective, because data subjects do not always give informed consent to the data they share.[10]

In addition to the GDPR, further steps have been taken to ensure privacy of data subjects, especially for the regulation of cookies.

The ePrivacy Directive

In 2002 the EU introduced the ePrivacy Directive (Directive 2002/58/EC), which was amended in 2009[11]. It is also known as the cookie law because it governs the cookie consent pop-ups[12]. Article 5(3) requires that no cookie be stored on, or read from, a user's device until the user has consented, the only exceptions being cookies used solely to carry out the transmission of a communication or strictly necessary to provide a service the user has explicitly requested[13].

However, the pop-up banners used by most websites do not obtain truly informed consent, as they usually state only that the site "uses cookies to enhance user experience" without further explanation. As a result, the user clicks "agree" to dismiss the banner and continue using the page without anything blocking the view.

The ePrivacy Directive was therefore a step taken by the EU towards greater protection and a safer experience for data subjects, by ensuring that users are at least made aware that cookies are being used. Where it lays down specific obligations, it takes precedence over the GDPR (Article 95 GDPR), thereby offering data subjects within the EU further protection. However, that protection is still, to some extent, limited and insufficient: data controllers retain the upper hand, as most users remain unaware of what these cookies contain and do.

The question that remains is what role the courts have played in bridging this gap between law and practice. The following section discusses a case in which the Court proactively took steps to rectify the situation.

Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH[14]

The landmark authority illustrating the interplay between the ePrivacy Directive and the GDPR, and clarifying the requirements for informed consent under those instruments, is Verbraucherzentrale Bundesverband eV v Planet49 GmbH.

The case was brought by the German Federation of Consumer Organisations against Planet49 GmbH, an online gaming company. Planet49 organised a promotional lottery in which participants' personal data were passed to the company's sponsors and partners; to take part, users had to pass a page on which a checkbox consenting to the storage of cookies on their terminal equipment, and to access to the information stored there, was already ticked. The case demonstrates the EU outlook on the scope and definition of consent.

The preliminary issues, relevant to cookie law, brought before the court can essentially be categorized into two questions:

1. Whether Article 2(f) and Article 5(3) of the ePrivacy Directive, read in conjunction with Article 2(h) of Directive 95/46/EC[15] and Article 6(1)(a) of Regulation 2016/679[16], must be interpreted as meaning that the consent referred to in those provisions is validly given where the storage of cookies on, and access to information already stored in, a website user's terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect in order to refuse consent.

2. Whether Article 5(3) of the ePrivacy Directive must be interpreted as meaning that the information the service provider must give to a website user includes the duration of the operation of the cookies and whether third parties may have access to them.

Pursuant to Article 5(3) of the ePrivacy Directive, storing information on, or gaining access to information already stored in, a user's terminal equipment is allowed only if the user has given consent, having been provided with clear and comprehensive information about the purposes of the processing in accordance with Directive 95/46/EC. The provision itself does not prescribe how that consent must be given. Recital 17[17] of the Directive makes clear that any appropriate method allowing a freely given, specific and informed indication of the user's wishes is acceptable, including ticking a box when visiting a website.

The Court held that "consent" by a user or subscriber under Article 2(f) of the ePrivacy Directive has the same meaning as the data subject's consent in Article 2(h) of Directive 95/46/EC, namely any freely given, specific and informed indication of his or her wishes by which the data subject signifies agreement to personal data relating to him or her being processed. The same definition therefore applies under the ePrivacy Directive.

The Court found that Article 2(f) and Article 5(3) of the ePrivacy Directive, read in conjunction with Article 2(h) of Directive 95/46/EC and Article 6(1)(a) of the GDPR, do not permit the storage of information, or access to information already stored, in a website user's terminal equipment on the basis of a pre-ticked checkbox which the user must deselect in order to refuse consent.

The GDPR expressly requires active consent. Pursuant to Recital 32, consent may be given by ticking a box when visiting a website, but the recital excludes "silence, pre-ticked boxes or inactivity" from counting as consent.

"The fact that a user selects the button to participate in the promotional lottery organised by that company cannot therefore be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies."

Case C-673/17, Planet49, paragraph 59

Evidently, the Court's ruling sets out the measures a data controller must take to ensure that a data subject does not give consent unknowingly. Having to tick a checkbox actively is far more likely to make the user aware that they are consenting to something, whereas if the box is pre-selected the user may not even notice it. The answer to the first question is therefore that the provisions cited do not permit consent to the storage of, or access to, cookies to be inferred from a pre-checked checkbox which the user must deselect in order to refuse consent.

With regard to the second question, the Court ruled that where cookies serve to collect information for advertising purposes, as was the case here, the duration of operation of the cookies and whether third parties may have access to them form part of the clear and comprehensive information that must be given to the user under Article 5(3) of the ePrivacy Directive.

Article 5(3) of the ePrivacy Directive also refers to Directive 95/46/EC, specifically Article 10, which lists the information a controller must provide to a data subject from whom data are collected. That list does not include the duration of processing, but Article 10 says 'at least', so the list is non-exhaustive and states only the minimum. The Court therefore held that Article 5(3) of the ePrivacy Directive must be interpreted as meaning that the information the service provider must give to a website user includes both the duration of operation of the cookies and whether third parties may access them.

In summary, the judgment indicates the extent of protection the ePrivacy Directive provides and the rights it gives data subjects and website users with regard to cookies. Consent is accepted only if it is given actively and the data subject has been provided with all required information, including the period for which the cookie operates and whether third parties have access to it.
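As an added illustration (not part of the original article, and not code from Planet49 or any real consent library), the following JavaScript shows how a website operator could derive, from the cookies it actually sets, the two items the Court required in the disclosure (duration of operation and third-party access), using the three-way classification from the "What is a Cookie?" section (purpose, duration, provenance), and then gate every non-essential cookie on an explicit opt-in whose default is unticked. The hostnames, cookie names and Set-Cookie headers are constructed for the example; the first-/third-party test is a deliberate simplification that compares hostnames rather than registrable domains.

```javascript
// Added example (not from the original article or any real cookie-consent library).
// Classifies cookies by purpose, duration and provenance, builds the disclosure
// entries (duration, third-party access) that Planet49 requires, then filters
// cookies by active, per-purpose consent. All hosts, names and headers are constructed.

const SITE_HOST = "shop.example"; // assumed first-party host of the page

// Parse one Set-Cookie header value into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? "" : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Duration in seconds. Max-Age takes precedence over Expires (RFC 6265, section 5.3);
// a cookie with neither is a session cookie, reported as null.
function lifetimeSeconds(cookie, now = Date.now()) {
  const { attrs } = cookie;
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs["expires"] !== undefined) {
    const t = Date.parse(attrs["expires"]);
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return null;
}

// Provenance: a cookie set by a response from the site host (or one of its subdomains)
// is first-party; anything else is third-party. Simplification: compares hostnames,
// not registrable domains (no public-suffix handling).
function isThirdParty(responseHost, siteHost = SITE_HOST) {
  const r = responseHost.toLowerCase();
  const s = siteHost.toLowerCase();
  return !(r === s || r.endsWith("." + s));
}

// Build the disclosure the notice must show: name, purpose, duration, third-party access.
function buildDisclosure(entries, siteHost = SITE_HOST, now = Date.now()) {
  return entries.map(({ purpose, responseHost, header }) => {
    const cookie = parseSetCookie(header);
    const secs = lifetimeSeconds(cookie, now);
    return {
      name: cookie.name,
      purpose,
      duration: secs === null ? "session" : `${Math.round(secs / 86400)} days`,
      thirdParty: isThirdParty(responseHost, siteHost),
      setBy: responseHost,
    };
  });
}

// Consent state: every non-essential purpose starts unticked; only an explicit
// user action flips it to true (no pre-checked boxes, per Planet49 and Recital 32 GDPR).
function defaultConsent() {
  return { analytics: false, advertising: false };
}

// Keep strictly necessary cookies (exempt under Article 5(3)) plus those whose
// purpose the user actively opted in to. Anything else must not be set or read.
function filterByConsent(entries, consent) {
  return entries.filter((e) => e.purpose === "necessary" || consent[e.purpose] === true);
}

// Constructed sample: cookies a hypothetical shop would set, with purpose and setting host.
const SAMPLE = [
  { purpose: "necessary", responseHost: "shop.example",
    header: "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { purpose: "analytics", responseHost: "shop.example",
    header: "_stats=xyz; Max-Age=63072000; Path=/; Secure; SameSite=Lax" },
  { purpose: "advertising", responseHost: "ads.tracker.example",
    header: "adid=42; Max-Age=2592000; Domain=.tracker.example; Path=/; Secure; SameSite=None" },
];

console.log(JSON.stringify(buildDisclosure(SAMPLE), null, 2));
console.log("allowed before any opt-in:", filterByConsent(SAMPLE, defaultConsent()).map((e) => e.purpose));
```

Run with Node: the disclosure lists the session cookie as "session" and first-party, the analytics cookie as 730 days, and the advertising cookie as 30 days and third-party; with the default (unticked) consent state only the strictly necessary cookie survives the filter, which is exactly the opt-in behaviour the judgment demands.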

Conclusion 

Legislators, regulators and the courts have sought to ensure that personal data is shared only on the basis of informed consent. However, given data subjects' limited awareness of their rights, this protection remains limited in nature, and data controllers still have the upper hand. Nevertheless, as Case C-673/17 shows, the rights that can be invoked are extensive and give data subjects considerable protection: complete and informed consent is required, a pre-checked checkbox is not sufficient and does not constitute consent, and all statutory requirements regarding consent must be met by the subject's own affirmative agreement. While precedents help establish order, national and local authorities need to ensure that data subjects are well aware of their rights and of how to protect themselves while using the internet.


*Sahel Bahman is a Researcher at IntellecTech Law and a second-year European Law student at Maastricht University in the Netherlands. She is currently studying four jurisdictions, namely French, German, Dutch and English, whilst also taking a holistic perspective by looking at European Union law. Sahel has a keen interest in data protection and IP law and hopes to pursue a career in this field of law.

[1] Declan Butler, 'Technological change is accelerating today at an unprecedented speed and could create a world we can barely begin to imagine' (Nature.com, 25 February 2016). https://www.nature.com/news/polopoly_fs/1.19431!/menu/main/topColumns/topLeftColumn/pdf/530398a.pdf?origin=ppub, accessed 14 February 2021.

[2] Kurt M. Saunders & Bruce Zucker, 'Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act' (1999) Vol 8 Issue 3, Cornell Journal of Law and Public Policy, pp. 661-662. https://core.ac.uk/download/pdf/188558405.pdf, accessed 15 February 2021.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[4] Jennifer L., 'What Are Cookies?' (privacypolicies.com, 5 January 2021). https://www.privacypolicies.com/blog/cookies/, accessed 15 February 2021.

[5] Richie Koch, 'Cookies, the GDPR, and the ePrivacy Directive' (GDPR.eu). https://gdpr.eu/cookies/?cn-reloaded=1, accessed 18 February 2021.

[6] Supra Note 3, Article 1

[7] Supra Note 3, Article 15

[8] Supra Note 3, Article 17

[9] Supra Note 3, Article 22

[10] Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub and Thorsten Holz, '(Un)informed Consent: Studying GDPR Consent Notices in the Field' (2019), CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 973-990.

[11] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (the ePrivacy Directive), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.

[12] Supra Note 5.

[13] Supra Note 11, Article 5(3).

[14] Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH, Case C-673/17.

[15] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[17] Recital 17 of Directive 2002/58/EC – For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.
