DAC Beachcroft | Insurance, Privacy & Data Security News | October 2014
October 2014 update
How many of us are annoyed on daily basis by the cookie banner pop up which has become a feature of our digital lives?
The honest answer is usually, "I don’t really care, but I will click anything just to get this annoying pop up off my screen"! For those who weren't following the legislative changes at the time, these pop-ups were a result of a change in law in 2009 when the European Parliament adopted an amendment to the ePrivacy Directive.
Among other modifications the new version of the directive, (EC) 2009/136 (the "Directive"), introduced an obligation for website operators to receive their users’ consent to using cookies and similar technologies which has been highly unpopular for both data subjects and companies.
Although planned to have a unifying approach to cookie legislation across Europe, we have been left with a patchwork of national laws and guidance across the Member states. Many of them followed the UK approach and permit implied consent method, hence we can usually just ignore the banner and not have to click our consent to having our browsing activities monitored. Germany have refused to implement the legislation at all, alleging that their current data protection legislation more than meets the requirements of the Directive, which has led to great confusion in Germany as to where this law is written and what the obligations are.
After lying low for a while, September has seen cookies hit the headlines yet again. On 16 September European authorities began a “cookie sweep” consisting of random checks of the most popular EU e-commerce and media websites in an exercise initiated by the French data protection authority, the CNIL. I suspect the results will prove interesting reading but more pertinent will be the action that data protection authorities take as a result of findings of non compliance. To date, compliance actions have been limited, with 2014 seeing the first fines in Europe for failure to comply: The Spanish regulator fined two companies €3000 each for failing to provide clear and comprehensive information about the cookies they used. Our own ICO is working on a complaints driven basis and reports state that the ICO's approach has been to write to companies who they consider to be in breach and ask them to remedy the website and provide a more apparent method to obtain consent/provide notification to website users of cookie usage and storage.
What should concern the companies who are found in breach of the law, is that even if the penalty for non compliance is not significant, a breach may act as a marker, drawing the attention of the regulators and increase the chances of exposing wider breaches resulting in more serious enforcement action. This may be reason enough to implement an ongoing process in the legal, compliance and IT departments of your organisation to review both the cookies you use on your websites and the banners and notices through which you obtain user consent.
All this and more in this month's update. Colleagues can sign up to the alerter
Follow us on twitter @DACBprivacyFor DAC Beachcroft privacy updates, please follows us at @DACBprivacy
Click any of the links below to read more ...
Click the below headings to read more on each of the developments...
EU Data Protection Regulation Developments
Updates from around the World...
Cayman Islands' DP bill in final stages of consultation
For more information please contact:
You might also like ...
Cyber Risk legal update | January 2016
Newsletter | Cyber Insurance, Privacy & Data Security
A milestone has been reached in the world of data protection law. After three years of detailed discussions political agreement has been reached between the European Commission, Council and Parliament on the final text of the General Data Protection Regulation (the GDPR).
The GDPR will replace the Data Protection Directive 95/46/EC and therefore the UK Data Protection Act 1998 and will be directly applicable in all Member States without the need for implementing legislation. The legislative process will be complete once the text is formally adopted by Council and Parliament, which expected in the coming months. The GDPR will come into effect two years from formal adoption and is therefore anticipated to take place in the first half of 2018. Further detail about the key features of the GDPR is provided here