Our website is set to allow the use of cookies. For more information and to change settings click here. If you are happy with cookies please click "Continue" or simply continue browsing. Continue.

Law for Business

Knowhow - guidance - precedents

14 DEC 2012

EU Data Protection and Computer confidentiality

By Zia Akhtar

The UK complied with the new law that came into force by the Privacy and Electronic Communications Regulations in May 2012 which brought the EU directive in to law. The EU cookie law is a piece of privacy legislation that was originally adopted by all EU countries on 26 May 2011 as part of the EU Directive 2009/136EC, known as the E-Privacy Directive [http://www.jisclegal.ac.uk/ManageContent/ViewDetail/ID/1347/EU-Cookie-Directive--Directive-2009136EC.aspx]. The Information Commissioner has issued guidelines on how businesses can comply with the law as research shows that the consumers are still not aware of its implications.

This new framework for businesses has been implemented is known as the ‘cookie' law which is based on the type of information that a user's website puts on the hard disk of a computer, in order to store it on the memory of the PC. The operation of cookies tends to record the business concerns preferences when surfing a particular site and are commonly used to rotate banner adverts, so the user receives different adverts based on previous website activity.

The cookie law requires websites to gain consent from visitors to receive any information on a computer or any other web connected devices (eg, smartphone, tablet etc). It has been designed to offer extra protection for data protection and for the online privacy of customers by making them aware, and giving them a choice, about the amount of information collected by websites.

Each EU member has its requirements and approach to the law; however the basic needs of the directive remain the same. The cookies can protect personal data on electronic communication devices, not just those involving the processing of personal data. The Regulation 6 that covers the use of electronic communications networks to record information, to gain access to information stored in the terminal equipment of a subscriber or user.

The application of a cookie type device does involve the processing of personal data, service providers will need to make certain they comply with the additional requirements of the Data Protection Act 1998 (the Act). The devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified.

This includes the requirements of the third data protection principle which states that data controllers must not process personal data that is over supplied. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed without verification of identity. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the business user, for example, counting visitors to a website.

While the collection of data in the context of conducting legitimate business online is the main aim of the Directive there is also the preclusion of the spy surveillance that would allow the entrance into a terminal without the knowledge of the subscriber. This will stop the access of information that would be intrusive of the organisation and prevent hacking of the users.

EU clarification of the data protection mechanism

The new law will force businesses to obtain explicit consent for all forms of website tracking from users. The data protection is quite strict but it does require the permission of the user to accept the conditions of its subscription. There is an explanation of the need for compliance to based on the implied consent of the end users.

This is defined as the valid form of consent and in order to rely upon it the business has to be satisfied that they understand that their actions will result in cookies being installed and without it the consent is not inferred. If the business user has a privacy policy and if it relates to the collection of the personal data such as health information, then the explicit consent of the user has be obtained.

In June this year the European data protection authorities (as part of the Article 29 Working Party on the Cookie Consent Exception) adopted an opinion that has set out there is an exemption for gaining of consent requirement [c.europa.eu/.../data-protection/article-29/.../opinion.../wp194_en.pdf]. This is based upon the computer application being used for defined purposes where the cookies keep track of a user's input when filling online forms or as a shopping card, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.

There is no risk that the First party analytical cookies installed in business portfolios are likely to create a privacy risk if websites provide visible information about the cookies to users and privacy safeguards, exist [http://www.theregister.co.uk/2012/04/05/eprivacy_directive_web_analytics/accessed]. This is in the form of a user friendly mechanism to opt out from any data collection and where there is detail that identifiable information does not expose the business user's personal details.

The organisation QuBit, has carried out a study of the impact of the cookie law that states ‘This law will have a massive impact on a broad swathe of digital marketing and optimisation techniques and is one of the most important changes in web development in the last five years' [http://www.qubitproducts.com/company-news/telegraph-eu-cookie-law-will-cost-businesses-10billion-say-qubit/]. The study claims that UK businesses could lose £10 billion due to a combination of lost sales, damage to existing technology and advertising businesses and the migration of online businesses overseas as they seek to avoid the costs of compliance.

Information Commissioner's guidance and research findings

In late September, the ICO issued guidelines in the form of press releases, conferences, meetings and workshops and wrote to 75 of the most visited websites, setting out what measures need to be taken to achieve compliance to implement the cookie law. ‘The issue is that businesses' online presence are still unclear around whether implied consent is allowed, we continue to work to educate around this' [http://www.ico.gov.uk/news/blog/2012/education-key-to-cookie-law-progress.aspx Accessed 10 September 2012]. The ICO has had 380 responses to its online tool which is working to respond to those concerns, with a progress report promised this year.

‘There has been findings published in November 2012 which show that the British Consumer Awareness of the privacy directive's implications which reveals that the European companies are heavily tracking online behaviour, consumers are highly aware of this activity, and consumers expect websites to get their permission before tracking their behaviour online' [http://www.truste.com/eu-compliance-tracking-awareness-index/]. However, only a minority of companies are seeking consent from users before dropping cookies. The current consumer attitudes to data privacy and company practices across the EU reveal that the 86% of respondents in the Netherlands were aware of internet browser cookies compared with 81% in Great Britain, 78% in Germany and 59% in France.

The research also pinpointed that 79% of Dutch respondents were aware that the EU Cookie Directive law requires that companies must have permission to track the business online compared with 63% in Great Britain, 51% in Germany and 26% in France. 82% of Germans expect companies to comply with the EU Cookie Directive as do 76% in Great Britain and 62% in the Netherlands. 12% of the top 50 UK websites and 32% of Dutch websites had taken some steps to comply with the Directive with an onscreen pop-up, banner or tab informing users about cookies on the site. None of the top 50 websites in France or Germany had done this.

The Cookie law is a major piece of enactment that flows from the Privacy Directive and impacts on companies across the EU. It needs a firm approach for businesses to protect their data and prevent unsolicited electronic intrusion and information compiling. They need to take steps and either offer their implied or express consent in letting the subscribers enter into their domain and connect them onto their own websites

Zia Akhtar is a member of Grays Inn. He is writer on business Law and compliance and is a regular contributor to this portal.

Jordan Publishing Employment Law

Jordan Publishing Employment Law

"exceptional value for money in today's challenging legal environment" John Mitton, PG Legal

Available in Employment Law Online
Jordan Publishing Company Administration and Governance

Jordan Publishing Company Administration and Governance

"This is an indispensable aid to the busy company secretary. The text is clear, the precedents...

Available in Company Law Online
Subscribe to our newsletters