This article is taken from December 2009 World Communications Regulation Report.
Telecommunications Reform Clears European Parliament With Provisions on ‘Cookies’, Internet Cutoff, and Data Breaches
Telecommunications reform, including privacy amendments that require websites to obtain customer consent before placing “cookies” on users' computers, as well as provisions allowing the cutoff of Internet service to abusive file sharers, gained final approval on November 24 with a vote by the European Parliament.
The General Assembly voted overwhelmingly (510 in favor, 40 against, 20 abstentions) in favor of the telecommunications reform package that also amends the European Union's e-Privacy Directive (2002/58/EC).
The Directive's changes were passed by the Council of the European Union on October 27, and were included as part of the larger telecommunications reform package passed by the Council on November 5 (WCRR, November 2009).
New Telecommunications Regime Takes Effect
With the legislative approval, the new EU telecommunications regulatory regime took effect December 1. EU Member States will have until June 2011 to pass laws implementing the legislative package, including the e-Privacy Directive changes.
Final approval of the package came after more than two years of legislative wrangling, primarily over provisions in the law regarding the cutoff of Internet service to users accused of illegal file sharing of copyrighted material. The so-called “three-strikes” approach — in which government officials could order ISPs to cut service to alleged illegal file sharers after a third notice to the user — was accepted, but only after an amendment to the legislation made clear that judicial approval and a court order are required to terminate user access to the web.
Besides the issue of Internet access and illegal downloading, the new telecommunications package contains a number of “prominent reforms”, according to the European Commission, including:
• guarantees for so-called “net neutrality”;
• a boost in the Commission’s power to regulate antitrust aspects of the EU telecommunications market;
• a new EU telecommunications regulatory agency;
• greater independence for national telecommunications regulators;
• consumer protection against personal data breaches and spam;
• harmonization of radio spectrum across the European Union, especially with regard to the mandatory switch from analog to digital television by 2012; and
• allowance for “functional separation” that could require dominant telecommunications operators to separate their network infrastructure from business units offering services that use the infrastructure.
Consent for Downloading Cookies
The new law compels ISPs and website operators to provide better information to Internet users about “cookies” stored in their computers, and allows users to exercise more control over cookies.
The amended e-Privacy Directive introduces “consent” into EU law in Article 5(3), which requires that the EU's 27 Member States ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information,” according to the new text.
“If you look at the original article 5(3) and look at the new article 5(3), there is a clear difference,” explained Bridget C. Treacy of Hunton & Williams LLP, in London. “The old provision requires the notice and right to opt-out, the new provision refers more specifically to consent,” which usually needs to be “explicit and fully informed”.
The consent provision does not specifically mention “cookies”, the tracking tools placed on a user's computer that can be used for behavioral advertising, among other things, and that are also integral to the functioning of many websites. But attorneys who are familiar with the law generally understand the change to refer to cookies.
The provision, however, has created confusion among those same legal analysts about how such a consent requirement would work in practice. They are unsure whether notices in privacy policies and end user license agreements could constitute effective consent to the downloading of cookies, and whether a provision allowing consent through “settings of a browser or other application” is even technically possible.
The requirement that companies provide a means for users to give explicit consent to cookies has sparked concerns that web browsing could become cumbersome if sites begin using pop-up windows to get user permission before installing cookies or other technologies, such as local shared objects (so-called “flash cookies”) used in applications including Adobe Flash Player.
“Cookies are, even when they're legitimate, downloaded immediately” when a user visits a website, noted Benoit Van Asbroeck of Bird & Bird, Brussels. “If you need to go first through a process of accepting that … [it] will certainly slow down the access to the Internet and therefore I fear [this] in practice.” It is unclear from the text of the legislation whether notices in privacy policies and EULAs could constitute consent, Van Asbroeck added.
Kristen J. Mathews, a Partner at Proskauer Rose LLP in New York (kmathews@proskauer.com), explained the problem for website owners around the world:
While this amendment leaves European companies in a state of alarm, it also leaves non-EU companies in a state of quandary. The EU (specifically, the Article 29 Working Party) consistently has taken the position that its personal data directive (an older sibling of the e-Privacy Directive) applies to wholly non-EU Web sites that place cookies on computers which are located in Europe. If the e-Privacy Directive also applies to all Web sites that drop cookies, the global impact of these amendments essentially requires every Web site to change its practices in about 18 months, which is the deadline by which European Member States must implement the e-Privacy Directive's amendments.
Clarification Needed From National Authorities
It may fall to regulators within the various Member States to clarify exactly how companies can comply with the legislation using available technologies, experts noted. “I think this is going to be difficult, and I think there will need to be some thought given when this legislation is implemented into local law about how regulators expect companies to comply. I think there is genuine confusion here,” Treacy said.
One possible way to obtain consent from users was found in Recital 66 of the legislative package, which reads in part: “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application.”
Jan Dhont, head of the Privacy and Data Protection practice at Lorenz in Brussels, said browser settings, as they are managed now, would not constitute consent. “What's clear is that a default setting which allows the installation of cookies can never be interpreted to [give] consent for cookies to be installed on the hard drive,” Dhont said. However, valid consent might be given if browsers by default were set not to accept cookies and users, given clear information, had to choose from the start whether to accept or partially accept cookies via tick boxes, he added.
Even if that were the case, however, obtaining consent through browsers could create confusion about which company is liable for privacy violations, Dhont noted.
Van Asbroeck agreed. “The browser is a separate legal body from the others; you just use the browsers to find other information …. I have doubts that the companies in charge of the browsers will take such kind of liability.”
“We reject that browser settings can be considered consent,” said Nuria Rodriguez, senior legal officer at the European Consumers' Organisation (BEUC). “Some of them are privacy friendly and some of them are not.”
“We very much welcome [the new laws] but it's clear at the moment the technologies are not actually allowing the consumers to give meaningful consent,” Rodriguez added, and this includes consent to flash cookies, which are neither well-understood nor easily erased by users. Also, since individuals cannot take direct legal action to enforce the provisions of the EU directive, it is unlikely that users will be able to seek redress, given that enforcement is weak in Member States, Rodriguez explained.
“There exist very, very few enforcement bodies or organizations that have enough money and enough resources to enforce privacy law on the Internet,” according to Rodriguez. Moreover, sanctions in most member states — notably excluding Spain — are low, which may lead companies that are unconcerned about their public image to ignore privacy rules, according to Van Asbroeck.
National regulatory authorities will need to clarify how companies can obtain consent to cookies — but in the meantime, companies should examine their terms of use and privacy policies, Dhont said. “I would certainly advise companies to review their terms of use to ensure that they definitely refer to ‘consent’ rather than ‘opt-out’,” Dhont stated. “I think now the formulation of these terms of use will be critical.”
Now, industry must take steps to figure out how to comply with the new rules, Treacy added. “I think they should be discussing this amongst their trade associations … I think people need to have this discussion rather than waiting for this [guidance from authorities] to happen.”
“We wouldn't be against entering into a dialogue with industry to find ways for consumers to comply … but it's clear that something has to be done,” Rodriguez said.
Action Against Spammers; Internet Freedom
The law also introduces the possibility for any person, including corporate entities such as ISPs, to bring “effective legal proceedings against spammers”, according to European Data Protection Supervisor (EDPS) Peter Hustinx. National data protection authorities will also have improved enforcement powers, since they will be able to order organizations breaking privacy laws to “stop immediately”, the EDPS added.
The European Commission emphasized in a November 20 memorandum on the new law that the legislation also contains guarantees of “net neutrality” in the European Union. In addition, the memo pointed to an “Internet freedom” annex to the new EU law that incorporates the legal basis raised by many Member States for objecting to the “three-strikes” file-sharer cutoff law.
The annex states that “any measures taken by Member States regarding access to or use of services and applications through telecoms networks must respect the fundamental rights and freedoms of citizens, as they are guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and in general principles of EU law,” the EC memo said.
Lingering File Sharer Net Cutoff Concerns
No sooner had the legislation been approved by the General Assembly than a leading EU-based Internet rights group — La Quadrature du Net (LQN) — warned that the vote could represent a step backward when it comes to the “fundamental right of access to the Internet”. LQN led the fight in France against the so-called “three strikes” law that allows the French government to cut off Internet access if someone has been caught illegally downloading.
After having its first attempt to implement a three-strikes law rejected as unconstitutional, the French Parliament on September 22 approved a new Internet cutoff law that incorporates independent judicial review.
The EU cutoff provision states that an Internet user's access can be cut off only if it is “appropriate, proportionate and necessary” and only after “a prior, fair and impartial procedure” that gives users the opportunity to state their case and also respects the principles of the presumption of innocence and the right of privacy.
According to LQN, just what is meant by “fair and impartial” is vague and is a potential loophole that will allow EU member states to implement laws such as France's “three strikes” rule.
But Commissioner for Information Society and Media Viviane Reding insisted in a statement before the Parliamentary vote that any EU Member State government that tries to cut off the Internet access of an EU citizen without judicial approval will face a legal challenge from the European Commission.
Data Breach Notice
Also included in the new law is the first data breach notification requirement at the EU level — although it covers only telecommunications companies and ISPs that provide services on public networks.
The new law defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”
“Publicly available electronic communications services” include telecoms and ISPs that provide services in public networks, but the term does not include all data controllers that have an online presence, such as online banking and shopping services.
Covered providers will be required to notify competent national authorities, typically data protection authorities, of personal data breaches “without undue delay”.
Under the law, “[w]hen the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.”
Notification to individuals may not be required in cases where the provider has demonstrated to government authorities that it has implemented “appropriate technological protection measures” to render compromised data unreadable to those who accessed the data without authorization.
(The November 20 European Commission memorandum on the regulatory reform package is available at http://op.bna.com/pl.nsf/r?Open=dapn-7y5nzy and the amended e-Privacy Directive is available at http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf)
(BNA's correspondents in Brussels contributed to this report.)