30 June 2012

EU Cookies and Transfers

The Article 29 Working Party - the independent advisory body drawn from the EU national data protection authorities, the European Data Protection Supervisor and the European Commission - has released a 12 page Opinion (i.e. formal Guidelines) clarifying exemptions to the cookie consent requirement in the EU 2002 E-Privacy Directive [PDF].

Earlier posts have noted the Working Party's concentration on 'consent' in electronic interactions.

This month's Opinion 04/2012 addresses which types of cookies are exempted from the informed user-consent requirement under the European Parliament Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy & electronic communications).

Article 5.3 of that Directive requires website operators to obtain informed consent from users prior to storing cookies on the devices of people visiting those sites -
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
There are two exemptions -
  • when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and
  • when the cookie is strictly necessary in order for an "information society service" provider to provide the service explicitly requested by the user.
Where a doubt remains as to whether the cookie falls within an exemption, site operators should seek consent from the user.

The Opinion stresses the narrow scope of the first 'sole purpose' exemption. The words “sole purpose” mean that such cookies will be exempted only if they are strictly necessary for communication to take place over a network between two parties. Three elements should be considered -
  • the ability to route information over the network,
  • the ability to exchange data items, and
  • the ability to detect transmission errors or data loss.
The Opinion indicates that the second exemption is necessarily broader. It offers several examples -
  • 'user input' cookies (shopping-cart cookies),
  • authentication cookies, such as those used to identify the user once that person has logged in to an online banking site,
  • security cookies designed to detect failed login attempts on a website, and
  • multimedia player session cookies needed to play audio or video content.
The Opinion emphasises that storage under the second exemption is restricted to what is strictly necessary for the user rather than the service provider. That has several consequences.

Third-party cookies used for behavioral advertising and third-party tracking cookies used by social network services such as Facebook in the collection of data for behavioral advertising or market research are thus not exempted. The duration of the cookie should reflect the functionality for the user. 'Persistent cookies' - that remain stored in a user’s device after the user closes the browser and potentially linger there for years - are less likely to be exempted.
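The two factors the Opinion singles out here, whether a cookie outlives the browser session and whether it is set by a party other than the site the user visited, are both visible in the Set-Cookie header, so a site operator can audit them mechanically before deciding which cookies need a consent prompt. The following Python script is an added example, not code from the Working Party or from this post: it parses constructed Set-Cookie headers, classifies each as session or persistent (Expires or a positive Max-Age) and first- or third-party (response host outside the site's host), and flags the persistent or third-party ones for consent review. The sample headers, the site name `shop.example` and the tracker name `tracker.example` are constructed; the third-party test is a simplification that compares hostnames rather than registrable domains, and any Expires attribute is treated as persistent without parsing the date.

```python
"""Audit Set-Cookie headers for the two factors the Opinion highlights:
persistence beyond the browser session and third-party origin."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieReport:
    name: str
    persistent: bool
    third_party: bool
    needs_consent_review: bool


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, lowercased attributes).
    Attribute values such as Expires contain commas but never semicolons,
    so splitting on ';' is safe."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_persistent(attrs: Dict[str, str]) -> bool:
    """A cookie survives the browser session only if it carries Expires or a
    positive Max-Age. Max-Age takes precedence; zero or negative deletes it.
    Simplification: an Expires attribute is not date-parsed, so a past date
    (also a deletion) is still reported as persistent."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # malformed Max-Age is ignored by browsers
    return "expires" in attrs


def is_third_party(response_url: str, site_url: str) -> bool:
    """Treat a cookie as third-party when the response that set it came from
    a host that is neither the site's host nor one of its subdomains.
    Simplification: hostname comparison, not a public-suffix-list match."""
    site_host = (urlsplit(site_url).hostname or "").lower()
    resp_host = (urlsplit(response_url).hostname or "").lower()
    return not (resp_host == site_host or resp_host.endswith("." + site_host))


def classify(response_url: str, header: str, site_url: str) -> CookieReport:
    name, _value, attrs = parse_set_cookie(header)
    persistent = is_persistent(attrs)
    third = is_third_party(response_url, site_url)
    # Following the Opinion's reasoning: long-lived and third-party cookies are
    # the ones least likely to be "strictly necessary", so they get reviewed.
    return CookieReport(name, persistent, third, persistent or third)


def audit(samples: List[Tuple[str, str]], site_url: str) -> List[CookieReport]:
    return [classify(url, header, site_url) for url, header in samples]


# Constructed sample: response URL and the Set-Cookie header it carried.
SITE_URL = "https://shop.example/"
SAMPLE_HEADERS = [
    ("https://shop.example/cart", "cart=item42; Path=/; Secure; HttpOnly"),
    ("https://shop.example/login", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("https://tracker.example/pixel",
     "uid=9f8e; Domain=.tracker.example; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"),
    ("https://shop.example/old", "legacy=1; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for report in audit(SAMPLE_HEADERS, SITE_URL):
        flag = "REVIEW" if report.needs_consent_review else "likely exempt"
        print(f"{report.name:8} persistent={report.persistent!s:5} "
              f"third_party={report.third_party!s:5} -> {flag}")
```

Run it and the shopping-cart and login cookies come out as session, first-party cookies (the Opinion's first two examples of exempt cookies), the year-long preference cookie and the tracker's cookie are flagged for review, and the Max-Age=0 deletion is not counted as persistent. The flag is a starting point for the legal analysis the Opinion calls for, not a substitute: a first-party session cookie can still fall outside the exemption if its purpose is not strictly necessary for the service the user requested.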

In emphasising transparency the Opinion notes that "social networks have ample opportunity to collect consent from their members directly on their platform if they wish to conduct such tracking activities, having provided their users with clear and comprehensive information about this activity".

The Working Party has also released guidance [PDF] on Binding Corporate Rules for organisations transferring personal data outside of the European Economic Area on behalf of other bodies. The expectation is that the guidance will allow those data processors to develop internal codes of conduct relating to data privacy and ensure data transfer complies with EU data protection law.