Remember Cookies? Article 29 Working Party Issues New Guidance

October 13, 2013

Most web sites have now settled on a policy for the use of cookies but their use still remains controversial for some. So, however belated, the latest guidance from the Article 29 Working Party on obtaining consent for cookies will be welcome – if only as a reassuring check.

The new document, Working Document 02/2013 providing guidance on obtaining consent for cookies, is available on the Article 29 Working Party site or can be downloaded from the panel opposite.  

The Article 29 Working Party observe that, while the ePrivacy Directive stipulates the need for consent for the storage of or access to cookies, there are considerable variations in practice. For example, an immediately visible notice that various cookies are being used or a notice that by further browsing on the website, the user agrees to cookies being set. Even though these practices are helpful, the Article 29 Working Party takes the view that in isolation they are unlikely to constitute valid consent, as all the elements for obtaining consent must be present.

Together with the opinion on consent that the Working Party already adopted in 2011 and the opinion of 2012 on the exemptions for cookie consent, this new document provides more clarity and practical guidance on the requirements of valid consent and its main elements in the specific context of cookies. The Article 29 Working Party state that the information provided must be specific and appropriate. Furthermore, consent must be sought before the processing starts, so before (non-functional) cookies are set. Another requirement is that consent must be unambiguously and freely given, which means that there should be no doubt that the data subject has given consent and that he or she should have a real choice and there is no risk of deception, coercion or significant negative consequences for the data subject if consent is not given. 

Other Article 29 Working Party Developments 

At its latest meeting, the Article 29 Working Party sent a letter to the LIBE Committee expressing its concerns regarding the proposal for a Council decision on the conclusion of the PNR agreement between the European Union and Canada. It raises serious concerns about the use of PNR data for law enforcement purposes, because PNR data are generated for commercial purposes and their reliability is not checked. In addition, considering there is no factual evidence so far to demonstrate to what extent the use of the data contributes to more public safety and the (further) processing of PNR data can be very intrusive to the data subject, the Working Party stresses the need for introducing strong data protection safeguards.

The Working Party also reports that it had a lengthy debate on PRISM and related programs. The Working Party has decided to continue to assess to what extent the protection provided for by EU data protection legislation is at risk and possibly breached and what the consequences of PRISM and related programs may be for the privacy of the European Union’s citizens’ personal data.  

The Article 29 Working Party also finalized and adopted its analysis of the Microsoft Service Agreement and other privacy policies. The Working Party noted Microsoft’s constructive approach and identified a number of areas where improvements are required. Microsoft was asked to send its response very shortly, explaining how and when it would implement the Working Party’s recommendations.  

Finally, the Working Party met with representatives of the Lithuanian presidency of the Council and from the Council of Europe in order to discuss the state of play of the on-going data protection reforms. The Working Party also discussed on-going work on opinions on legitimate interests and device fingerprinting.