Cookies Consent Conflicts May Undercut EU ePrivacy Regulation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

A proposed European Union electronic privacy law reboot raises concerns that it doesn’t sync with the bloc’s new general privacy regime, a group of privacy regulators said in a recent opinion.

A simpler approach to consent rules for placing cookies on the computers of users in the EU would be a boon to online companies that do business there. But creating an ePrivacy Regulation that is potentially at odds with the new EU General Data Protection Regulation (GDPR) would create a privacy compliance nightmare for companies already facing daunting implementation challenges, the regulators said. Cookies are small packets of data that websites place on computers to facilitate tracking and ease of use, such as faster downloading.

And cookies aren’t the only thing in the proposed ePrivacy Regulation that may be in conflict with the GDPR. The Article 29 Working Party of EU privacy leaders from the 28 EU countries, in its April 7 opinion, expressed “grave concerns” about the proposed ePrivacy Regulation’s low legal standards for user consent to cellphone Wi-Fi tracking, use of embedded meta data and allowing tracking by other websites affiliated with the one actually visited.

If the ePrivacy Regulation is amended to address the privacy regulators’ concerns, the result would be a much stricter approach to consent, Peter Van Dyck, an information technology and data protection senior associate at Allen & Overy LLP in Brussels, told Bloomberg BNA. “Some companies are therefore, understandably, slightly wary of what the changes will mean for them,” he said. They want legal certainty, he added.

On April 11, the European Parliament held its first hearing on the proposed regulation and heard from a variety of representatives from industry, consumer groups and government.

The opinion sends a “warning shot over the bow,” serving notice from the privacy regulators to their allies in Parliament to step up and improve the ePrivacy Regulation’s privacy provisions, Tim Toohey, the head of the Cyber Security Practice at Greenberg Glusker LLP in Los Angeles, told Bloomberg BNA. It appears those parliamentary allies are “willing ready and able to accept the invitation,” he said.

The GDPR will take effect in May 2018. The EU is trying to approve the ePrivacy Regulation so it can take effect at the same time.

Expanding Coverage

The EU privacy chiefs had some praise for the draft ePrivacy Regulation, saying that it seeks to create a harmonized approach across the 28 EU countries and is consistent with the GDPR’s approach of setting a primary privacy regulator to handle oversight and enforcement.

The group also welcomed the expansion of ePrivacy rules to include over-the-top providers (OTT), such as Facebook Inc.'s WhatsApp and Messenger services, and Skype Inc. communications services. Including OTT services as well as traditional telecoms, such as Deutsche Telekom AG and cable providers, helps create “a level playing field,” Van Dyck said.

No Privacy Surprises

None of the concerns raised by the privacy regulators “come as any real surprise,” Elle Todd, partner and head of digital and data at Olswang LLP in London, told Bloomberg BNA. The consent issues they raise will interest app providers and content publishers but are “unlikely to be hugely controversial,” she said.

Van Dyck said that, to address fears of continuous monitoring through Wi-Fi tracking, the privacy regulators suggested that the European Commission, the EU’s executive arm, develop a mobile phone automatic anti-tracking signal that users could enable.

In regards to allowing websites to pass on tracking permission to other websites, the Working Party called for an “explicit prohibition” on “take it or leave it choices” presented to website visitors.

The privacy regulators were also critical of the lack of privacy by design in products and services lacking privacy by default settings for internet tracking. They said users must be able to provide specific consent through their browser settings and recommended making do-not-track settings mandatory.

Lukasz Olejnik, an independent cybersecurity and privacy consultant and researcher in London, told Bloomberg BNA the Privacy Regulation text should be revised “in-line with principles of privacy by design on the technology level.”

Parliament Committee Hearing

The EU Parliamentary Committee on Civil Liberties, Justice and Home Affairs (LIBE) heard opinions on the proposed ePrivacy Regulation from privacy professionals, online industry and non-government organization representatives, academics and government officials.

“European Parliament stakeholders represent a broad spectrum of opinions,” from strict privacy protection advocates to industry-centered views, that were represented at the hearing, Olejnik said.

Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), told the committee that he shared the concerns raised by the privacy regulators. However, without an ePrivacy Regulation, the overall EU privacy legal regime “would be incomplete,” he said.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the Article 29 Working Party opinion on the proposed ePrivacy Regulation is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security