The Special Investigations Unit of the Data Protection Commission (DPC) has been contacting website operators in Ireland requesting their participation in a cookies sweep survey.
We understand that these sweep surveys are grounded on Article 31 of the GDPR, which requires controllers and processors to cooperate with the DPC, if requested, in respect of the performance of its statutory tasks. Participation is not optional. A refusal to participate could result in enforcement measures.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (ePrivacy Regulations) give effect in Ireland to EU Directive 2002/58/EC (as amended).
Generally, user consent is required before setting non-essential cookies and similar technologies used to store or gain access to information on a user’s device. Users must be provided with easily accessible, ‘clear and comprehensive’ information on the technology being used and its purpose.
The CJEU’s recent ruling (Case C‑673/17) in Planet49 provides that the standard of consent that must be obtained from users in order to comply with the ePrivacy Regulations is based on the definition of, and the conditions for, valid consent under Articles 4(11) and 7 of the GDPR (i.e. a clear, affirmative act, freely given, specific, informed, and unambiguous), even if the activity does not involve the processing of personal data.
Recital 32 of the GDPR prohibits pre-ticked boxes, and provides that silence or inactivity does not constitute valid consent. The CJEU’s ruling in Planet49 confirms this in respect of obtaining valid consent for cookies - an active action by the user is required to signify their consent.
Consent is not required if the cookie or other technology is:
A proposed EU-wide ePrivacy Regulation, intended to replace Directive 2002/58/EC, is anticipated to introduce simplified rules on cookies including by extending the current consent exemptions. Whilst the European Parliament adopted the proposed Regulation in October 2017, it remains in draft. The most recent version was issued on 18 September 2019, but the timing for the formal adoption of the Regulation remains uncertain. The DPC’s current cookies sweep is not based on this draft EU Regulation.
Cookies sweeps are not a new initiative. The European Data Protection Board (EDPB), under its previous guise of the Article 29 Working Party, coordinated a cookies sweep of 478 websites across eight EU member states in 2014. This sweep was carried out before the higher standards for consent were introduced by the GDPR. Ireland did not take part in that sweep.
The DPC’s cookies sweep is not unexpected. Whilst there is no mention of the sweep on its website, DPC representatives have previously indicated that cookie-based transparency and consent is on the DPC’s agenda for the second half of 2019.
Cookies consent is topical across Europe. For example, on 1 October 2019, the CJEU provided its judgment in the Planet49 case concerning cookie-based transparency and consent. Whilst the CJEU’s judgment deals with consent under the ePrivacy Directive, its judgment indicates that inferred consent from passive activities (e.g. continued browsing of a website) may not be valid. This view is supported by recent guidance issued by data protection authorities in France, Germany and the UK.
If you would like to learn more about anything in this note, or how these issues may apply to your organisation, please contact Robert Haniver on firstname.lastname@example.org.