On February 10, 2021, the Council of the European Union (which includes representatives of the European Union (EU) member states, hereinafter Council) reached an agreement on the ePrivacy Regulation proposal that governs the protection of privacy and confidentiality of electronic communications services (ePrivacy Regulation).
The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirms the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:
The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period to become compliant with the new law which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements with only 20 of the 27 Member States having so far implemented the requirements into their national laws.1
New EU cookie consent requirement