GDPR Compliance Means Re-visiting Cookie Consent

Remember the cookie law? Ticked that box ages ago and not thought about it since?

Well, it is now time to re-evaluate your solution, because the game has changed. The ePrivacy Directive which gave us the cookie law is currently being looked at in a public consultation, but that is not really the issue.

The fact is that the GDPR, which is now law but subject to a two-year grace period before enforcement, has already tightened up the rules as well as increased the penalties for getting it wrong.

There may be a while to go yet, and we may see some guidance from regulators, but I think they will have other issues on their collective agendas.  So it is really important to start thinking about the changes you will need to make now, especially for companies that have a lot of websites.

So what does GDPR mean for cookie consent?

Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous, even if they do not directly identify an individual, will be personal data if there is potential for an individual to be identified or singled out.  Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data.  That means most cookies, and certainly the most useful ones for site owners. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws. For more of the details on this argument, see the blog post on the Cookie Law website.

Implied consent is no longer going to be compliant. There are several reasons for this. Mainly it's because the GDPR requires the user to make an ‘affirmative action’ to signal their consent. Simply visiting a site for the first time would not qualify.

Advice to adjust browser settings won’t be enough. The GDPR says it must be as easy to withdraw consent as to give it. Telling people to block cookies if they don’t consent would not meet this criterion – it is both difficult and ineffective against non-cookie based tracking.

‘By using this site, you accept cookies’ statements will not be compliant. If there is no genuine and free choice, then there is no valid consent. Also, people who don’t consent cannot suffer detriment, which means you have to provide some service to those who don’t accept those terms.

Sites will need an always available opt-out. Even after getting valid consent, there must be a route for people to change their mind.  Again this comes down to the requirement that withdrawing consent must be as easy as giving it.

Soft opt-in is likely the best consent model.  This means giving an opportunity to take action before cookies are set on a first visit to a site.  As long as there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.  Although see above about a persistent opt-out route. This however may not be sufficient for sites that contain health related content, or other sites where the browsing history may reveal sensitive personal data about the visitor.

You need a response to Do Not Track browser requests. A DNT:1 signal is a valid browser setting communicating a visitor preference.  It could also be seen as an exercise of the right to object to profiling.

Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose.  This means granular levels of control, with separate consents for tracking and analytics cookies for example.

Most sites right now would fail on many of these criteria.  But you will only need to fail on one of them to risk getting a fine under the GDPR.  It’s time to take action.
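As an added illustration (this is not code from the original post), the JavaScript below gates non-essential tags on the consent model described above: nothing but strictly necessary cookies before an affirmative choice, separate consent per purpose, a DNT:1 signal honoured as an objection to tracking, and a withdrawal call that is as easy as granting. The purpose names, the storage key and the exact DNT policy are assumptions made for the example, and the in-memory storage stands in for localStorage so it runs offline.

```javascript
// Added example, not code from the original post: a minimal per-purpose
// cookie consent gate. Purpose names, storage key and the DNT policy are
// assumptions made for this illustration.

const STORAGE_KEY = 'cookie-consent-v1'; // assumed key name

// Purpose catalogue. "necessary" needs no consent (strictly necessary
// cookies); "tracking" is the profiling-type purpose that a DNT:1 signal is
// treated as an objection to (assumed policy).
const PURPOSES = {
  necessary: { requiresConsent: false, blockedByDnt: false },
  analytics: { requiresConsent: true, blockedByDnt: false },
  tracking: { requiresConsent: true, blockedByDnt: true },
};

// Tiny in-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Stored record of the visitor's choices; null means no decision yet, which
// is the first-visit state (soft opt-in: nothing non-essential runs until
// the visitor acts).
function readConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  try {
    const record = JSON.parse(raw);
    return record && typeof record.choices === 'object' ? record : null;
  } catch (_) {
    return null; // corrupt record: fall back to "no consent"
  }
}

// Record an affirmative choice for every consent-requiring purpose. Anything
// not explicitly granted is stored as refused, so silence never counts as yes.
function writeConsent(storage, choices) {
  const record = { decidedAt: Date.now(), choices: {} };
  for (const [name, spec] of Object.entries(PURPOSES)) {
    if (spec.requiresConsent) record.choices[name] = choices[name] === true;
  }
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// The always-available opt-out: one call revokes every optional purpose.
function withdrawConsent(storage) {
  return writeConsent(storage, {});
}

// navigator.doNotTrack is "1" when the user enabled DNT; older Gecko builds
// reported "yes". Anything else (null, "0", "unspecified") is not a signal.
function dntEnabled(nav) {
  const v = nav ? nav.doNotTrack : null;
  return v === '1' || v === 'yes';
}

// Decide whether scripts for one purpose may run right now.
function mayLoad(purpose, record, dnt) {
  const spec = PURPOSES[purpose];
  if (!spec) return false;                    // unknown purpose: fail closed
  if (!spec.requiresConsent) return true;     // strictly necessary cookies
  if (spec.blockedByDnt && dnt) return false; // DNT:1 overrides stored consent
  return record !== null && record.choices[purpose] === true;
}

// Run the loader for every purpose that is currently permitted and return
// the list of purposes that ran. This is the one place tag loaders are wired.
function applyConsent(storage, nav, loaders) {
  const record = readConsent(storage);
  const dnt = dntEnabled(nav);
  const loaded = [];
  for (const purpose of Object.keys(PURPOSES)) {
    if (mayLoad(purpose, record, dnt)) {
      if (typeof loaders[purpose] === 'function') loaders[purpose]();
      loaded.push(purpose);
    }
  }
  return loaded;
}

// In a browser: applyConsent(window.localStorage, window.navigator, {
//   analytics: () => { /* inject the analytics tag here */ },
//   tracking: () => { /* inject ad or tracking tags here */ },
// });
```

The design choice worth noting is that every optional purpose is refused unless its flag is explicitly true in a stored record, so a missing or corrupt record, an unknown purpose name, or a DNT:1 browser all fail closed; the granular per-purpose flags are what let a visitor accept analytics while refusing tracking.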

Data Protection Officer

What is a EU Data Protection Officer?
A data protection officer is a designated person within an organization that collects the personal data of Union citizens, who is responsible for making sure that the organization follows the new regulations. They are appointed for two-year periods and can only be terminated if they fail to fulfill their duty; however, they can be reappointed indefinitely. Like the rest of this legislation, the DPO would be mandated sometime in 2016 pending the finalization of the reforms in 2014.

While all people who collect personal data in the Union will be accountable to the law, Article 35 of the proposal says that only certain data collecting entities must have a designated data protection officer. These entities are “a public authority or body”, “an enterprise employing 250 or more persons”, or someone whose “core activities… require regular and systematic monitoring of data subjects.”*

The DPO has several duties that are spelt out in Article 37 of the proposal. First, they must “inform and advise the controller or the processor of their obligations… and to document this activity and the responses received.”* Next, they are to monitor the “implementation and application”* of the organization’s policies and training on data management. They must also keep documentation on (according to Article 28) at least the name of the data collecting entity, contact details of their DPO, purpose of the data processing, types of subjects and data, “recipients of the personal data“, whether or not data is transferred outside the EU, and the time limits for data erasure. Likewise, they must monitor personal data breaches and “the response to requests from the supervisory authority”*. And they have a variety of roles in relation to the supervisory authority, including cooperating with it if requested and being its contact person in the organization.

The Data Protection Officer is one of the areas of the EU data protection reforms that’s being heavily debated, however. The major areas of contention are on the importance of the DPO, how much work this actually is, and the criteria for deciding who does and does not need a DPO.

The general assumption is that the legislation means that the data protection officer is someone’s full-time position. But some of the MEPs working on the reform suggest that a full-time DPO is unnecessary because they could do the work part-time while performing other duties. And there are some who think that the DPO is superfluous.

The Union originally adopted the German model wherein any company with over 250 employees would have to appoint a data protection officer. This requirement, Viviane Reding argues**, will help small businesses to avoid getting overly burdened by administrative costs and work. However, Jan Philipp Albrecht–the regulation’s rapporteur–has suggested revisions that alter this model to focus not on employees, but on how many people’s data is collected. His model states that any company collecting data on 500 or more EU citizens must have a DPO.

Data Protection Act

The Data Protection Act is a 1998 United Kingdom Act of Parliament that makes the United Kingdom compliant with the EU Data Protection Directive which passed in 1995. It’s a very large and complex act that has unfortunately confused some people; however, it has eight principles, which are rather simple to understand.

The first data protection act principle is that “Personal data shall be processed fairly and lawfully”*. To clarify that, it states that “fairly and lawfully” more specifically means meeting the following two principles.

The second data protection act principle is that data can only be collected for specific, lawful purposes and cannot be used for anything that is contradictory to that purpose. The third principle is related: the data collected must be relevant to the original purpose and no more or less ought to be taken.

Data protection act principle four is that data must be accurate and up to date. Principle five is that the personal data must be deleted after the initial purpose is complete. The sixth states that data collection must respect all of the rights in the Data Protection Act.

Principle seven makes entities accountable for data loss by mandating that they have security protocols in place on any device that holds personal data. And principle eight declares that no data should be transferred to a country “unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”*

There are some exceptions to this act. The most notable is that the rights of the individual can be superseded if it is a matter of national security. Likewise, data collected in order to prevent or stop crime is exempt from the data protection act. But there are also certain exceptions for handling your own personal data because it is assumed that you will adopt the level of data protection that you already feel most secure with.

While the Data Protection Act has been in effect, however, there have been major technological advances. For instance, the Internet has become an everyday phenomenon and many companies collect extensive personal data and make individual profiles about each person. With that and the horizon of amazing technological advances ahead of us, many people feel that this act no longer goes far enough. However, the outdated Data Protection Act will be replaced by the larger scale EU Data Protection reforms that should be finalized by 2014 and mandated by 2016.

EU Data Protection Proposals

The EU Data Protection Proposals are proposals for new legislation that seek to reform Directive 95/46/EC, or the EU Data Protection Directive. The original proposal to supersede the directive was submitted on the 25th of January 2012; however, in the meantime several MEPs have been working on it, so there are now several amendments to the original document.

So far, nothing has been taken out of the proposal completely, but many issues are under heavy debate. A few of the key issues in the original proposal are the data protection officer, “the right to be forgotten”, profiling, and explicit consent.

The data protection officer is a person inside of any entity that collects personal data who is responsible for monitoring whether the entity complies with the Data Protection Regulation. They must take care of all the documentation, train people on the protocols, and be the supervisory authority’s contact person inside that organization. There is debate about how much work this is and which data collecting entities need one, with some people saying that this could be done part-time by someone rather than as a full-time position. And while the 2012 proposal argues that the DPO is only needed in large companies (those with over 250,000 employees), some think anyone who collects personal data must have one or that it should depend on how many people’s data is being collected and not the size of the company itself.

The right to be forgotten is the right to ask a company to delete any personal data about oneself if there is no legitimate reason for keeping it. Basically, this would allow anyone to delete their private data from any company at any time for no reason at all. Some of the MEPs working on this have suggested deleting this right because it will be very difficult to enforce; however, others think it ought to be weighed against other rights.

Profiling is the practice of trying to judge someone’s abilities and livelihood based on a computerized processing of their personal data. This is a highly debated area of the proposal, and some people suggest banning its use by employers or creditors. And the rapporteur Jan Philipp Albrecht has suggested that profiling be permitted only by law or consent and ought not to be allowed to identify children or things about individuals that could lead to discrimination, like race or sexual orientation.

Explicit consent is the rule that a company must request permission from the person before collecting personal data about them and that the person can change their mind and opt out of the data collection at any time. While this policy is mostly retained in the MEPs’ amendments, some have pushed for set time limits on consent and for the collection of personal data to stop as soon as the original purpose of data collection is complete.

Press conference by Viviane Reding

EU Data Protection Directive Changes

EU Data Protection Directive changes are not all that complicated once you break them down; however, their effect on individuals and business will be massive. So, herein, we’ll discuss what these changes are and how they’ll affect citizens of the Union as well as the businesses that process their personal data.

The original EU Data Protection Directive (Directive 95/46/EC) mandates a few simple things: data transparency (the data subject must know that their data is being collected), data must only be collected for specified legitimate purposes, data may only be processed for those specific processes, and if data is transferred to a third country, they must adhere to these guidelines.

However, EU Data Protection Directive (Directive 95/46/EC) has been in effect since 1995–well before the massive technological changes of the last decade, particularly the Internet being an everyday experience for many people. Because of this, data protection has become a far greater concern to many individuals.

Or as Viviane Reding writes in the proposal, “Rapid technological developments have brought new challenges for the protection of personal data. … Lack of trust makes consumers hesitate to buy online… This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.”

Under the proposed 2014 EU Data Protection Directive, changes mainly center around this concern of Internet-based data sharing. In fact, as Viviane Reding notes, this legislation makes personal data the property of the person the data is about.* Because of this, citizens of the European Union will receive a few new rights and businesses will need to alter their operating procedures accordingly.

The right to be forgotten is covered in Article 17 of the proposal. This right allows someone to request that a company delete their private information–and the company must comply. Article 18 allows a person to get a digital copy of this information and to transfer that information to another company.

Article 20 of the new EU Data Protection Directive changes a company’s ability to profile someone. Profiling is automatically processing people’s personal data in order to predict things about their life.

Also in the new proposal, however, are the data protection officer and mandated fines. The data protection officer is a person inside of a company who would make sure that the company is compliant with the EU Data Protection Directive, interact with the supervisory authority, and interact with EU citizens who want access to their data, to delete their data, to port their data, or similar requests.

Otherwise, the EU Data Protection Directive changes are minimal. The changes are in the spirit of the old framework, or as Reding put it in the proposal, “The current framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity.”*

EU Data Protection Fines

EU Data Protection Law Fines

Under the new EU Data Protection law, fines for noncompliance can be up to 2% of “annual worldwide turnover”*. These fines would be imposed on the data collector by the supervisory authority (the governmental body that handles data security within a member state) on a case-by-case basis and be “effective, proportionate and dissuasive.”* What is meant by “effective, proportionate and dissuasive” is described in detail in the proposal to reform EU data protection.

The proposal states, “The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.”* These provisions for the EU Data Protection law fines are spelt out in Article 79, “Administrative sanctions”.

A warning may be given the first time a non-compliance issue is discovered if it is accidental in nature and the data is being collected “without a commercial interest”* or by an organization with fewer than 250 employees that processes personal data as something secondary to its main purposes. In other words, a small company whose main business is data processing but which failed to abide by the EU Data Protection Directive reforms would be fined according to the following.

EU Data Protection law fines of the next degree are of up to 250 000 EUR or 0,5% of total yearly global gross income. Fines of this caliber are imposed on businesses that accidentally or on purpose do not provide a system for people to request their personal data, or on any company that charges a fee for access to or for requesting this information.

The EU Data Protection law fines bump to 500 000 EUR or 1% of total yearly global gross income. This level of fine is imposed for a few different, but more direct, violations of the policy. The major ones are similar to the 0,5% fines, but more extreme violations: not providing access to information for data subjects; giving data subjects incomplete information; “does not provide the information in a sufficiently transparent manner, to the data subject pursuant”*; not complying with the right to be forgotten; or not giving the data subject a digital copy that they can then transfer to another company. However, there are some other ways to receive this fine level: neglecting to determine co-responsibilities with third parties with whom the organization shared data, failing to maintain the proper documentation, or not observing the special rules for data collection about free expression, new laws about processing data as a pre-employment screening, and saving data for scientific and scholarly research.

Fines of up to 1 000 000 EUR or 2% of global annual gross income can be imposed under the new EU Data Protection law reforms. Fines of this amount are only imposed for blatant violations of the Data Protection Directive. The EU sees these violations as: having no legal basis to collect data; not getting consent to collect data; processing potentially damaging personal data (like health, race, politics, sexual orientation, criminal convictions, etc.); not allowing for objections by data subjects; creating extensive “profiles”; blatant non-compliance like not adopting internal data management policies or not designating a data protection officer; processing data in a clearly non-compliant way; neglecting to alert the supervisory authority of a data breach; transferring data to another country that has been deemed non-compliant; and not complying with the supervisory authority.

As the MEPs debate the EU Data Protection law, fines are one of the issues that are being negotiated. However, while the fine amounts are mostly static, there is discussion of altering the criteria, imposing more stringent fines on more harmful activities, and lessening the penalties for certain crimes.

EU Data Protection Timeline

EU Data Protection Regulation Timeline

The Data Protection Regulation is intended to replace the earlier Data Protection Directive (Directive 95/46/EC) which was passed in 1995. Massive changes in technology, and the explosion in the availability and use of personal data online, mean the current laws are hopelessly out of date.

Work supposedly began on the re-write in 2010, but the first published version of the Regulation was released by the European Commission on 25 January 2012, championed by Commissioner Viviane Reding.

At the time she announced it with a fanfare and cries of ‘We’ve Done It’, however this statement proved to be a little premature.

“The current framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity. This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.”

However, given parliamentary procedure and the nature of reform, some people are confused about when these regulations would go into effect and the timeline of the process itself. So, this EU Data Protection Regulation Timeline will give you more clarity.

Since the first announcement, there have been many major committee meetings, amendments, votes, and negotiations. The most important of these are described below.

  • In May of 2012, the European Parliament held the first stakeholder meeting.
  • On the 10th of October 2013, MEPs Albrecht and Droutsas presented their draft reports.
  • In January 2013, the Internal Market Committee held a vote on their opinion of the draft.
  • In February 2013, the Industry Committee and the Employee Committee also voted on the matter.
  • In March 2013, the Legal Affairs Committee voted and the Civil Liberties Committee held the first discussion of their amendments.
  • Throughout 2013 the LIBE committee received and considered over 4,000 proposed amendments – making it the most heavily lobbied piece of EU legislation ever.
  • On October 21 2013 the LIBE committee voted and approved a revised version of the Regulation
  • In March 2014 the LIBE text was voted and approved by the whole Parliament.
  • The next stage is for the Council of Ministers (representing the Governments of each Member State) to come to its own agreement on the text as it is, or more likely its own revisions. This is now expected to happen sometime in the Autumn of 2014 at the earliest.
  • In the meantime a new set of MEPs will be voted into the Parliament in May 2014.
  • Finally, with each body having agreed its own position there will follow a tri-partite negotiation between the Commission, Council of Ministers, and the Parliament.

It is generally expected that final agreement will now be reached at some time during 2015. A two-year lead-in period is then normally provided to give business time to prepare, and enforcement of the Regulation would then begin in 2017.