EU’s Web Privacy Law on ‘Cookies’ May Trigger Legal Confusion
European Union data privacy rules forcing companies such as Google Inc. (GOOG) and Yahoo! Inc. (YHOO) to seek consent before targeting users with online advertising may sow confusion because of national differences in the way they are applied.
A day before countries are meant to put in place a 2009 law including restrictions on so-called cookies, industry groups and lawyers say it’s unclear how the rules will be implemented across the 27-nation region.
“What we see is that the member states transpose it in a totally fragmented manner,” said Kimon Zorbas, vice-president of IAB Europe, a digital advertising group whose members include Google, Yahoo and Microsoft Corp. (MSFT) The law’s text, which is a mixture of old and amended articles, is “quite messy” which in turn “brings huge legal uncertainty in the markets and nervousness” as to which rights apply when doing business across the EU, he said.
The EU is cracking down on companies invading Web users’ privacy, by promising people more control over their data and harsher sanctions, including criminal penalties, against violations. Google, Yahoo, Microsoft and Facebook Inc., the top social-networking service, are among several Internet companies under scrutiny for possible privacy-rule breaches.
Implementation a ‘Problem’
“The problem is how to implement it,” said Quentin Archer, a technology specialist at law firm Hogan Lovells LLP in London. The method of consent can differ from one cookie to another, with some being very intrusive while others are necessary for the operation of a service, he said.
“Because there are so many different types of cookies it’s not really possible to give precise guidance, so businesses are left looking at the general principles.”
The European Commission has been working closely with governments to help them implement the law, said Jonathan Todd, a spokesman for Commissioner Neelie Kroes who is in charge of the e-privacy legislation.
The law has “very clear rules” as to what the requirements are, Todd said. “If those requirements are not met in a particular member state then they will be subject to infringement proceedings.” The Brussels-based commission has the power to sue countries that don’t implement agreements in the correct way.
Todd said Denmark and Estonia are so far the only two countries to implement the law.
“We’re due for a period of some confusion because implementation seems to be happening in a drip-drip fashion at the moment,” said Sally Annereau, a data privacy analyst with Taylor Wessing LLP in London.
National data protection agencies have the power to impose sanctions for non-compliance by companies.
To contact the reporter on this story: Stephanie Bodoni in Luxembourg at firstname.lastname@example.org
To contact the editor responsible for this story: Anthony Aarons at email@example.com