It is fair to say that we have been waiting for the new and improved European cookie regime for quite some time now, since May 2018 in fact.
As the wait continues, the EDPB (the body made up of the national data protection authorities and responsible for the consistent application of data protection rules across the EU) has issued a statement, warning the Council (the EU legislative body made up of ministers representing each Member State) not to overly complicate the new law and diverge from GDPR.
Clearly dissatisfied with the Council’s current direction of travel, the statement reminds the Council that their proposals must “under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC” and should “complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication”.
The EDPB’s concerns
In particular the EDPB has expressed concerns that the orientation of the Council’s discussions mean:
- Consistency of enforcement – could be compromised, and lead to divergence from an EU standard and GDPR requirements. This follows if the Council do not entrust enforcement of the ePrivacy regulation to the same national data protection authorities who enforce GDPR. The EDPB stressed those same authorities can ensure consistency of application through the use of GDPR cooperation and consistency mechanisms and act as a single point of contact for data controllers reducing the risk varying national cookie requirements;
- Potential move away from broad prohibitions – as the EDPB reiterates its support for broad prohibitions with limited exceptions, consent requirements, and anonymisation requirements linked to the use of metadata;
- A lost opportunity – to give clear guidance on “cookie walls”;
- Added procedural uncertainty – would arise if cookie enforcement is entrusted to national competent authorities who are not already members of the EDPB and would need to interact with the EDPB.
Considering the above, the EDPB closes their statement inviting Member States to “support a more effective and consistent ePrivacy Regulation, as initially proposed by the European Commission and as amended by the European Parliament". One thing is for certain, even after a 2 year delay and emerging European cookie enforcement, those hoping for clarity on the future of EU cookie requirements have a while to wait yet.
"The EDPB is concerned about some new orientations of the discussions in the Council related to the enforcement of the future ePrivacy Regulation, which would create fragmentation of supervision, procedural complexity, as well as lack of consistency and legal certainty for individuals and companies."