Companies have been challenged with respect to their cookie policies and their implementation due to the entry into force of the GDPR earlier than the proposed ePrivacy Regulation

 Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookies requirements. The

It has been reported that the Information Commissioner’s Office (ICO) has issued the US-based Washington Post newspaper with a warning about how it obtains consent for cookies from website visitors.

According to a report in The Register, the ICO stated that the Washington Post’s online subscription options do not allow users to opt out of cookies and other trackers free of charge. Such functionality is only possible as part of the newspaper’s premium paid subscription service. The browsing options offered by the Washington Post are:

(i) free access to a limited number of articles dependent on consent to the use of cookies and tracking for personalised advertisements;

(ii) a basic subscription that provides paid access to an unlimited number of articles but which also requires consent to the use of cookies and other tracking; and

(iii) a more expensive premium subscription option that gives users access to an unlimited number of articles, free of advertising and ad tracking.

The ICO views this as a contravention of the EU’s General Data Protection Regulation (GDPR). Article 7(4) GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In failing to provide a free alternative to accepting cookies, the ICO appears to have determined that consent cannot be freely given by users, and is therefore invalid.

Continue Reading ICO warns that the Washington Post offers invalid cookie consent under the GDPR

The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect.

Background
Continue Reading Switzerland and the United States Agree Privacy Shield Framework

On 10 January, the EU Commission proposed a new Regulation on Privacy and Electronic Communications (“proposed Regulation”) to replace Directive 2002/58 (known as the “ePrivacy Directive”).

The proposed Regulation

The proposed Regulation aims to align the rules that apply to electronic communications services with the forthcoming General Data Protection Regulation (GDPR).
Continue Reading EU Commission publishes its proposals for new e-Privacy Regulation