Main Nav

Data Protection Reform Legislation in the European Union

Earlier in 2012, the European Commission proposed a major reform of the European Union’s (EU) legal framework on the protection of personal data.  The new proposals are meant to strengthen individual rights and to address the challenges of globalization in light of emerging technologies.  The EU's Data Protection Directive is also developing specific rules for the transfer of personal data outside the EU to ensure the best possible protection of data when it is exported abroad. (See earlier blog for further background information.)  Under EU law, personal data can only be gathered legally under strict conditions.  Organizations that collect and manage personally identifiable information (PII) must protect it from misuse and are required to respect certain rights of the data owners, which are guaranteed by EU law.

The Article 29 Data Protection Working Party was set up jointly by the European Parliament and the Council in 1995 to address issues on the protection of individuals with regard to the processing of personal data and the “free movement” of these data.  At its June 2012 meeting, it adopted an opinion on cookie consent exemption.

The revised Article 5.3 (the so-called “cookie-rule”) of the e-Privacy Directive, which went into effect on May 26, 2012, reinforces user protection of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s device.  While this opt-in requirement applies to all types of information stored or accessed in the user’s device, the majority of discussion has centered on the usage of cookies.

Article 5.3 allows some cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:

  • the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”;
  • the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

According to the Opinion, the following cookies are not covered by the exemptions, and thus require prior opt-in consent:

  • Social plug-in tracking cookies
  • Cookies used for third-party advertising
  • First-party analytics cookies

The Opinion reveals that some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes.  These cookies include:

  • User-input cookies (i.e., session-id cookies)
  • Multimedia player session cookies
  • User interface customization cookies (e.g., language preference cookies selected by a user).

EDUCAUSE will continue to monitor and report on this issue.