Mr. Erkki Liikanen
200 rue de la Loi
12 February 2001
I understand from Mr. Jaakko Rauramo that he recently discussed with you some aspects of the political agreement of the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector. Jaakko has suggested that I follow up with you directly on our key concerns, as we need some help from you and the Commission in improving the text during the final stages.
As you know, the EPC is mainly concerned about the article which relates to cookies (5.3). Although we would have preferred an opt-out regime for email and SMS, we believe that we can live with the Council wording as far as the e-marketing activities of publishers are concerned. The same is not true, however, for the wording on cookies. As currently worded, we face real practical problems.
The EPC accepts the obligation upon publishers to provide notice to consumers about the use of cookie techniques on their sites (including those of our third party ad-servers). We also think this should be provided in a way which is clear and easy to follow with links to information on how to reject cookies and to prevent their storage on an individual’s hard disk. We feel that the combination of clear, practical information combined with opt-out advice is a sensible, proportionate approach, which achieves a balance between functionality of websites and users’ privacy rights. Also it is in line with existing data protection legislation and in particular with Directive 95/46/EC on processing of personal data.
I have set out below the wording of Recital 25 and Article 5.3 of the Directive as agreed by the Council of Ministers on 6 December, showing the amendments we feel are necessary.
- However, such devices, for instance so-called cookies, can be a legitimate and useful tool, for example, in analysing the effectiveness of web site design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance so-called cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed in accordance with Directive 95/46/EC, on condition that clear and precise information about the purposes of cookies or similar devices is provided promptly by the operator of a web site sending such devices or allowing third parties to send them via his web site. The web site operator should also give users at least the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. Information and the right to refuse may be offered once for the use of various devices installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The modalities for giving information, and offering a right to refuse (delete or requesting consent) should be as user-friendly as possible. Such modalities
- Member states shall ensure that the use of electronic communication networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned, is provided promptly with access to clear and comprehensive information, inter alia about the purposes of the processing in accordance with Directive 95/46/EC, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the user.
- When a cookie is sent to a user, the user’s computer is assigned a number (i.e., Mr. Smith’s computer will become “computer holder of cookie 007”). This allows the user’s browser to tell the web site operator certain basic information, e.g. that the computer holding cookie 007 uses an Internet browser in English or that it uses a UK-based access provider.
- The cookie itself will not provide any personal data from the user (unless the user has consented to provide such data himself/herself in accordance with existing Data Protection legislation).
- If a user chooses to reject cookies having logged onto a site, but after one has already been sent (which is common practice in both the public and private sector), this does not in any way affect or undermine his/her ability to enforce their right to refuse to have the cookie stored on their computer.
- This is because the user will be able to erase the cookie by following the web site operator’s instructions on how to delete the cookie, so that it will be as if the cookie had never been received.
- Further, by doing so, if any cookie-related information had been collected by the web site operator when the cookie was first sent, the user’s action of deleting the cookie from his/her hard disk would render the cookie-related data received by the web site operator redundant.
- The web site will still hold the information about cookie 007. However, the next time the former holder of cookie 007 visits the web site that sent him cookie 007, the site will not be able to identify that visitor as the former holder of cookie 007. Thus, the cookie-related information becomes redundant and completely unidentifiable, as soon as the holder of the cookie deletes it from his/her computer.
The EPC hopes very much that you will support our proposed amendments. Please do not hesitate to get in touch if you would like any further information.
With kind regards,
Angela C Mills
CC. Mr. Francisco Pinto Balsemão, Chairman, EPC
+ Mr. Jaakko Rauramo, Chairman and CEO, SanomaWSOY Corporation, Finland