The European Commission said on Thursday it will take five E.U. member states to the highest court in Europe after they failed to implement the so-called "cookie law" more than a year after it came into effect.
Poland, Portugal, Slovenia, The Netherlands, and Belgium --- the home of the European Commission --- will have their day at the European Court of Justice to explain why they have done little or nothing in way of enacting out the wider European privacy directive.
The sooner the better, as the Commission has suggested a daily penalty payment that could run into the six-figures for at least two of the countries listed, until the law is rolled out.
Only Denmark, Estonia, and the U.K. --- which only did the barest minimum --- complied with the cookie law that was May 25, 2011.
A Commission spokesperson for Digital Agenda confirmed it had begun the "three-step infringement procedure" against the remaining member states --- with the exception of the U.K. --- following the passing of the deadline.
However, during the following weeks and months, the remaining member states transposed the necessary elements of the revised E.U. e-Privacy Directive into their own national laws.
"Since then 15 member states implemented the laws in full in addition to the original seven. We expect the Netherlands to complete implementation tomorrow," the spokesperson said.
"That leaves four likely court cases to be defended by the governments [not the regulators] Belgium, Poland, Portugal and Slovenia."
The directive caught the attention of many because it meant E.U. websites had to obtain the "consent" of its visitors to set cookies on a user's computer. It also includes data breach rules ahead of a wider E.U. Data Protection Regulation, and allowing customers to switch fixed or mobile operators without forfeiting their phone number within one business day.
But the "consent" factor has caused some headaches. It's not specifically outlined in the directive, and many nation states do not know how to define it.
The U.K.'s data protection authority, the Information Commissioner's Office, doubled-back its position only days before its grace period was over to include implied consent. Explicit consent pushes a popup to a user, while implied consent presumes that if a user continues to browse the site, they accepting the terms.
Only this week, the European Commission, despite pushing for the law, was left red-faced after it was found it did not abide by its own rules.
The directive has to be implemented into E.U. member states' legal systems, but because the European Commission and Parliament are not strictly part of the member states, they could argue their institutions are exempt.
- Sweet irony: EU imposes cookie law, ignores own rules
- CNET: What Britons need to know about U.K. ‘cookie law’
- ZDNet: UK data regulator issues cookie warning; Google faces compliance challenge
- ZDNet UK: ICO to enforce cookie law from this weekend
- Most government sites to miss cookie deadline
- Privacy watchdog to chase big companies over cookie law
- CNET UK: European ePrivacy directive cooks up anti-cookie laws
- Cookie law set to shake up UK websites, but won’t be enforced for a year