Five EU countries taken to court for cookie law failures

Five E.U. member states will face the highest court in Europe after their governments failed to implement the E.U. 'cookie law'.

The European Commission said on Thursday it will take five E.U. member states to the highest court in Europe after they failed to implement the so-called "cookie law" more than a year after it came into effect.

Poland, Portugal, Slovenia, The Netherlands, and Belgium --- the home of the European Commission --- will have their day at the European Court of Justice to explain why they have done little or nothing in way of enacting out the wider European privacy directive.

The sooner the better, as the Commission has suggested a daily penalty payment that could run into the six-figures for at least two of the countries listed, until the law is rolled out.

Only Denmark, Estonia, and the U.K. --- which only did the barest minimum --- complied with the cookie law that was May 25, 2011.

A Commission spokesperson for Digital Agenda confirmed it had begun the "three-step infringement procedure" against the remaining member states --- with the exception of the U.K. --- following the passing of the deadline.

However, during the following weeks and months, the remaining member states transposed the necessary elements of the revised E.U. e-Privacy Directive into their own national laws.

"Since then 15 member states implemented the laws in full in addition to the original seven. We expect the Netherlands to complete implementation tomorrow," the spokesperson said.

"That leaves four likely court cases to be defended by the governments [not the regulators] Belgium, Poland, Portugal and Slovenia."

The directive caught the attention of many because it meant E.U. websites had to obtain the "consent" of its visitors to set cookies on a user's computer. It also includes data breach rules ahead of a wider E.U. Data Protection Regulation, and allowing customers to switch fixed or mobile operators without forfeiting their phone number within one business day.

But the "consent" factor has caused some headaches. It's not specifically outlined in the directive, and many nation states do not know how to define it.

The U.K.'s data protection authority, the Information Commissioner's Office, doubled-back its position only days before its grace period was over to include implied consent. Explicit consent pushes a popup to a user, while implied consent presumes that if a user continues to browse the site, they accepting the terms.

Only this week, the European Commission, despite pushing for the law, was left red-faced after it was found it did not abide by its own rules.

The directive has to be implemented into E.U. member states' legal systems, but because the European Commission and Parliament are not strictly part of the member states, they could argue their institutions are exempt.