Sweet irony: EU imposes cookie law, ignores own rules

You would think an executive body of 27 member states that dictates part of their respective laws would adhere to its own? Think again.
Written by Zack Whittaker, Contributor

On all European Union institution websites, you will be lucky to find a single page that asks the visitor for permission to set cookies. But they're using them all the same.

The 'cookie law' requires any company with an E.U.-targeted website to seek permission from its visitors to install cookies. These small bits of data often help personalise the website experience, but can also be used by advertisers to track behaviour and other online activity.

The Article 29 Working Party --- the group which advises individual European privacy authorities on matters of data protection, and the European Data Protection Supervisor --- a cross-nation group of data protection officials, both fail to adhere to the E.U.-wide so-called "cookie law".

Despite the U.K. "cookie law" taking effect over the weekend, wider E.U. institutions --- including the European Parliament and the European Commission --- are not practicing what they preach.

Field Fisher Waterhouse partner and data protection expert Stewart Room said Europe "may argue that they’re not bound by the new cookie rule, but that’s unlikely to impress anyone."

Room told ZDNet that the scope of the E.U. cookie law, that stemmed from the 2009 amendments to the E.U. E-Privacy Directive, applies only to member states.

"Therefore, the E.U. may argue that, technically speaking, the new cookie rule does not apply to the E.U." He notes that it may not be as simple as that, and that the argument may be flawed.

"The EU is bound by the 2001 Data Protection Regulation (45/2011) --- not to be confused with the draft Data Protection Regulation 2012 --- and there are strong grounds to suspect that some parts of the EU's cookie use constitutes the processing of personal data."

If you thought Europe was the prime example of bureaucracy and red tape, well, you would be pretty much spot on.

The rules for governing E.U. institutions were spun off from everyone else's some years ago. Updating the rules in 2009 when the amendments were put through would have required a whole new Regulation, which would have been difficult if not impossible to achieve at the time. The amendments were hard enough to get through the Parliament and the governments of the member states without opening another can of worms.

Instead of updating all the rules at the same time, only around 99 percent were. But the Commission likely doesn't see the legalities as a major issue. One E.U. official told me that while the Commission is "entirely willing" to follow the same path as everyone else.

In spite of this, the E.U. does have an example to set to its member states. Whether or not a law does in fact apply to the institutions of European government makes little difference. It's not as though it would limit the executive functions of E.U. governance from ticking over. If member state governments have to enact the E.U. cookie law, the E.U. itself should as well.

"Its very hard to see why the EU should be in a special category," Room added.

"The point is that the E.U. should comply with the spirit of the law, particularly when it is being so strident on the need for good data protection and when it is lecturing non-E.U. bodies, such as those in the U.S., on how the Internet should be run."

A Commission spokesperson for Digital Agenda said the executive body is pushing for changes to its online services, and plans to implement Do Not Track in the near future.

"Neelie Kroes [Digital Agenda Commissioner] is committed to the idea of the European Commission practising what it preaches. If there is proof of a part of the EU institutions not being transparent about cookies, please let us know, so we can work to address it," the spokesperson said.

Ms. Kroes, consider this a heads up.

Image credit: CNET UK.


Editorial standards