EU Cookie Law in Germany

As we are quickly moving towards Germany’s 1st anniversary of non-compliance with the infamous “EU Cookie Directive“, one would expect the legislator to really make a push to get something on paper, right? Well, not so. In fact, there isn’t even a legislative silver lining anywhere to be seen. We have witnessed one draft of a change to the “Telemedia Act” (the place where any transforming the EU’s wisdom into German law would take place) submitted by the federal state of Hessen last year that no one has really talked much about, and one draft submitted by the current opposition in the Bundestag that has now been rebuffed on committee level without before even getting a proper hearing in parliament – without spoiling us by publishing any reasons for the government’s stance, sadly. That said, that’s all good news, really.

The problem is this: German legislative acts tend to work on a very abstract level, especially in fields that the legislator doesn’t know much about (Computers? Internet? Cookies?). In this case the latest draft essentially takes the wording of the Directive, makes it worse by changing it (for instance, it says “data” instead of the Directive’s term “information”. Don’t even get me started) and then leaves us alone with the result. And that is no good for anyone who operates an even remotely advanced website.

For behold the new wording of Article 5(3) of Directive 2002/58/EC:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

As said, the German drafts that we have seen essentially repeat the wording. And now starteth the interpretation:

It is clear that cookies used for such things as tracking, advertising, especially behavioural targeting (aka the devil’s workings), require prior consent. But what about cookies used for language settings? Or cookies that make it possible to show you the videos you have recently chosen to watch? Well, that depends on how you interpret the law, doesn’t it? The ICO in the UK sees a requirement even for such cookies. But is that actually right given that the intention of the Directive (the way I see it, admittedly) was to stop the wide spread tracking and targeting practices without the average user even knowing that such things exist?

And how do you make sure that the user gives his consent? If you look at what has been suggested in the UK and start thinking about what our authorities would think of that, given their Stalin-like dogmatism (I personally think it’s quite alright actually even if certainly a rather bizarre-feeling change to¬† the user experience), loads of fun lie ahead. I bet you that even the ICO’s own implementation

“The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice.

[Checkbox] I accept cookies from this site”

would be ruled unlawful. Reasons? Well, because the ICO uses GA. Because the ICO claims to use cookies to make the website better, and how could that be true? Because it isn’t actually the ICO setting all the cookies but rather, in part, third parties (YouTube! GA! Microsoft!). Because the user is required to click the link before being informed on any details about the cookies, effectively enticing the user to just tick the ckeckbox. Because of whatever else.

And, equally important, how do you make sure that you can prove that the user, i.e. the human being, not the browser, has given consent? That’ll be interesting, won’t it? Do you present a logfile (that you are not even supposed to have if you believe the German data protection authorities)? Will there be IP disanonymization (I’m sure that’s not an actual word), someting that can only be legal in the land of Mordor for German data protection authorities. And even then, how do you know that it was Mr. Smith hitting the “I agree” button and not his 10 year old son? ? I could spend all day…

I am all for data protection (seriously!). But the more time we have with the Directive not having been transformed into German law the better. Of course, we lawyers would do our best to come up with workable suggestions on how things could be done in compliance with the law without killing our clients’ businesses. Rest assured, though, that the first, one could say “instinctive”, reaction of the data protection hardliners would be a resounding “no, you shall not track and target!”.

My main hope therefore is that other countries in the EU, in particular the UK, establish certain practical standards that are accepted as lawful by the authorities in those countries before Germany even gets to transforming the law, thus forcing the authorities to go with the flow, as it were, in order to avoid an unharmonized playing field for online businesses in the EU when we finally do have the legislative act in place.

Then again, who knows, we might have an EU Regulation by that time anyway.


For more updates on German and EU IT law and other IT-related matters please follow us on Twitter @germanitlaw.



Leave a Reply

Your email address will not be published. Required fields are marked *