
Tuesday, 1 February 2022

Cookies, Google Analytics, transfers of PRN data and new guidelines on the right of access… Wrapping-up January events in data protection


The New Year brought us some interesting developments in the data protection landscape. There are a few January facts worth noting:


Fines imposed on Google and Facebook for non-compliance with the cookie rules 
At the beginning of January*, the French supervisory authority, Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a 150 million euro fine on Google and a 60 million euro fine on FACEBOOK IRELAND LIMITED, both for violations related to the use of cookies. According to the authority, users of sites owned by the companies (namely google.fr, youtube.com and facebook.com) cannot reject cookies as easily as they can accept them. Accepting cookies is possible with a single click of a button on the page, while no equivalent option is available for refusing cookies. Denying consent to cookies requires more involvement on the part of the user and at least several clicks. As a result, such a complicated refusal mechanism may act as a disincentive for users, so that they are more likely to accept cookies against their will. This in turn violates Article 82 of the French law transposing the provisions of the e-Privacy Directive. It also fails to meet the requirements of legally binding consent under the GDPR.

As a reminder, this is not the first sanction imposed by the CNIL on Google. In December 2020, the CNIL also fined Google LLC and Google Ireland Limited 100 million euro, because a large number of cookies used for advertising purposes was automatically deposited on users' computers, without obtaining prior consent and without providing adequate information. The Google companies filed an appeal against the decision, but the French Council of State upheld the CNIL's decision in late January 2022.


Use of Google Analytics not compliant with the GDPR
January was not a successful month for Google in terms of data protection. In addition to the above penalties, the Austrian Data Protection Authority found that a tool used on many websites, Google Analytics, violates the protection of EU citizens' personal data.** Why? Because the tool transfers personal data to the United States, and in the US, Europeans' personal data is not adequately protected. Previously, personal data could be transferred from the EU to the US under the EU Commission's decision on the adequacy of the protection provided by the EU-US Privacy Shield, but since the CJEU declared that decision invalid in mid-July 2020, data controllers have had to base data transfers on a different legal ground (for example, on standard contractual clauses). The problem is that US law does not provide sufficient protection against access to personal data by various public authorities, regardless of the legal basis on which personal data is transferred. And despite the fact that EU-US data transfers became illegal literally overnight, many companies continue to transfer personal data to the United States, mainly using IT tools provided by US companies, such as Google Analytics or similar technologies. The decision of the Austrian authority is therefore not surprising, but it certainly provides another confirmation that transfers of personal data to the US are legally questionable. Companies should examine their practices and consider choosing alternative European IT tool providers. But not only companies! It looks like the European Parliament should too: the European Data Protection Supervisor also issued a decision in January this year in which he questioned the legality of transfers of data collected via cookies on one of the EP's websites.

EU rules on the collection of air passenger information are in line with the EU Charter of Fundamental Rights and the GDPR, but with some reservations

On the 27th of January, AG Pitruzzella delivered his opinion in case C-817/19 Ligue des droits humains concerning, inter alia, the interpretation of the provisions of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. AG Pitruzzella assumes that the transfer of PNR data and the pre-travel screening of air passengers by means of automated processing of such data is generally compatible with Articles 7 and 8 of the EU Charter of Fundamental Rights. However, he also pointed out that such data should only be stored when necessary in view of a serious and genuine threat to security and for a period limited to the minimum necessary. 

This case deserves a wider comment and a separate blog post, so we will come back to this topic shortly, as soon as the English version of the opinion is published on the Court's website. 



Guidelines on data subject rights - right of access

Finally, at the end of January, the European Data Protection Board published new guidelines on data subjects' rights, specifically on the right of access to data. For the time being, this is the version for public consultation. The feedback period is now open, so make your voice heard until March 11th!


* To be precise - CNIL's decisions were issued on December 31, 2021, but the information about the fines was published on the authority's official website in the first days of January. 
** Again, the decision was issued just before Christmas, but published on January 12, 2022. 



Monday, 22 November 2021

European Data Protection authorities speak up on targeted advertisement

Dear readers,

This is a teaching-intensive autumn across European universities, with all the excitement, uncertainty and overall strains of being mostly back in class after over a year of mostly living-room lecturing.

This, however, should not mean that we let crucial developments go unnoticed: last week, in fact, the European Data Protection Board (EDPB) issued its most resolute opinion yet on the matter of privacy and behavioural tracking. Cookies, in other words: a staple not only of many people's secret kitchen stashes but also of equally elusive locations on our devices.

The occasion for issuing this opinion is commenting on the Commission's Digital Services Act, which according to the Board should be brought more clearly in line with data protection rules. Couched among guidelines and standpoints on a number of highly salient issues, from counterterrorism to face recognition AI, the EDPB has called for

1) considering a phase-out of targeted ads based on "pervasive tracking";

2) in any event, prohibiting targeted ads addressed at children.   

The opinion does not expand on the reasons for such a standpoint, but mainly refers to previous positions contained in comments on the DSA by the European Data Protection Supervisor (EDPS) and the European Parliament. In fact, criticism of the current rules' focus on informed consent has been around for at least the better part of the past decade (see, for a classic, Frederik Borgesius).

The European Data Protection Board is composed of representatives of the national data protection authorities. As a collective body mirroring positions in the Member States, its position can perhaps have more sway than the occasionally more principled stances of the EDPS.

Monday, 4 October 2021

EDPB creates cookie banner taskforce

Last week the European Data Protection Board (EDPB), a body that represents the European data protection authorities (DPAs), decided to establish a cookie banner taskforce. Why? Because of 422 complaints filed with ten different DPAs by the non-profit organization None of Your Business (NOYB), founded by Max Schrems. Responding to all these complaints certainly requires coordinated action in order to ensure uniform application of the GDPR across the EU, as well as to support DPAs and to facilitate communication between them. Hopefully, this will also accelerate national proceedings and provide better consumer protection in the context of cookies and data processing.

Cookies and other tracking technologies have attracted the attention of some authorities in recent years. Some of them have adopted guidelines or FAQs (see for example the Spanish DPA guidelines or the French DPA guidelines and recommendations). The issue is important because in many cases the use of cookies does not comply with the GDPR, especially when it comes to providing information about cookies, collecting consent to data processing or allowing the withdrawal thereof. Not to mention that cookie banners can be annoying and rather discourage people from reading complex cookie policies. This is why NOYB analysed several thousand websites available in the EU to identify the most common breaches and then filed complaints where necessary. First, however, letters notifying the infringements were sent directly to the site controllers. Interestingly, according to NOYB's statistics, 42% of all violations were remedied within 30 days. This is not a bad result, but it certainly falls short of expectations. The most frequent violations include, inter alia: no option to reject cookies on the first layer, pre-ticked boxes, no possibility to withdraw consent as easily as it was given, and the use of a deceptive contrast or colour for the "reject" button.


What do the violators say? According to informal feedback that NOYB received, the companies usually fear that if they comply with the requirements they risk falling behind their competitors. Some of them also prefer to wait for a clear explanation from the DPAs before complying.


In other words, the question remains the same: how to have your cake and eat it too?

Wednesday, 2 October 2019

CJEU confirms stricter requirements for valid cookie consent - case C-673/17 Planet49

Yesterday the Court of Justice delivered its judgment in case C-673/17 Planet49, concerning the requirements for a valid consent to the storage of cookies. The judgment largely falls in line with the previous opinion of Advocate General Szpunar, on which we reported in an earlier post (see: Pre-ticked checkboxes NOT informed consent...).

Background of the case

To recall, the case involved a promotional lottery whose prospective participants were asked, among others, to provide personal details and agree to be contacted by various sponsors. Besides several items, to which users agreed by ticking corresponding boxes, the form included another, already pre-ticked checkbox, which concerned the placement of cookies by Planet49. German consumer organisation vzbv questioned the validity of such 'consent' under Directive 2002/58/EC on privacy and electronic communications. Following a 2009 amendment, Article 5(3) of that Directive required Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

As readers may remember, Directive 95/46/EC was, in the meantime, repealed and replaced by the General Data Protection Regulation. The E-Privacy Directive was also supposed to be replaced with a regulation, with the aim to increase coherence with the GDPR. The respective proposal, however, got stuck in the legislative pipeline. The Court was not distracted by these facts and decided to interpret Directive 2002/58 in the light of both Directive 95/46 and Regulation 2016/679.

Judgment of the Court

First of all, the Court agreed with the Advocate General that consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot validly be obtained by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent. To support this conclusion, the Court referred to the requirements for consent to be 'specific' and 'unambiguous' under Directive 2002/58 as well as the even more detailed wording of the GDPR.

Importantly, the Court did not elaborate on the requirement that consent must be 'freely given', arguing that a corresponding question had not been asked by the referring court. A response to such a question, one of major importance to the digital economy, would involve an assessment of whether the user's consent to the processing of personal data for advertising purposes constituted a prerequisite to that user's participation in a promotional lottery. As noted in our previous post, the Advocate General elaborated on this matter in a way that was subject to criticism. Against this background, the self-restraint shown by the Court is to be welcomed.

As regards the question whether the interpretation set out above should differ, depending on whether or not the information stored or accessed on user's terminal equipment qualifies as personal data, the Court responded with a clear 'no'. This remains in line with the rationale of Directive 2002/58 which aims to protect the user (including natural persons acting for business purposes) from interference with his or her private sphere, regardless of whether or not that interference involves personal data.

Finally, as regards the scope of information to be provided to the user before obtaining his or her consent, the Court opted for a broad reading of Article 5(3) of Directive 2002/58 in conjunction with Article 10(c) of Directive 95/46 and Article 13(1)(e) of the GDPR. In this respect, the Court once again sided with the Advocate General, stressing that "clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed" (para. 74). The Court considered that information on both the duration of the operation of cookies and whether or not third parties may have access to them had to be provided to the user.

Concluding thought

The judgment in Planet49 strengthens the protection of privacy in the digital sphere, not only of consumers stricto sensu, but of internet users more generally. Moreover, the Court confirmed that the standard of 'cookies protection' does not depend on whether or not the user's personal data is involved. Privacy, according to this reading, concerns the very fact of placing pieces of software on the user's 'terminal equipment'. This resembles the way in which some consumer authorities have read the notion of 'aggressive practices' under Directive 2005/29/EC on unfair commercial practices, also beyond the cookie context (see especially the Italian decision against Facebook). Whether or not such an approach to the UCPD will hold, and how it might be related to standards of disclosure, is still an open question (on the latter, see the judgment of the Court in Wind Tre, para. 45 et seq.). When it comes to the E-Privacy Directive these questions do not emerge: here, without doubt, the duty to inform provides a further layer of protection on top of the one provided by the consent framework. The E-Privacy Directive, therefore, is quite remarkable: it combines high standards of consumer law and data protection law and applies them beyond their traditional scope. Hopefully, internet users will truly be able to benefit from it.

Tuesday, 30 July 2019

CJEU in Fashion ID (C-40/17): some consequences of embedding social plugins

Yesterday, the CJEU published its judgment in Fashion ID, a case concerning mainly the notion of "controller" under EU data protection law.

The facts of the case are relatively simple: Fashion ID had placed a "like" button on its website which was connected to Facebook. What Fashion ID's customers may not realise is that, even if they did not use it, the button's presence meant that information concerning them was being transmitted to Facebook. In the proceedings it was uncontested that this information qualified as personal data.

Verbraucherzentrale NRW, a consumer association, sought an injunction against Fashion ID demanding that it abandon such practice. The question whether Fashion ID has any obligations in connection with the data processing, including the duty to inform consumers that their data are being collected and/or to obtain their consent, depends on whether the website operator is to be considered a data controller.

The referring court doubted whether this is the case since the website operator has no control over the processing of the data transmitted to the plugin provider (para 37).

The Court, in essence, answered that the operator of the website acts as a controller, and is thus responsible for informing the consumer or collecting their consent, insofar as the collection of information and its transmission to Facebook is concerned. In particular concerning the collection of the user's consent, the Court highlighted that it would not be in line with efficient and timely protection of the data subject's rights if consent were given only to the second controller, which is involved at a later stage (para 102). Even more strongly, when a customer is not a Facebook user, their data will be processed by the social media operator without them having any direct connection to the latter, which makes the responsibility of the other provider all the greater (para 83).

However, the website operator is not responsible vis-à-vis the data subjects for any other uses that Facebook itself will make of the data, nor for collecting their consent in that respect (para 102).

While the website has no control over the use of the transmitted data, the purpose of such collection is in part related to the website's benefit, as it allows better promotion of its products (paras 77-81).

As concerns the collection of data without the subject's consent, i.e. data that is necessary for the pursuit of a legitimate interest, the Court importantly clarified that where both the website and the provider of the social plugin are controllers, they must both be pursuing a legitimate interest for that ground of processing to apply (para 96).

The decision interprets the relevant provisions of the "old" Data Protection Directive, which has meanwhile been replaced by the GDPR, but the concepts it deals with have been kept in the Regulation, so the decision can be transposed to the new rules.

Quite unsurprisingly, the Court rejected Fashion ID's claim that consumer associations would not be entitled to bring any claims under data protection rules: while Article 80(2) of the GDPR quite famously invites Member States to set up collective enforcement mechanisms, nothing in the previous directive, which only contained general indications on enforcement, can be seen to stand in the way of Member States allowing consumer associations to bring such claims (see in particular paras 57-62).

The Court seems to be aware of the potentially high-profile nature of this case and has accompanied the publication of its decision with a press release.

Thursday, 14 February 2019

French tribunal invalidates many terms in Google+ T&Cs

On Tuesday, the Tribunal de Grande Instance of Paris decided on a claim presented by the French consumer association Que choisir against Google and challenging the company's practices and contract terms involved in the (recently discontinued) Google+ service. 

The association challenged Google's Terms of Service and Privacy policy in their entirety, but also a large number of individual clauses contained therein. 

The Court analysed these terms in light of consumer legislation, in particular the unfair terms provisions of the Code de la consommation, and data protection rules. It also, possibly quite crucially, relied on a number of provisions in the same Code which dictate the information that consumers must receive prior to contract conclusion.

Different types of terms were, in this context, considered as invalid:

1) Terms which described the purpose of data collection in a way that did not allow the consumer to really understand what their information was going to be used for
In particular, the Court condemned certain terms for presenting data collection as (exclusively) aimed at providing better services, rather than making the consumer aware of the commercial value and utilisation of the information collected (see clause 4 privacy policy, p. 88 of the decision).

2) Terms concerning geo-localisation
In this case, the main challenge is that the geo-localisation information is in no direct connection to the service and takes place through connecting to information stored by different services. Consumers should, the decision implies, have the chance to accept or reject this separately. See Clause 9 Privacy Policy, p. 93.

3) Terms allowing the provider to change the data concerning certain users, and to keep a log of old data that a user has sought to rectify
This is against data protection principles, which put individuals in control of their personal data after it has been collected. See clauses 14 and 17 Privacy Policy, pp. 98-100.

4) Terms requiring users to accept that their information may be stored outside of the EU/EEA, without safeguards
Such terms are not so much unfair as plainly in conflict with mandatory rules restricting the transmission of data outside of the EEA, except where provided for by "safe harbour" agreements. See Clause 19 Privacy Policy, p. 102.

5) Terms allowing the provider to change their conditions, or to terminate the provision, without indication on which grounds such measures could be taken

6) One of the terms in the Terms of Use was declared invalid for its attempt at waiving all sort of liabilities without any clear delimitation of the waiver's reach

7) Another term, concerning cookies, alerted consumers that "not all services" could reasonably work without them, but did not give any indication as to what the specific impact of refusing cookie collection could be

The Court considered both the Terms of Use and the Privacy Policy as parts of one global contractual agreement. Contrary to the association's submissions, it considered that, in itself, the presentation of the two documents was sufficient to provide users with information concerning the nature and scope of what consumers agree to: in particular, the use of hyperlinks and "fragmentation" of relevant information is suitable to avoid an excessive concentration of information in a single text of limited space, the lexicon is sufficiently informal and includes a glossary, and the personal nature of the information processed is sufficiently highlighted.

In particular, to the extent that, as for geo-localisation, the Court seems to require separate approval, i.e. approval that is not obligatory in order to get access to the service, Que choisir has commented that the decision marks an end to "les conditions générales interminables à accepter en bloc". In some cases, where the contested terms were plainly against data protection legislation, the decision should also mean that those terms can no longer be employed.

On the other hand, in so far as transparency was the reason for invalidating many of the controversial clauses, it remains to be seen what the practical consequences of the decision, which is, furthermore, still subject to appeal, will be. Interesting times!

(A PDF copy of the decision, in French, is available on Que Choisir's website as linked above)

Monday, 19 September 2016

GDPR, e-Privacy and beyond: more certainty and coherence for the online sector (or quite the opposite)?

The interplay of GDPR and e-Privacy Directive

One of the objectives of the General Data Protection Regulation (GDPR), which was adopted earlier this year and will effectively replace Directive 95/46/EC in 2018, was to make the European data protection framework fit for the 21st century. The extensive regulation does indeed bring the existing framework up to date and promises greater uniformity of national standards and interpretations. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the new data protection regulation strengthens the conditions for a valid consent, ensures that data subjects are provided with information and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also introduces a widely cited right to be forgotten and the equally important right of data portability. All these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift as they not only require data controllers to ensure data protection compliance ex ante (i.e. already at the planning stage), but also to design standard settings in a way that only the minimum amount of personal data necessary is being processed. The regulation also elaborates on the data controller’s obligation to ensure data security and report data breaches.

In line with the previous personal data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the updated data protection act is an increasingly comprehensive regime with an intentionally broad scope of application. Nevertheless, believe it or not, there are still several issues that have not been addressed by the data protection framework. These relate more broadly to the protection of privacy (Article 7 of the Charter), and have so far been regulated by Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). In the words of the European Commission, the directive "sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers' data". It touches upon issues such as: confidentiality of communications, security of networks and services, data breach notifications, as well as requirements regarding, among other things, unsolicited commercial communications (spam), the storing of information in subscribers' terminal equipment [Article 5(3), the source of the ubiquitous cookie consent pop-ups] and the processing of traffic and location data. The interplay between the e-Privacy Directive and the general personal data protection legislation is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

As a result, the directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations which were carried out in this context. A careful, consumer-oriented analysis was, as usual, submitted by BEUC and is now available on its website.

Review of e-Privacy Directive and BEUC response

Why do we need an e-privacy instrument and which services should be included in its scope?

BEUC: While recognising the important developments within the framework of personal data protection, BEUC remains convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector, complementing and particularising the provisions of the GDPR. In the view of BEUC, sector-specific rules should address, in particular, the issue of data mining and tracking/profiling of users as well as confidentiality of communications. The scope of such an act (ideally a regulation) should cover both traditional electronic communication services and over-the-top (OTT) services such as Voice over IP and instant messaging (Skype, WhatsApp, Messenger). OTTs are currently outside the scope of the e-Privacy Directive, as they do not fall under the definition of an electronic communication service, which requires inter alia "conveyance of signals".

Which issues remain unresolved under the current data protection regime?

Security and confidentiality

BEUC: Providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. Users should remain free to apply other techniques.

Comment: While the need to ensure the security of electronic communications seems undisputed, a potential overlap between the e-Privacy instrument and other pieces of legislation, in particular the GDPR, the NIS Directive and their implementing acts, should be taken into account. At the same time, there seems to be a strong case to maintain and even extend the scope of the existing provisions on confidentiality to OTTs, as this issue does not seem to be addressed elsewhere.

Accessing users’ devices (e.g. in order to place a cookie)

BEUC supports the existing consent requirement laid down in Article 5(3) of e-Privacy Directive. More importantly, however, it argues that users should not be prevented from accessing non-subscription based services if they refuse the storing of identifiers (i.e. cookies) that are not necessary to provide the service. Furthermore, according to BEUC, the lifespan of cookies should be linked to their purpose.

Comment: Five years after the implementation of the cookie consent provision, no one dares to deny that the directive failed to achieve its desired impact. Indeed, consent requests are generally treated as a formality and essentially confront users with a take-it-or-leave-it situation. BEUC's proposal appears suitable to address this problem. At the same time, questions relating to the interface between the e-Privacy Directive and the remaining EU acquis continue to arise. Couldn't the requirement to provide users with a clearer and more granular choice and to adhere to the principle of data minimisation be derived from the GDPR (now that online identifiers are clearly in its scope)? To what extent could the collection of data for purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance, which has actually elaborated on this matter? What about the proposed Digital Content Directive and Distance Sales Directive: shouldn't they have something more to say about this? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) and, consequently, is the e-Privacy Directive the right instrument to regulate this issue? Before reopening the whole cookie debate once again, it would seem reasonable to first assess where we stand.

Traffic and location data

BEUC: The consent requirement for the processing of traffic and location data should be maintained and the exemptions to this rule should not be broadened. On the contrary, the scope of the provision should be extended to cover GPS location data and Wi-Fi network location data used by information society services in mobile devices.

Comment: Stricter conditions for the lawful processing of traffic and location data (a consent requirement for certain types of processing), along with specific requirements as to the erasure or anonymisation of data, can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and by other information society service providers. At the same time, while understanding BEUC's concerns about anonymisation, it needs to be recognised that traffic and location data are essential for the proper functioning of many digital services. The European legislator should therefore make sure that the revised instrument does not throw the baby out with the bathwater.

Unsolicited commercial communications

BEUC argues that marketing messages sent through social media should be subject to the same opt-in obligation that applies to email. Indeed, both channels of communication share certain similarities. In practice, however, unsolicited commercial messages on social media do not seem to present a serious problem, and in this domain the issue of targeted advertisements appears much more pressing.

Conclusion

Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in the GDPR constitute a significant development in the data protection regime. In the technologically mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (e.g. already at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become “fundamental guiding principles in the online environment”. Given the growing importance of data-driven business models, this appears to be a noble aim. The European legislator should, however, also make sure that innovation is not killed on the way – and to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary.


Wednesday, 22 October 2014

Press digest

Telecommunication

The European Commission announces that it will no longer regulate fixed telephone lines, since the market has moved towards mobile and online telecommunication. (Europe says goodbye to fixed line regulation, hello to mobile era)

Tobacco Products Directive

UK e-cigarette manufacturer, Totally Wicked, challenges the validity of art. 20 of the Tobacco Products Directive at the CJEU, claiming that e-cigarettes should not be regulated as "tobacco related products" if they don't contain tobacco. (E-cig manufacturer wins right to challenge Brussels in EU courts; Totally Wicked vs. the EU's tobacco directive; First e-cig TV adverts from next month)

EU Data Protection and ePrivacy rules

Worries are being expressed about strengthening the existing data protection rules when businesses do not even seem able to comply with the current ones (EU set to strengthen data protection laws). Data Protection Authorities across the EU are currently stepping up enforcement of the existing EU data protection rules by conducting a widespread cookie sweep (Are you ready? The EU "Cookie Sweep" is upon us). Other sources report widespread non-compliance of cloud-based storage service providers with the existing EU data protection rules (Most cloud apps flout EU data protection rules - study).

Tourism sector

TUI Travel argues in the UK for more support to be given to the reform of the Package Travel Directive and the Regulation No 261/2004 on air passenger rights. (TUI Travel calls on UK government to support the travel and tourism sector at home and abroad)

Competition

European booksellers plead with the European Commission and BEUC to set up an investigation into the monopoly position of Amazon in the online book market, which harms European consumers by depriving them of a rich and diversified online book offering. (Booksellers raise Amazon monopoly concerns with European Commission)

Health claims

The new rules on food labelling (EU Regulation 1169/2011 on food information to consumers) are to enter into force as of December 2014 (nutrition information as of December 2016). The sports nutrition sector in particular may have to invest time and money to adjust the labels of its products to the new rules. While this regulation forces producers to be very specific in listing the ingredients of their products, it may become even more difficult for producers to justify placing simple claims on how certain products may boost energy, etc. (which are also regulated by Regulation 1924/2006). (Claim, set and match)

Consumer behaviour

Two new sets of survey results have been published, showing growing trends in consumers' online shopping habits. (UK leads European online shopping; Northern European web shoppers spent €1,780 each in 2013) In the meantime, Facebook sets up a new division - Facebook IQ - to try to understand consumer behaviour better... (Facebook forms new unit to study consumer behaviour).

Thursday, 30 January 2014

Pingback: first fines for cookie rules violation in Spain!

As reported by the Privacy Law Blog, the first known fines since the implementation of the new cookie rules in Europe have been issued. We refer our readers to that interesting post for further information...