1. Privacy & cookies
The Reference CRM inspiration day 2013
Bart Van den Brande
Advocaat – partner
Sirius Legal advocaten
www.siriuslegal.be
bart@siriuslegal.be
@BartVdBrande

2. Short update on privacy

3. Short update on privacy
Current Situation
Current privacy directive (including Belgian privacy law of 1992 based on that directive) is no longer
effective
No unified rules between member states
Lack of control over big player (a.o. Ireland has very liberal rules)
Basic principle of server location or company location is no longer relevant in cloud computing era
Potential loss of business due to ineffective legal system: 2,3 billion euro/year according to EU

4. Short update on privacy
Basic principles of Belgian privacy law of 8 December 1992
There is no general “right to privacy”
Definition of personal data is very broad
Prior opt-in required for all data collecting and processing
“Free and informed” opt-in
Separate opt-in for data transfer to third party
Demand of opt-in by “data controller” (as opposed to “data processor”)
Declaration at privacy commission required in most cases
(online at www.privacycommission.be, cost is 25 euro)
Limited exceptions (if processing is unavoidably needed)

5. Short update on privacy
Basic principles of Belgian privacy law of 8 December 1992
Individual’s rights
Right to refuse
Right to access and correct
Right to oppose to future processing
Right to be informed (through privacy policy)

6. Short update on privacy
Proposal of new EU regulation
Regulation ≠ directive: uniform rules througout entire EU
Work in progress since 2012
First draft text released in May 2013
Currently being amended and voted by committees
LIBE Committee voted on 21 October 2013 (civil liberties, justice and home affairs)
Next steps: Agreement of Counsel of Ministers and Commission is sought
If no agreement, Plenary vote in EU Parliament in April 2014 (?)

7. Short update on privacy
Main objectives
One stop shop throughout EU
Greater hamonization
Strengthening individual rights
Less administrative burden
More effective enforcement of rules

8. Short update on privacy
Main principles
Applicable to anyone offering services on the EU territory (LIBE: “even free services”)
Personal data = any data allowing identification, including online identifiers, “pseudonymous data”
Consent has to be given explicitely (LIBE: “purpose limited”)
Extended information obligation (LIBE: use of standard icons)

9. Short update on privacy
Main principles
Obligation to notify data subjects and authorities of data breach (LIBE: “without undue delay”)
“Data protection by design” and “data protection impact assessment”
“Data protection officer” if + 250 employees, with obligation to document processes (LIBE: “or +5000
data subjects processed over last 12 months”)
Cross border data transfer: current system to remain in force for 5 more years
Sanctions: LIBE: up to 5% of annual sales or 100 million

10. Short update on privacy
Main principles
Right of erasure
Right of data portability
Prohibition against profiling
Article 29 Working party (advisory body) replaced by European Data Protection Board (official body)

11. Short update on privacy
Practical tips (if nothing changes)
Stay up to date with regulation drafts
Review notice forms, consent forms, privacy policies, data controller/data processor contracts
Implement data breach notification readiness
Implement data processing documentation system
Data protection by design and data protection by default
Conduct data processing impact assessment
Pseudonimize/Anonymize/encrypt data where possible to escape stringent rules
Secure personal data adequatly

12. One last time:
the truth about cookies
Again with the cookies?

13. One last time:
the truth about cookies
Again with the cookies?
Tools like Kméléo:
Remarketing/OBA tools
Do not use cookies
Read out users browser history just before page landing
Display advertisements based on that browsr history
Claim not to use personal data
Claim to escape cookie regulations

14. One last time:
the truth about cookies
So yes, once last time again with the cookies

15. A bit of background
What are cookies?

16. A bit of background
What are cookies?
A cookie is a small amount of data generated by a website and saved on your
computer by your web browser.
Its purpose is to remember information about you, similar to a preference file created
by a software application.
Why all the fuss about cookies?
In one word: privacy…

17. A bit of background
What are cookies?
first party cookies
vs.
placed by website
functional cookies
placed by Google Analytics or ad brokers
vs.
log-in, registration, language
permanent cookies
remain present
third-party cookies
non-functional cookies:
statistics, remarketing, OBA
vs.
session cookies
erased after surfing session

18. A bit of background
The legal small print

19. A bit of background
The legal small print
EU e-privacy directive 2002/58/EC
Obligation for member states to adapt national law before end 2012
Belgium: new article 129 in Telecom law since October 2012

20. A bit of background
The legal small print
“De opslag van informatie of het verkrijgen van toegang tot informatie die reeds is opgeslagen in de eindapparatuur van een abonnee of
een gebruiker is slechts toegestaan op voorwaarde dat :
1° de betrokken abonnee of gebruiker, overeenkomstig de voorwaarden bepaald in de wet van 8 december 1992 tot bescherming van de persoonlijke
levenssfeer ten opzichte van de verwerking van persoonsgegevens, duidelijke en precieze informatie krijgt over de doeleinden van de verwerking en
zijn rechten op basis van de wet van 8 december 1992;
2° de abonnee of eindgebruiker zijn toestemming heeft gegeven na ingelicht te zijn overeenkomstig de bepalingen in 1°.
Het eerste lid is niet van toepassing voor de technische opslag van informatie of de toegang tot informatie opgeslagen in de eindapparatuur
van een abonnee of een eindgebruiker met als uitsluitend doel de verzending van een communicatie via een elektronische- communicatienetwerk uit te
voeren of een uitdrukkelijk door de abonnee of eindgebruiker gevraagde dienst te leveren wanneer dit hiervoor strikt
noodzakelijk is. De toestemming in de zin van het eerste lid of de toepassing van het tweede lid, stelt de verantwoordelijke voor de verwerking niet vrij
van de verplichtingen van de wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van
persoonsgegevens die niet opgelegd worden in dit artikel.
De verantwoordelijke voor de verwerking biedt de abonnees of eindgebruikers gratis de mogelijkheid om op eenvoudige wijze de gegeven
toestemming in te trekken.“

21. A bit of background
The legal small print
Belgian law does not contain any further details on
How to warn and inform
How to obtain opt-in
How to enable opt-out
Who is responsible
Law is vague, unclear and leaves room for interpretation
Entire sector is waiting for clear guidelines from Privacy Commission or BIPT/IBPT

22. A bit of background
The legal small print
Meanwhile
EU standpoint is clear (directive + declarations commissioners Kroes and Reding)
“Working Party 29” standpoint is clear (Belgian Privacy Commission is part of WP29)
Neighbouring countries regulations are clear

23. What does this mean for you?

24. What does this mean for you?
By deduction:
Functional first party cookies (language, shopping cart, settings, password, technical):
No need to obtain opt-in, but obligation to inform (e.g. in privacy policy)
Non-functional cookies or third party cookies (remarketing and OBA, Google Analytics, …):
Obligation to inform prior to placing cookies
Obligation to obtain explicit opt-in prior to placing cookies
Possibility to opt-out in future

25. What does this mean for you?
By deduction:

26. What does this mean for you?
So, by deduction:
Opt-in has to be
Free of obligation (i.e. be able to visit website even without opt-in)
Explicite (requires active intervention of visitor)
Informed (requires prior information of visitor)
Given before any cookie is installed
Revocable

27. What does this mean for you?
So, by deduction:
From a practical point of view
Information on use of cookies, type of cookies used, aim of cookies (in privacy policy)
Clear warning upon first visit + link to information
Clear free choice for visitor to opt-in or not (possibility of layered approach)
Clear information about opt-out possibility (in privacy policy)

28. What does this mean for you?
So, by deduction:
Pop-up?
Splash screen?
Warning in banner or footer?
“Implicite opt-in”?
All seem acceptable as long as active decision by visitor is required and free choice is
guaranteed (this excludes “by visiting this website you accept…”)

29. What does this mean for you?

30. What does this mean for you?

31. What does this mean for you?

32. What does this mean for you?
Oh, and also:
If cookie is used to store and/or process personal, prior opt-in under privacy law is
required on top of cookie warning and privacy law applies…
This means
Declaration at privacy commission
Right to access, correct and oppose
Obligation of information through privacy policy
No transfer of data outside EU, unless under very strict conditions
Warning: almost all data is personal data, including IP address, browser history, any
data that might allow to identify someone directly or indirectly

33. What does this mean for you?
Consequences of cookie law

34. What does this mean for you?
Consequences of cookie law
Not very effective
Disturbing for visitor
Loss of traffic and/or data for websites

35. What does this mean for you?
Consequences of cookie law
Trying to escape cookie law obligations
Alternative solutions sought
Browser fingerprinting (Kméléo and others)
Web beacons

36. What does this mean for you?
Browser fingerprinting
Does not use cookies
Reads out users browser history just before page landing
Displays advertisements based on that browser history
Claims not to use personal data
Claims to escape cookie regulations

37. What does this mean for you?
Browser fingerprinting
Unfortunately, article 129 Telecom law is quite clear:
“De opslag van informatie of het verkrijgen van toegang tot informatie die reeds is opgeslagen in de
eindapparatuur van een abonnee of een gebruiker…”

38. What does this mean for you?
Browser fingerprinting
Unfortunately, article 129 Telecom law is quite clear:
“De opslag van informatie of het verkrijgen van toegang tot informatie die reeds is opgeslagen in de
eindapparatuur van een abonnee of een gebruiker…”
As is the Working Party 29’s advise 1/2008 (doc 00737/NL WP 148), which confirms
that browser history data should be considered personal data under privacy law

39. What does this mean for you?
Browser fingerprinting
Consequently, even if no cookie is placed, but data from a visitor’s computer is in any
way collected, accesed or analysed, prior consent is required.
This includes browser fingerprinting, web beacons, plugins, …

40. What does this mean for you?
And what if I do not comply?

41. What does this mean for you?
International context

42. What does this mean for you?
International context
As many laws as there are member states
All differ slightly, definitions vary, opt-in requirements vary, …
Problem: as soon as you target audience in one member state, local authorities will
claim te be competent (e.g. local extension, local language, local content, …)
Need to comply to most stringent legal systems seems to be the consequence

43. What does this mean for you?
International context
Working Party 29 advise of October 2013:
Basis for pan-European cookie requirements
Carefull: this is only an advise

44. What does this mean for you?
International context
Working Party 29 advise of October 2013:
Opt-in should concern only cookies (not combine privacy or direct marketing)
Opt-in should occur prior to placing or activating cookie
Opt-in requiers active decision (which may show through decision to continue visit to
website)
Opt-in should be free and may be layered
Visit to website has to be possible without opt-in (although this seems to exclude “by
visiting you accept…”?)
Explicite warning from WP29 for tracking cookies: if personal data is collected, prior
and separate opt-in for data processing is required

45. Specific questions? Need quick advise?
www.campaignchecker.be
Sirius Legal Campaign Checker service
Specific service for (digital) agencies, advertizers, sweepstake organizers, website
owners, …
Quick legal check of campagne, campagne site, landing page, …
Pragmatical and useable advise
Online available
First contact within 1 hour
Advise within 24 hours
Fixed price: 300 euro

46. Specific questions? Need quick advise?
www.campaignchecker.be
All questions concerning:
copyright
trademarks
Comparative advertising
Consumer protection rules
Contests, sweepstakes, lotteries
Privacy and cookies
Direct marketing actions and member-get-member actions
Actions via social media, respect for Facebook rules and guidelines, …
Viral actions

47. Need more elaborate help for your website?
www.websitecertifier.be
Sirius Legal Website Certifier service
Extensive legal check of websites and webshops
Full analyses of website set up, legal documents and disclaimers, legals mentions,
communication towards visitor/consumer
Analyses document
Changes to legal texts where needed or draft of general terms, disclaimer, privacy
policy and cookie policy
2 languages NL/FR or NL/UK included
Fixed price: 650 euro
First contact withing 1 hour
Full report withing 5 business days

48. Need more elaborate help for your website?
www.websitecertifier.be
Check includes
Obligatory mentions for all websites
Privacy law and cookies for all websites
Respect for market practices and consumer protection in e-commerce (pricing,
delivery, 14 day cooling down period, sales) – comparative and misleading
advertisement and information of consumers
Set up of your sales process in e-commerce
Content of your general terms of sale or use in e-commerce, auction sites, discussion
forums

49. Privacy & cookies
The Reference CRM inspiration day
2013
Bart Van den Brande
Advocaat – partner
Sirius Legal advocaten
www.siriuslegal.be
bart@siriuslegal.be
@BartVdBrande