Privacy Commissioner examines EU cookie laws

No Australian guidelines despite directive's May deadline.

Federal agencies are looking to the Office of the Australian Information Commissioner (OAIC) for advice on Europe’s new ‘opt in’ approach to web cookies.

European Union (EU) member states were required to adopt the 2009 amendment (pdf) to the Directive 2002/58 on Privacy and Electronic Communication by 25 May.

The new rules require websites to obtain users’ permission before storing or accessing information about them, unless that data is needed for services explicitly requested by the user.

A majority of websites currently use cookies for e-commerce session management, personalisation and targeted behavioural advertising.

On iTnews, cookies are used to allow users to log in and comment on stories, and to determine which advertisements to display.

Privacy Commissioner Timothy Pilgrim told iTnews that the OAIC was examining the European amendments “to better understand their intent and application”.

He said the OAIC would consider whether the European approach could support existing obligations for Australian organisations under the Privacy Act.

“We will be reviewing our advice and guidance based on what we learn from this,” he said, noting that a timetable for examining the Directive was yet to be determined.

Pilgrim acknowledged industry concerns about complying with the amended E-Privacy Directive, noting that only two of the 27 EU member states fully implemented the changes by May.

In a blog post last week, public sector executive and Gov 2.0 blogger Craig Thomler raised concerns that the E-Privacy laws may apply not only to European-hosted sites, but also to those viewable in European countries.

Thomler’s interpretation echoed advice issued to Adobe customers by the software company’s chief privacy officer MeMe Jacobs Rasmussen in May.

“Generally speaking, European companies or other companies with a presence in Europe that target European users will have to comply,” Rasmussen wrote.

“Companies based outside of Europe who may have no physical presence in Europe but who target users in Europe will also likely need to comply.”

Thomler warned that the laws may apply to Australian government websites using cookies for applications such as Google Analytics, ‘share’ tools and shopping carts.

However, he speculated that the matter would likely remain in “legal limbo” until a legal ruling occurs.

“Even if found to apply to foreign websites, there would be difficulty extending the law outside of Europe - you can't really extradite foreign governments or companies,” he told iTnews.

“If Europe began blocking websites this would prompt a civil backlash, and the law would pretty much collapse.”

Representatives of the Department of Foreign Affairs and Trade and Australian Government Information Management Office deferred to the OAIC when questioned about implications of the E-Privacy Directive.

The Attorney-General’s Department referred iTnews to the Department of Broadband, Communications and the Digital Economy (DBCDE).

A DBCDE spokesman said it awaited implementation of the Directive by EU member states in their individual jurisdictions.

“As with other international laws, Australian businesses operating overseas should ensure that they comply with all relevant local regulation,” the Department stated.

“DBCDE continues to liaise with relevant government, industry and consumer stakeholders on privacy matters in the online environment, including the impact of international regulatory developments on the Australian telecommunications industry.”

Cookies in Australian privacy law

Privacy Commissioner Pilgrim said the Government would address new technologies in a law reform process that has been ongoing since 2008.

He noted that Australia’s Privacy Act may not currently regulate the use of cookies, since the Act only addresses the collection of ‘personal information’.

“Personal information is defined as ‘information or an opinion … about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion’,” he noted.

“Information collected by cookies often may not be enough to identify a person, and in such cases, the information collected would not be covered by the Privacy Act.

“However, it is important to remember that new technologies make it increasingly easy to develop a detailed picture of who a person is by combining the information that they reveal when transacting online.”