EU to legislate on cookies

UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)
It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamps or two.
This is about amendments to 2002/58/EC; the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Mason. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.
The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.
I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.
The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put their earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:

  • What if I’m using my PC outside the EU?
  • What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
  • What about non-EU citizens, in the EU, accessing EU sites?
  • Or non-EU citizens accessing EU sites from elsewhere?
  • Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
  • … and so on and so on…

There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.
Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:

  • the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
  • internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.

On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.
All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.