Browsing by Author "From, Alexandra"

Data protection has become a pivotal topic in modern democratic societies. Lawmakers have, however, faced challenges in protecting data in the face of rapid technological growth and development in the online environment. ‘Cookies’ are a prominent tool for website operators that enable the collection and processing of vast amounts of personal data of internet users. The use of cookies is based on user’s consent as required under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive). It is, however, questionable whether cookie consent and notice practices are de facto effective in protecting internet users and providing them control over the use of their data obtained via cookies. The goal of this master’s thesis is to analyse whether the traditional model of consent and notice is the appropriate legal basis for the use of website cookies. The research question is divided into two parts. The first part concerns whether consent and notice are an effective tool in providing control and protection to individuals with respect to personal data processed through internet cookies. The second part concerns whether the EU’s data protection framework provides clear and harmonised rules on cookie consents and notices. It will focus especially on the General Data Protection Regulation 2016/679 (GDPR) and the ePrivacy Directive. This thesis uses mainly the legal doctrinal method and qualitative empirical evidence in answering its research question. After the introductory chapter, this thesis will in chapter 2 define cookies and its purposes, as well as outline the legal framework used in this research. Chapter 3 introduces the reader to the concept of consent and its different components, as well as the transparency principle and the accompanying information obligation. Consent consists of freely given, specific, informed and unambiguous elements. Chapter 4 will then discuss the first part of the research question. It will be seen that cookie consents and notices are burdened by many factors as evidenced through behavioural economics, cognitive and structural problems, as well as other factors. It is concluded, therefore, that cookie consents and notices in their traditional form are not an effective tool in providing control and data protection to internet users. Nevertheless, consent and notice are so enshrined in the EU’s data protection regime that they will not be easily abandoned. Chapter 5 discusses the second part of the research question by looking at practical examples in order to see how websites from the legal sector and different national data protection authorities have complied with cookie consent and notice obligations. It will be seen that cookie rules are interpreted inconsistently by even these websites, which has resulted in noncompliance in some instances. Hence, it is concluded that the GDPR and the ePrivacy Directive have failed to harmonise cookie consents and notices. Chapter 6 will look to the future and discuss briefly the proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation) in terms of i) ‘cookie walls’, which basically coerces website users to accept cookies or otherwise they will be denied access to the site or service, and ii) the legitimate interests ground, which has been introduced as an alternative legal basis to consent with respect to cookies in the latest revised draft of the ePrivacy Regulation adopted on 21 February 2020 by the Croatian Presidency. It will be concluded in chapter 7 that the traditional model of consent and notice might not always be the appropriate legal basis for cookies, hence legislators should look into other legal bases as well, such as, the legitimate interest ground. However, whether or not this ground will be able to provide better protection and control to internet users remains to be seen.