This approach, however, does not satisfy the EU’s Article 29 Working Party, which is composed of national data protection officers and oversees the implementation of data protection laws in the EU. According to the Art. 29 WP, the self-regulatory framework does not meet the requirements of EU law since ‘consent’ to OBA can only be given in an opt-in framework with the Internet user actively agreeing to it. This interpretation of existing law was recently confirmed in a meeting between representatives of the Art. 29 WP and the advertising industry. Even though the opinions of the Art. 29 WP are not legally binding, they provide guidance in implementing data protection laws across the EU.
It is noteworthy that the restrictive viewpoint of the Art. 29 WP comes at a time in which the EU (as well as the U.S.) is in the midst of rewriting its data protection laws. The EU Commission is expected to publish a new data protection framework, including provisions specifically addressing the online world. The Commissioner responsible, Viviane Reding, initially wanted to publish it in November but it is very likely that it will take the Commission longer to finalize the proposal. Furthermore, the Art. 29 WP is expected to adopt an official opinion on the advertising industry’s self-regulatory scheme by the end of this year.
In the current situation, the legal implications remain uncertain. The implementation and enforcement of the ‘Cookie Directive’ is the responsibility of individual Member States, which increases the risk of regulatory variations across the EU. The difficulties and uncertainties with the implementation of key provisions of the Directive can clearly be seen in the mixed implementation records of Member States. Even though all of them should have implemented the provisions by end of May this year, most of them have not met this deadline.
Against this background, any future rules should pursue three basic goals. First, increase legal certainty by laying down less ambiguous provisions. Second, continue to work with international partners to develop common approaches in order to minimize costs resulting from discrepancies in legal regimes. Third, account should be taken of the importance of a more flexible regulatory approach. It should be remembered that OBA has greatly benefited consumers by enabling applications providers to offer their services at minimal or even no costs. In lowering barriers to entry, OBA greatly contributed to a competitive online environment that not only encourages companies to innovate in various types of products and services, but it also drives them to compete over privacy practices that are closest to customers’ preferences. Rigid, regulatory approaches entail the risk of chocking off these healthy competitive forces.