Yesterday I discussed how difficult it is to put a financial figure on the projected benefits, as well as the costs, of the EU cookie law’s practical implementation across Europe. Today we turn to the other side of the balance sheet and look at how much money the cookie law has actually made. This refers to any fines and penalties levied in member states for violations of the law.
I felt inspired to write this post because the law only went into effect in Italy this week, well over three years after implementation nearly everywhere else. (Insert joke about Italian stereotypes here.) In the buildup to Italian implementation, this blog’s posts on the topic (here, here, and here) have had a lot of Italian traffic. Naturally, posts pertaining to penalties and fines are quite popular. I have also seen concerned Italians tweeting questions about how many fines have been levied on Italian web sites…barely 48 hours after the law took effect.
It might help to first understand how cookie law fines work.
While I can only speak with accuracy for the UK, where I am, the situation here is the same as across much of Europe. When it comes to the cookie law, EU member states, through their national data protection authorities, are not parking wardens. They are not patrolling the streets of the world wide web looking for web sites to ticket and fine for cookie law violations, nor do they work to quotas or targets. Most data protection agencies, like the UK’s ICO, can only respond to specific cookie law complaints filed by the public through formal reporting procedures. And as I explained here, cookie law complaints, at least in the UK, have been filed about…well, just about everything but cookies and privacy.
Abuse of the cookie law as a griping mechanism is so bad that ICO did not bother releasing an aggregated annual report about complaints for 2013 or 2014. The numbers suggest that compiling an annual report related to cookie law activities, such as they are, would have resulted in a polemic about the absurdity of having to police the law in the first place rather than a meaningful contribution to today’s privacy dialogue. In other words, annual reports could only serve to make the EU look bad, which is a very politically sensitive swamp to wade into these days in the UK. For what numbers are available, ICO’s 2012 report tells the whole story, while I connected the dots for 2013 and 2014.
If the UK’s situation holds true across Europe, only a tiny fraction of the cookie law complaints made across the continent have any validity or merit. Data protection authorities have learned very quickly that cookie law complaints do not equal cookie law violations: most of the complaints they receive are timewasting or personal, and when complaints do have some sort of merit, the burden of proof required to show that an individual’s privacy rights were substantially damaged due to a cookie is as complex as it is high.
None of these practical or human factors were foreseen in the black-and-white world of EU legislators when they legislated the cookie law provisions as a 2009 amendment to 2003’s directive on privacy and electronic communications. That 2009 amendment, in turn, was the result of a process which began with a year 2000 working paper (.pdf, 550kb) citing cookie data from 1997 (see footnote 20). The paper refers to the cookie options being rolled out as part of browser settings in what was then the upcoming web browser: Internet Explorer 5. We can spot the birth of the cookie law in a 2002 working paper (.pdf, 60kb) citing that paper from 2000. In other words, here I am at my desk in 2015 helping you get to grips with a law first sketched out in 2002 on the basis of 1997 data and the technical spec of Internet Explorer 5.
This absurdity is something that it’s absolutely critical to understand in the cookie law debate. As web designers and web developers we work in a profession which changes at light speed. Work we did five years ago is outdated and often barely usable. If you’re not laughing at code you wrote two years ago, that’s a danger sign that you haven’t learned anything.
That’s not how it works in the EU. The pace of their legislative and consultative process is absolutely glacial. It takes literally years for them to move through processes which would take the web profession a matter of weeks. What that means is that, like the familiar viral comic about Internet Explorer, EU legislation dealing with tech and code is always several years out of date by the time it comes into law. National data protection authorities, like the UK’s ICO, are therefore placed in the impossible position of being required to implement and enforce EU directives which deal with yesterday’s tech problems. The time they have to spend dealing with yesterday’s tech issues is time they cannot spend dealing with today’s threats.
The Italian data protection authority is no exception. It is highly unlikely that they have rolled out some sort of automatic web scanning software, barely seven days after the law took effect, searching for Italian web sites to attack and penalise for cookie law violations. This article, in Italian, certainly suggests as much, with the Italian privacy commissioner saying something which Google translates as “Do not be afraid, at this point we are not going to make any fines.” The articles I have read on Italy’s implementation (again, being run very roughly through Google Translate) also hint at the same passive-aggressive frustration we have seen time and time again from other national DPAs: we are doing this because the EU says we have to, not because we want to.
Italy also throws up a unique problem. When I gave my first talk on the EU cookie law at a WordPress conference in February 2012, I discussed its relevance vis-a-vis other privacy issues. But if I had taken out a box of aluminium foil, fashioned a tinfoil hat, and told my audience a story about a multinational surveillance apparatus tapping the subsea cables, building backdoors into our hardware, and storing every keystroke I type in a data centre in the Utah desert, the conference organisers would have ensured that I spent the evening in a hospital evaluation ward rather than the afterparty in a pub. How things change. Italy’s delay means the cookie law, which was already barely relevant three years ago, is only now being put into play in a post-Snowden world. Going back to my original analogy from that 2012 conference: Italians are now being asked to curate grains of sand. Meanwhile, the whole damn beach is being hoovered up from under their feet. Is there any appetite, then, for issuing penalties and fines to small businesses for innocuous violations of the cookie law – which are not necessarily violations of privacy – when total privacy violations are being committed on an industrial scale by the surveillance apparatus?
(While I have been writing this article, Italy’s DPA has finally clarified the provisions of the Italian cookie law, several days after it went into effect. Did Italy have another situation like we had in the UK, where everyone implemented a compliance strategy based on the guidance the DPA had provided, only for the DPA to turn around and change the guidance on the literal day that the law went into effect? I welcome any insight you might be able to provide outside me running things through Google Translate.)
Having explained the context behind penalties and fines, we can now move on to the bottom line.
What fines have been issued?
As of June 2015 – and to the best of my knowledge, in a topic spanning thirty-two data protection authorities and several dozen languages – just three cookie law fines have been issued.
The first fines came in Spain. Two fines were issued to a family of jewellery shops for €3,500 and €500. This case took fourteen months to be adjudicated – nine months to be heard and six months for the fine to be levied – making it unlikely that the fines levied would have covered the court costs alone. While certain quarters were quick to herald the fines as a sign of the law’s success, they failed to view the Spanish fines in their wider political context. Spain is in the process of a rather disturbing crackdown on civil liberties and digital rights. Encryption has been criminalised, Google News was shut down, and a draft security bill is a throwback to the 1970s. The cookie law fines must be seen as a part of this wider crackdown on the digital economy. Anyone celebrating the Spanish cookie law fines as a victory for privacy is making a very Faustian pact.
The largest fine to date was levied in the Netherlands for €25,000 against the public service broadcaster for failure to comply. However, it turns out that they did comply after being ordered to do so, but missed the DPA-appointed deadline. The fine is therefore about a missed deadline rather than the law itself. The Netherlands have, in any case, relaxed their cookie law, which started out as the strictest in Europe but quickly led to a “crisis of consent”. The Netherlands have also since been slapped down for their own domestic data retention law, which was ruled to be a breach of privacy on a massive scale.
So there we have it: three fines issued across the entire continent, for reasons which turn out to have very little to do with cookies and privacy, totalling €29,000 (roughly £21,000 or $32,000), by countries which used the cookie law as leverage to distract from other digital matters.
I think Leonard Bernstein put it best when he wrote the showtune:
“What a waste, what a waste, what a waste of money and time.”