
By Krzysztof Markiewicz, Associate, PETERKA & PARTNERS

OVERVIEW

As Internet-based services spread, it is virtually impossible to imagine a modern economic entity without a comprehensive website. However, the more contact with potential users, the more legal requirements regarding privacy and protection of personal data must be taken into account by international companies and, consequently, their counsel. One of the most important legal issues when creating and operating a website is the use of so-called "cookies". This paper outlines the general legal framework regarding cookies used on websites in Poland. It focuses mainly on the requirements for providing sufficient information to the user in the manner described in the legal provisions, as well as obtaining the user's consent to the use of cookies on the websites they enter. It also briefly addresses the question of whether cookies may be considered personal data.

Relevant Polish legislation

Questions related to cookies are regulated in the Polish Act of July 16th, 2004 on Telecommunication Law (hereafter referred to as the "Telecommunication Act"). The recent amendment of March 22nd, 2013 served to implement the provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC.

Cookies

The Telecommunication Act does not provide a legal definition of cookies; it refers instead to a wider and more general category of "information stored in the devices of end users". According to the information on the website of the EU Internet Handbook: "A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to "remember" your actions or preferences over time". The relevant provisions of the Telecommunication Act explicitly allow for storing information in the user's device and accessing it. In addition, the transfer of this information and triggering its saving into the device's memory can also be implicitly interpreted from these provisions.

Information obligation

The main condition upon which cookies may be stored in the end user's device is that the user be informed in advance, directly, and in an unambiguous, easy and understandable manner with regard to:

the purpose of storing information (cookies) and the manner of gaining access to this information; and
the possibility to define the conditions of the storing or the gaining of access to this information by using settings of the software installed on its telecommunications terminal equipment or service configuration.

The information must be provided in advance, before the storing of cookies commences, in order for the user to decide whether he or she wants to use the service. The information must be provided directly, which means, in practice, that the entity using cookies should inform the user on its own, without intermediaries. Also, the information should indicate, in an unambiguous manner, that a cookie will be stored in the user's device. Finally, the manner of informing should be easy and understandable, i.e. it should not use technical language or require any special skills or experience from the user.

Consent: Opt-out vs. Opt-in

Apart from the obligation to inform the user about cookies on the website, the Polish law requires obtaining the user's consent to the use of cookies. In general, two principal models of expressing consent have been known and used with regard to cookies: the opt-out and the opt-in model.

Before the amendment resulting from the implementation of the Directive 2009/136/EC, the Telecommunication Act stated that the user's consent for the installation and use of cookies was presumed with the possibility for the user to opt-out from such default acceptance of cookies.

The newly adopted solution is somewhat ambiguous as to whether it follows the opt-in or the opt-out scenario. On the one hand, the principal requirement is that the user's consent must be obtained after he or she has been duly informed about the use of cookies on the website.

The Telecommunication Act emphasizes the fact that this consent may not be presumed or implied by a declaration of will of a different content.

However, the Telecommunication Act also provides for the possibility that the "subscriber or end user may give its consent (...) using settings of the software installed on its telecommunications terminal equipment or service configuration". The Polish doctrine generally agrees that this provision is the lex specialis to the general rule of providing user's consent in the Telecommunication Act. It is then possible that the consent is given in advance by the user activating the relevant setting in its web browser.

In practice the vast majority of websites in Poland have adopted the full "opt-in" solution, prompting users for active consent for the use of cookies. It is then via a pop-up window with a general consent form and a hyperlink to the "Cookie Policy" or "Privacy Policy" that both the requirement of providing information to the user and the one regarding obtaining the user's consent to the use of cookies on the website, are usually fulfilled.

Cookies and personal data protection

The Polish law - Act of August 29th, 1997 on Personal Data Protection (hereafter referred to as the "PDP Act") - does not provide a clear answer to the question whether cookies and information contained therein may be qualified as personal data and covered by regulations regarding their protection.

Within the meaning of the PDP Act, personal data are defined as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

In the light of this definition it is important to determine whether cookies are information relating to an identified or identifiable natural person.

According to the Polish doctrine, the key aspect in analyzing cookies as personal data would be their content. Although cookies generally contain information regarding the identity of the computer (IP address) they are installed on and, sometimes, also the session opened by the user and its duration, it can be assumed that this information is not sufficient to determine the identity of the user. In particular, it is possible that one computer has more than one user and the IP address may be dynamically allocated. In such cases extracting information regarding the identity of users would be burdensome or impracticable and the cookies would fall under the exclusion contained in the PDP Act which states that: "A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower".

However, according to the Polish doctrine, it would be possible that some cookies, in particular those installed on a computer exclusively used by one person and having a singular IP address, would in fact allow for identification of such a user. In such a case it cannot be excluded that those cookies could be qualified as personal data and fall under the set of regulations regarding their processing contained in the PDP Act.

To date, the Polish authority in charge of personal data protection - the General Inspector for Protection of Personal Data (Polish: GIODO, http://www.giodo.gov.pl/168/j/en) - has not expressed any official opinion regarding cookies as personal data.

Sanctions

Noncompliance with the requirements of the Telecommunication Act with regard to storing cookies in the device of an end user or the use of information stored therein, as well as failure to obtain the user's consent, is heavily sanctioned by the President of the Office of Electronic Communication (Polish: UKE, http://en.uke.gov.pl/). The fine imposed by UKE may reach 3% of the turnover of the infringing party from the calendar year preceding the year in which the infringement took place.

CONCLUSIONS

Although the Polish law does not provide for the definition of cookies, they fall under a wide category of information stored and accessed in the end user's device, regulated in the Telecommunication Act.

The Polish regulations on cookies have a precise set of requirements regarding the manner of informing the user about the use of cookies.

While the general principle is the opt-in consent for the use of cookies, the Telecommunication Act provides also the option of expressing consent to the use of cookies by using settings of the software installed on the telecommunications terminal equipment or service configuration.

Cookies are generally not considered by the Polish regulations to be personal data; however, in certain cases it cannot be excluded that they might be qualified as such.

ADDITIONAL RESOURCES

1. Polish Act of July 16th, 2004 on Telecommunication Law, unofficial English translation: http://en.uke.gov.pl/files/?id_plik=41

2. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, English version: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

3. EU Internet Handbook: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

4. Act of August 29th, 1997 on Personal Data Protection, English translation: http://www.giodo.gov.pl/plik/id_p/193/j/en/

5. General Inspector for Protection of Personal Data, official website: http://www.giodo.gov.pl/168/j/en

Region: Poland
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.