Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Point (a) covers purposes that require a cookie banner. Point (b) covers login or shopping cart cookies, as these are necessary for the performance of a contract to which the data subject is party.
Also relevant to cookies, ePrivacy directive Article 5 (3):
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
That says nothing useful. The legislation refuses to be specific and you have to know what all the relevant ICO decisions are, which is why compliance is so frustratingly vague.
That’s cynical and edgy, but misses the mark. There are several reasons why rules tend to be more specific about the outcomes than the ways to get there.
This decreases the attack surface for loopholes. What is desirable is the end result, not the technical details.
The law is actually clearer because the intent is clearly spelt out. The point of the law is to protect privacy, not cover every screen with cookie banners.
This leaves room for different implementations and flexibility (yay, competition).
It makes the law more resilient, because it does not need to be re-engineered every time anything happens. 10 years from now, even if cookies and banners have completely vanished, the core of the law will still be relevant.
This is why debates about the spirit and the letter of laws translate poorly across the Atlantic. Different places have different approaches.
I completely agree with your points. However, my admittedly snarky comment was regarding the idea that simply searching for a term across a document is how one decides legal validity, with no regard to alternate jargon, definitions, and of course, as you point out, outcomes.
The law is written to prevent loopholes and exploits -- an extremely hard task, given the number of people willing to break it for even the slightest profits. The sheer number of these "false exits", which then need to be covered, makes reading and interpreting the law a hard endeavor. And a very precise one. It could be easier by some fraction, but never anywhere near easy.
There are competing incentives. Governments/politicians want to make it easy for companies to comply in order to encourage economic investment, and also to gain goodwill among their voters. Legal institutions want to make things appear as complicated and uncertain as possible so that they make more money selling lawyers.
The end result is that you get mixed messages, depending on where the information ultimately came from.
I personally don't know how hard it actually is to comply with GDPR, but I know that it has to be easier than it's made out to be.