• 3
    interpretation. Simply using a cookie to assist, speed up or regulate the transmission of a
    communication over an electronic communications network is not sufficient. The
    transmission of the communication must not be possible without the use of the cookie. It can
    be noted that in the original version of Directive 2002/58/EC, Article 5.3 already included this
    exemption for cookies that were used “for the sole purpose of carrying out or facilitating the
    transmission of a communication over an electronic communications network”. The same
    wording was used in the revised directive, but the words “or facilitating” were removed,
    which could be interpreted as a further indication that the European Legislator intended to
    restrict the perimeter of the exemption afforded by Article 5.3 under CRITERION A.
    At least 3 elements that can be considered as strictly necessary for communications to take
    place over a network between two parties:
    1) The ability to route the information over the network, notably by identifying the
    communication endpoints.
    2) The ability to exchange data items in their intended order, notably by numbering data
    packets,
    3) The ability to detect transmission errors or data loss.
    The terms “the transmission of a communication over an electronic communications
    network” in CRITERION A –and in particular the word “over”– are understood to refer to
    any type of data exchange that takes place with the use of an electronic communication
    network (as defined in Directive 2002/21/EC), potentially including “application level” data
    which fulfills at least one of the properties defined above, without limitation to technical data
    exchanges needed to establish the electronic communication network itself.
    As such, CRITERION A encompasses cookies that fulfil at least one of the properties defined
    above for Internet communications.
    2.2 Criterion B
    Similarly, the wording of CRITERION B suggests that the European Legislator intended to
    ensure that the test for qualifying for such an exemption must remain high. Following a direct
    reading of the directive, a cookie matching CRITERION B has to pass simultaneously the two
    following tests:
    1) The information society service has been explicitly requested by the user: the user (or
    subscriber) did a positive action to request a service with a clearly defined perimeter.
    2) The cookie is strictly needed to enable the information society service: if cookies are
    disabled, the service will not work.
    Furthermore, recital 66 of Directive 2009/136/EC underlines that “Exceptions to the
    obligation to provide information and offer the right to refuse should be limited to those
    situations where the technical storage or access is strictly necessary for the legitimate
    purpose of enabling the use of a specific service explicitly requested by the subscriber or
    user.” In other words, there has to be a clear link between the strict necessity of a cookie and
    the delivery of the service explicitly requested by the user for the exemption to apply.

  1. 4
    Even with such a reading of the directive, it remains to define what constitutes the scope of an
    “information society service explicitly requested by the subscriber or user”. An information
    society service can be composed of many components, some of which are not used by all
    users or are provided for convenience. For example, an online newspaper can be free to access
    for all, but may provide some additional functionalities for users that are “logged-in” such as
    the ability to leave comments on articles. In turn these additional functionalities may operate
    with their own cookies. In this particular context, the Working Party considers that an
    information society service should be viewed as the sum of several functionalities, and that
    the precise scope of such a service may thus vary according to the functionalities requested by
    the user (or subscriber).
    As a consequence, CRITERION B can be rewritten in terms of “functionalities” provided by
    an information society service. In these terms, a cookie matching CRITERION B would need
    to pass the following tests:
    1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if
    cookies are disabled, the functionality will not be available.
    2) This functionality has been explicitly requested by the user (or subscriber), as part of
    an information society service.
    2.3 Characteristics of a cookie
    Cookies are often categorized according to the following characteristics:
    1) Whether they are “session cookies” or “persistent cookie”.
    2) Whether they are “third party cookies” or not.
    A “session cookie” is a cookie that is automatically deleted when the user closes his browser,
    while a “persistent cookie” is a cookie that remains stored in the user’s terminal device until it
    reaches a defined expiration date (which can be minutes, days or several years in the future).
    The term “third party cookie” can be misleading:
     In the context of European data protection, the Directive 95/46/EC defines a third
    party as “any natural or legal person, public authority, agency or any other body
    other than the data subject, the controller, the processor and the persons who, under
    the direct authority of the controller or the processor, are authorized to process the
    data.” A “third party cookie” would thus refer to a cookie set by a data controller that
    is distinct from the one that operates the website visited by the user (as defined by the
    current URL displayed in the address bar of the browser).
     However, from the perspective of browsers, the notion of “third party” is solely
    defined by looking at the structure of the URL displayed in the address bar of the
    browser. In this case “third party cookies” are cookies that are set by websites that
    belong to a domain that is distinct from the domain of the website visited by the user
    as displayed in the browser address bar, regardless of any consideration whether that
    entity is a distinct datahttps://m.facebook.com/story.php?story_fbid=110613789644715&substory_index=2&id=100020882843622 controller or not. @
One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.