Kinstellar acts as trusted legal counsel to leading investors across Emerging Europe and Central Asia. With offices in 11 jurisdictions and over 350 local and international lawyers, we deliver consistent, joined-up legal advice and assistance across diverse regional markets – together with the know-how and experience to champion your interests while minimising exposure to risk.
May 2022 – With France and Austria
deciding on data protection issues in relation to Google Analytics,
many more countries have followed suit in relevant changes to
so-called web browser cookies. In order to limit the amount and
quality of data retrieved by providers from users, mainly without
them realising the true scope of this data and the use of such data
by providers, legislators are passing stricter rules on data
collection. Below is an overview of new legislation adopted
to combat the extensive collection and usage of user data.
Bulgaria
The current legislative environment provides a more relaxed
opt-out model of user consent regarding the use of cookies. In
particular, the Bulgarian Electronic Commerce Act does not
expressly stipulate a general obligation to ask for user permission
when installing cookies. In fact, the Electronic Commerce Act only
requires that:
- the user is informed upon their visit to the Internet web page
  that cookies will be installed on the user's device; and
- the user has the option to restrict the use of cookies from the
  settings of their browser.
However, this opt-out model does not apply to cookies that
process personal data, as such cookies fall under the scope of GDPR
and shall thus only be processed on an appropriate legal basis,
such as clear affirmative consent by the user.
Croatia
The Act on Electronic Communications (the
"AEC", most recently updated in 2017) is
the tool that (among others) implements the EU Cookie Act
(Directive 2009/136/EC). The AEC requires that where electronic
communication networks are used for data storage or to access data
in the user's terminal equipment, the user must give their
consent after being properly notified in accordance with the
GDPR.
Exemptions are:
- technical data storage or access that is necessary for the
  purpose of communications transfer; or
- the provision of information society services at the request of
  a user.
The Croatian National Cyber Security Authority
("CERT") periodically issues publications
on cybersecurity threats that might be connected to cookies (e.g.,
no cookie consent as an indicator that the website is fake,
cookies as proof of a user's digital trail, specific malware
cookies, etc.).
Romania
Since the implementation of GDPR, there have been no draft
amendments or other proposals concerning the process of regulating
these aspects.
Basically, Law no. 506/2004 stipulates that access to
information stored in terminal equipment by telecommunication
service providers is only permitted if
- the user has consented (even implicitly by setting the web
  browser application or other similar technologies to accept such
  information); or
- on the basis of clear and comprehensive information given in
  accordance with the GDPR.
On 23 February 2022, the Slovak National Security Authority
(the "SlovakNSA")
issued a warning of cyberattacks on elements of critical
infrastructure.
The Romanian Data Protection Authority has not published any
guidance / communicated any official information on the validity of
Google Analytics that considers the recent position taken by other
European Data Protection Regulators.
Serbia
Pursuant to the current version of the Serbian Law on
Electronic Communications, cookies are governed by the
"opt-out principle", as use of electronic communications
networks and services to store or gain access to user data stored
in the terminal equipment of subscribers or users is allowed on the
condition that the subscriber or user concerned is provided with
clear and comprehensive information about the purpose of data
collection and processing and has been given an opportunity to
refuse such processing.
Based on publicly available information, a new law has passed
the public debate phase, which suggests that it may be forwarded to
the Serbian parliament for adoption in the near term.
Slovakia
Slovakia has introduced a new Act on Electronic Communications,
which sets out new rules regarding cookies and marketing.
Until now, providers were obliged to ask users for permission
to use cookies. Following the legislative change, the requirements
for the permission have been increased, with the exception of
cookies that are essential to the operation of the website.
Providers must acquire verifiable consent that follows the
requirements for consent set out by the GDPR.
The method of acquiring such consent is up to the providers; it
will be interesting to see how providers will implement this new
obligation.
Monetary sanctions for failing to acquire such consent can
reach up to 10% of the provider's annual turnover.
Turkey
On 11 January 2022, the Turkish Personal Data Protection Board
(the "Board") published draft guidelines
(the "Guidelines") in order to provide
an advisory and guiding document for data controllers that process
personal data through cookies. In the Guidelines, the Board mainly
elaborates on the following matters:
- The definition of and types of cookies;
- The relationship between the Turkish Data Protection Law and
  Electronic Communications Law;
- Guidance on when explicit consent is necessary regarding the
  use of cookies; and
- Several cookie implementation examples (both correct and
  incorrect ways of usage).