Kinstellar acts as trusted legal counsel to leading investors across Emerging Europe and Central Asia. With offices in 11 jurisdictions and over 350 local and international lawyers, we deliver consistent, joined-up legal advice and assistance across diverse regional markets – together with the know-how and experience to champion your interests while minimising exposure to risk.
With France and Austria deciding on data protection issues in relation to Google Analytics, many more countries have followed suit in relevant changes to so-called web browser cookies.
With France and Austria deciding on data protection issues in
relation to Google Analytics, many more countries have followed
suit in relevant changes to so-called web browser cookies. In
order to limit the amount and quality of data retrieved by
providers from users, mainly without them realising the true scope
of this data and the use of such data by providers, legislators are
passing stricter rules on data collection.
Below is an overview of new legislation adopted to combat the
extensive collection and usage of user data:
Bulgaria
The current legislative environment provides a more relaxed
opt-out model of user consent regarding the use of cookies. In
particular, the Bulgarian Electronic Commerce Act does not
expressly stipulate a general obligation to ask for user permission
when installing cookies. In fact, the Electronic Commerce Act only
requires that:
the user is informed upon their visit to the Internet web page
that cookies will be installed on the user's device; and
the user has the option to restrict the use of cookies from the
settings of their browser.
However, this opt-out model does not apply to cookies that process
personal data, as such cookies fall under the scope of GDPR and
shall thus only be processed on an appropriate legal basis, such as
clear affirmative consent by the user.
Croatia
The Act on Electronic Communications (the
“AEC”, most recently updated in 2017)
is the tool that (among others) implements the EU Cookie Act
(Directive 2009/136/EZ). The AEC requires that in case electronic
communication networks are used for data storage or to access data
in the user's terminal equipment, the user must give their
consent after being properly notified in accordance with the
GDPR.
Exemptions are:
technical data storage or access that is necessary for the
purpose of communications transfer; or
the provision of information society services at the request of
a user.
The Croatian National Cyber Security Authority (
“CERT”) periodically issues
publications on cybersecurity threats that might be connected to
cookies (e.g., no cookie consent as an indicator that the web site
is fake, cookies as proof of a user's digital trail, specific
malware cookies, etc.).
Romania
Since the implementation of GDPR, there have been no draft
amendments or other proposals concerning the process of regulating
these aspects.
Basically, Law no. 506/2004 stipulates that access to
information stored in terminal equipment by telecommunication
service providers is only permitted if
the user has consented (even implicitly by setting the web
browser application or other similar technologies to accept such
information); or
on the basis of clear and comprehensive information given in
accordance with the GDPR.
On 23 February 2022, the Slovak National Security Authority
(the “Slovak NSA”) issued a warning of cyberattacks on
elements of critical infrastructure.
The Romanian Data Protection Authority has not published any
guidance / communicated any official information on the validity of
Google Analytics that considers the recent position taken by other
European Data Protection Regulators.
Serbia
Pursuant to the current version of the Serbian Law on
Electronic Communications, cookies are governed by the
“opt-out principle”, as use of electronic
communications networks and services to store or gain access to
user data stored in the terminal equipment of subscribers or users
is allowed on the condition that the subscriber or user concerned
is provided with clear and comprehensive information about the
purpose of data collection and processing and has been given an
opportunity to refuse such processing.
Based on publicly available information, a new law has passed
the public debate phase, which suggests that it may be forwarded to
the Serbian parliament for adoption in the near term.
Slovakia
Slovakia has introduced a new Act on Electronic Communications,
which sets out new rules regarding cookies and marketing.
Until now, providers were obliged to ask users for permission
to use cookies. Following the legislative change, the requirements
for the permission have been increased, with the exception of
cookies that are essential to the operation of the website.
Providers must acquire verifiable consent that follows the
requirements for consent set out by the GDPR.
The method of acquiring such consent is up to the providers; it
will be interesting to see how providers will implement this new
obligation.
Monetary sanctions for failing to acquire such consent can
reach up to 10% of the provider's annual turnover.
Turkey
On 11 January 2022, the Turkish Personal Data Protection Board
(the “Board”) published draft
guidelines (the “Guidelines”) in order
to provide an advisory and guiding document for data controllers
that process personal data through cookies. In the Guidelines, the
Board mainly elaborates on the following matters:
The definition of and types of cookies;
The relationship between the Turkish Data Protection Law and
Electronic Communications Law;
Guidance on when explicit consent is necessary regarding the
use of cookies; and
Several cookie implementation examples (both correct and
incorrect ways of usage).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.