The cookie law in Tunisia: A legal vacuum leading to an obsolete fracture with the world’s data protection laws?

Article By :

Abstract
Cookies are not always innocent, in particular the ones behind the pop-up banners shown on one’s first visit to a platform. Cookie technology is still the backbone of the ultimate performance of platforms, as well as of their income. In fact, the common claim that navigating and using platforms is free of charge deserves serious contemplation, as statistics show that such platforms generate most of their income from the sale of their users’ personal data. In light of such practices, most legislations around the world have taken a stance on the collection and use of data, in particular through cookies and similar tracking technologies. The most renowned legislations, reflective in a way of the two general approaches taken to data regulation, are the European GDPR and the Californian CCPA inspired by it. Mostly, these laws and others are based on a notice and/or consent approach to the regulation of cookies. As Tunisia was once the pioneer of data protection reforms on the African continent, its stance on the use of cookies may seem at first glance reluctant. This research paper will trace the outlines of the Tunisian cookie law, if there is one.


Keywords
Data protection, Cookie law, Personal data protection, Tunisia.



Introduction
The world has never been more connected. This is thanks to the advent of the internet, which has transformed life and the economy in less than fifty years. Ever since, almost every aspect of daily life involves at least one digital component, as indeed: “No product is made today, no person moves today, nothing is collected, analyzed or communicated without some ‘digital technology’ being an integral part of it”; hence the inception of a digital era. In fact, digitalization will only grow, as Digital Cooperation is part of the UN’s SDGs. Consequently, the number of internet users will only rise, while both the golden fruit and the nutriment of using the internet is data, often perceived as the “new gold”. Consumers’ or users’ data allows platforms’ income to grow as they analyze consumers’ behaviors. The term platforms herein will be used in reference to “an application or website that serves as a base from which a service is provided”. Although consumers, herein referring to internet users, are made to believe that their visits to and use of platforms are free, such a statement is to be taken with caution. In a capitalist world, the “free” visit to platforms designed by giant multinational oligopolies such as Google, Facebook, TikTok, Instagram and others alike, although its cost is not disclosed as monetary per se, definitely comes with a cost. Verily, platforms are instead monetized mostly by targeted advertising that utilizes the personal data of consumers accessing the platforms. Indeed, after each website interaction, dozens of pieces of consumer information are sent back to platforms in text form; such technology is referred to as a cookie. Cookies are an online tracking technology, one that revolutionized internet use, as it has a dual function: allowing the identification of a platform user on the one hand, while collecting on the other hand consumers’ past, present and future information, using a text document, without any needed action from consumers.
It should be noted that, while some cookies collect data for the basic and necessary functioning of platforms, as initially intended, many extend their use to non-necessary purposes, thus placing non-necessary cookies for statistics, marketing and tracking of various user activities, and creating refined profiles of users. Regarding the legal consideration of qualifying users as consumers, it should be noted that “because of an assumption that an economic exchange was absent, historically, the provision of such content or services was presumed to not be covered under consumer protection rules”. Furthermore, the regulation of cookies specifically is of a lex specialis scope, referred to as the Cookie Law in the EU and embodied in the e-Privacy Directive of 2002, and is part of the lex generalis of data protection.

Historically, Tunisia was one of the first countries in Africa to enact a comprehensive data protection law, and it “pioneered” the data protection reforms on the continent. Personal data protection remained a constitutionally protected right, as renewed in Article 30 of the 2022 Constitution. Notwithstanding, such achievements may at first sight seem minuscule, compressed in the face of the world’s digital/data law tsunami. In fact, Tunisia’s comprehensive law on data protection was enacted over two decades ago: it is the Organic Law No. 2004-63 on the Protection of Personal Data. Although, when enacted in 2004, that law “made Tunisia one of the most progressive regimes for personal data protection in the world”, it soon grew into a criticized regime manifesting an illusion of protection. The most recent push for amendments to the 2004 law dates from 2018, aiming at its harmonization with the EU’s General Data Protection Regulation (GDPR). Nevertheless, fast-forward 7 years, no official enactment has taken place. Such a legislative “choice” leaves room for a number of questions, while the one to be analyzed in this research regards the extent to which the Tunisian data protection law covers the use of cookies.

To unveil the reality of the cookie law in Tunisia, an analysis of the legal framework applicable to the use of cookies for personal data will first be conducted (Part I), followed by an overview of the mechanisms enforcing such framework (Part II). Throughout, the analysis will put forward certain contrasts it may have with the GDPR, as numerous scholars consider it the gold standard for data protection and cookie law and almost a de facto global data protection norm, diverging from the general American approach.