The European Union's approach to online behavioural advertising: Protecting individuals or restricting business?


Computer Law & Security Review 30 (2014) 67–74

Available online at www.sciencedirect.com

ScienceDirect www.compseconline.com/publications/prodclaw.htm

Desiree De Lima (University of Hertfordshire, Hertfordshire, UK) and Adam Legge* (University of Hong Kong, Hong Kong)

Abstract

Keywords: Online behavioural advertising; Consent; Default inertia; Proprietary Rights Model

The European Union (EU) has firmly set its stall out to protect individuals' data and privacy and has demonstrated this through the rejection of the old opt-out regime and the introduction of the new opt-in rules. These require businesses to obtain individuals' prior and informed consent before their data are collected, stored and used for the purposes of online behavioural advertising (OBA). Individuals in the EU are afforded protection from the apparent dangers relating to data privacy and misuse that are associated with OBA, which is beyond the expectation of most Internet users. However, there are some criticisms levelled at the law that the EU has produced. Is simply gaining informed consent sufficient for protecting all types of information? Do certain types of information require a higher level of consent than others? Does the law fulfil its aim of protecting data subjects' privacy and data? Is the current law restrictive to business? Do individuals know or care that their information is being collected for the purposes of targeted advertising, and is there a better way to ensure that they do? Finally, will the proposed new law to be found in the EU Data Protection Regulation solve any of these problems? This article will assess whether, as a policy decision, the EU's current approach has been too cautious in its attempts to protect individuals or restrict business.

© 2014 Adam Legge and Desiree De Lima. Published by Elsevier Ltd. All rights reserved.

1. Introduction

The law relating to OBA is governed by the Data Protection Act 1998 [1] and the Directive on Privacy and Electronic Communications [2] (e-Privacy Directive). The Article 29 Working Party Opinion [3] (Working Party) defines OBA as the "tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertisements matching their interests." [4] The European Union (EU) has firmly set its stall out to protect individuals' data and privacy and has demonstrated this through the rejection of the old opt-out regime and the introduction of the new opt-in rules, which require businesses to obtain individuals' prior and informed consent before their data are collected, stored and used for the purposes of OBA. [5] Individuals in the EU are afforded protection from the apparent dangers relating to data privacy and misuse that are associated with OBA, which is beyond the expectation of most Internet users. However, there are some criticisms levelled at the law the EU has produced. The first is ambiguity, partly due to differences between Member States; [6] the second is the failure to strike an effective balance between protecting individuals and the needs of businesses. It could be argued that in some instances the law sides with individuals to the detriment of business. The UK has aimed to obtain a balance between protecting individuals whilst allowing business to thrive, through new guidance released by the UK Committee of Advertising Practice (CAP), [7] which writes and maintains the UK advertising codes. It is submitted that the law should help "enhance visibility ... and our knowledge" [8] to enable individuals to make informed choices. At present individuals are not being exposed to a balanced debate, and there is a fundamental misunderstanding about what OBA is [9] and its benefits. [10] A "vague queasiness" [11] felt by individuals is compounded by the fact that consent has become something of a tedious annoyance to many of them: the consent requirements of the opt-in regime make them disengage rather than engaging them and encouraging them to enhance their knowledge [12] of online behavioural advertising. This is an issue that is inescapable and is key to the continued evolution of the Internet.

* Corresponding author. 2 Orchard Close, Ware, Herts SG12 0PY, UK. E-mail address: [email protected] (A. Legge).
[1] The Data Protection Act 1998.
[2] Directive 2002/58/EC as amended by Directive 2009/136/EC.
[3] A committee made up of representatives from each of the EU Member States' data protection authorities.
[4] Article 29 Data Protection Working Party, WP 171, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, at p. 3, accessed 20 June 2013.
© 2014 Adam Legge and Desiree De Lima. Published by Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.clsr.2013.11.004

[5] Article 29 Working Party Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising, WP 188, at 3.
[6] Article 29 Data Protection Working Party, WP 187, Opinion 15/2011 on the definition of consent, adopted on 13 July 2011, at p. 6, accessed 5 July 2013.
[7] The UK body which writes and maintains the UK advertising codes, which are administered and enforced by the UK Advertising Standards Authority (ASA) (Out-Law 3 February 2013) accessed 29 November 2013.
[8] C Prins, "When personal data, behaviour and virtual identities become a commodity: Would a property rights approach matter?" 2006 SCRIPT-ed Vol 3 Issue 4 at 301.
[9] Supra 5 at 4 & "Survey reveals nearly half of web users happy with behavioural advertising" (Out-Law 14 May 2012) accessed 23 July 2013.
[10] Orla Lynskey, "Track[ing] changes: an examination of EU Regulation of online behavioural advertising through a data protection lens" 2011 E.L. Rev. 874 at 881.
[11] Szoka & Thierer, "Online Advertising & User Privacy" 2008 Progress Snapshot, Vol 4 (19) at 3.
[12] Berger, "Balancing Data Subject Privacy" 2011 27 Santa Clara Computer & High Technology Journal 3 at 49.

2. A consensual debate

An individual's data are collected through cookies and other tracking devices placed on their terminal equipment. However, before these are placed on the device, the user must give prior, informed opt-in consent, [13] having been provided with "clear and comprehensive information". This is required by Article 5(3) of the amended e-Privacy Directive. [14] The definition of consent is taken from EU data protection law: a "freely given, specific and informed indication of the users' wishes by which the individual signifies their agreement for their data to be processed". [15] In theory this gives individuals control, as they can choose which cookies can be set on their computer and by whom, so the law should achieve its aim of providing individuals with a way to make informed decisions. It is submitted that this is a superficial analysis, for a number of reasons. It can be said with some certainty that consent must be obtained prior to the setting of the cookie. [16] This is as far as the certainty goes. What is unclear is how that consent is to be obtained by the business. [17] The Working Party has suggested various ways to obtain consent, [18] including an information banner, a splash screen or a barrier page stopping individuals accessing the website until they have consented. The preferred way in Directive 2009/136/EC [19] and in Member States [20] is browser settings. This is a solution anchored in both the browser's technology [21] and browser cooperation. However, browsers cannot replace the complex decision making of an informed individual, and browsers like Google Chrome are geared to maximise the collection of data from their users, [22] so are likely to be resistant to this. Default browser settings also rely on individuals being able to make that choice, but the evidence suggests that they cannot and simply reject them by default, [23] which defeats the objective of the Directive.
The consent issue is muddied further by implied consent and the exemptions to obtaining consent. Implied consent is defined as when an individual has followed an informed course of action that leads to the "unmistakable conclusion that consent is given". [24] Whilst this precludes silence or inaction, [25] again it is not clear how consent should be impliedly obtained. For example, the UK Information Commissioner and the Working Party hold contrary views on this. The former adopts a sliding scale: the more intrusive the cookie into the lives of individuals, the higher the level of consent needed. [26] This seems reasonable; nevertheless the Working Party takes a broad-brush approach, believing that all OBA entails a "high level of intrusiveness". [27] This approach is far too simplistic. OBA is here to stay, and the Information Commissioner's approach recognises that and attempts to strike a balance for both individuals and businesses, whilst the Working Party's approach lacks "pragmatism" [28] and refuses to strike that balance. Businesses are exempt from obtaining consent in two circumstances, [29] viz. where the cookie is "essential for the transmission of the communication to occur" [30] or where it is "necessary to provide functionality ... [which is] explicitly requested", [31] which some see as aiding businesses by expanding a narrow directive. [32] The effect is to allow cookies that support the functionality of websites, such as a shopping basket, but to require consent for analytical cookies. [33] This extends to cookies that count the number of hits a website gets, as these fall under neither exemption. This could be said to do little to mitigate the restrictiveness of the Directive or to define concepts such as "explicit request". [34] Moreover, the interpretation of the definition of consent differs in each Member State of the European Union.

[13] Supra 2 at Art 2(5) & (6).
[14] Ibid.
[15] Supra 6 at 3.
[16] Eduardo Ustaran & Victoria Hordern, "Clarifying Consent" 2011 PDP 11 8 (3) at 2.
[17] Eduardo Ustaran, "Obtaining Consent for Cookies" 2012 P. & D.P. 6 at 6.
[18] Supra 5 at 9.
[19] Supra 13 at Recital 66.
[20] William Long & Geraldine Scali, "Cookies: The cookie opt-in rule: how the EU is reacting so far" 2011 Data Protection Law & Policy, Vol 8 Issue 8; Amy Chandler, "New rules on the use of cookies" (Pannone 12 July 2011) accessed 15 June 2013.
[21] Amy Chandler, "New rules on the use of cookies" (Pannone 12 July 2011) accessed 15 June 2013.
[22] "How Google collects data about you and the internet" (Royal Pingdom 8 January 2010) accessed 28 May 2013.
[23] Supra 10 at 878.
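The consent-gating rule this section describes (no cookie before prior, informed consent; the two strictly-necessary exemptions; and the Information Commissioner's sliding scale under which a more intrusive cookie needs a stronger form of consent) is straightforward to express in code. The following is an added example written for this page, not code from the article or from any regulator, browser vendor or advertising body: a small Node.js module that enforces the rule server-side at the moment a response is about to emit Set-Cookie headers. The cookie names, the registry of purposes, the `oba_consent` cookie format and the per-category policy (implied consent suffices for analytics, explicit consent is required for advertising) are all assumptions chosen for illustration.

```javascript
'use strict';
// Added example for this page (not the article's code): consent-gated cookie setting
// modelled on Article 5(3) of the e-Privacy Directive. Cookie names, the oba_consent
// format and the per-category policy are assumptions made for illustration.

// Only STRICTLY_NECESSARY maps to the two Article 5(3) exemptions: needed for the
// transmission, or for functionality the user explicitly requested (e.g. a basket).
const STRICTLY_NECESSARY = 'strictly_necessary';
const ANALYTICS = 'analytics';
const ADVERTISING = 'advertising';

// Cookies a hypothetical site sets, with the purpose text a notice must show (assumed).
const COOKIE_REGISTRY = {
  session_id:  { category: STRICTLY_NECESSARY, purpose: 'keeps you signed in during this visit' },
  basket:      { category: STRICTLY_NECESSARY, purpose: 'remembers the items in your basket' },
  hit_counter: { category: ANALYTICS,          purpose: 'counts visits to each page' },
  ad_profile:  { category: ADVERTISING,        purpose: 'builds an interest profile for targeted adverts' },
};

// Sliding scale (assumed policy): the more intrusive the category, the stronger the
// consent needed. 'implied' = inferred from continued use after a notice was shown;
// 'explicit' = a positive choice the user recorded.
const REQUIRED_CONSENT = { [ANALYTICS]: 'implied', [ADVERTISING]: 'explicit' };

const CONSENT_COOKIE = 'oba_consent';

// Parse the request's Cookie header into a consent record, or null if none is usable.
// Assumed format: oba_consent=v1.<explicit|implied>.analytics:1.advertising:0
function parseConsent(cookieHeader) {
  const pair = (cookieHeader || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  const [version, source, ...choices] = pair.slice(CONSENT_COOKIE.length + 1).split('.');
  if (version !== 'v1' || !['explicit', 'implied'].includes(source)) return null;
  const record = { source, choices: {} };
  for (const c of choices) {
    const [cat, v] = c.split(':');
    if (cat && (v === '0' || v === '1')) record.choices[cat] = v === '1'; // anything else is ignored
  }
  return record;
}

// Build the consent cookie value for a recorded choice.
function serializeConsent(source, choices) {
  const parts = Object.entries(choices).map(([cat, v]) => `${cat}:${v ? 1 : 0}`);
  return `${CONSENT_COOKIE}=v1.${source}.${parts.join('.')}`;
}

// Decide whether one named cookie may be set under a consent record. Deny by default.
function decide(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { allowed: false, reason: 'unknown cookie, not in registry' };
  if (entry.category === STRICTLY_NECESSARY) return { allowed: true, reason: 'exempt under Article 5(3)' };
  if (!consent) return { allowed: false, reason: 'no consent recorded' };
  if (consent.choices[entry.category] !== true) return { allowed: false, reason: `no consent for ${entry.category}` };
  if (REQUIRED_CONSENT[entry.category] === 'explicit' && consent.source !== 'explicit') {
    return { allowed: false, reason: `${entry.category} needs explicit consent, only implied recorded` };
  }
  return { allowed: true, reason: `${consent.source} consent for ${entry.category}` };
}

// Enforce at the response layer: keep only the Set-Cookie headers the consent permits.
function filterSetCookies(setCookieHeaders, requestCookieHeader) {
  const consent = parseConsent(requestCookieHeader);
  const kept = [];
  const dropped = [];
  for (const header of setCookieHeaders) {
    const name = header.split('=')[0].trim();
    const d = decide(name, consent);
    (d.allowed ? kept : dropped).push({ header, reason: d.reason });
  }
  return { kept, dropped };
}

// "Clear and comprehensive information": the non-exempt cookies a notice must describe.
function noticeItems() {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, e]) => e.category !== STRICTLY_NECESSARY)
    .map(([name, e]) => ({ name, category: e.category, purpose: e.purpose, consent: REQUIRED_CONSENT[e.category] }));
}

// Constructed sample: the cookies the app wants to set, on a first visit (no consent
// recorded) and on a later visit where only implied consent to both categories exists.
const WANTED = ['session_id=abc; HttpOnly; Secure', 'basket=42', 'hit_counter=1', 'ad_profile=sports'];
const firstVisit = filterSetCookies(WANTED, 'theme=dark');
const impliedVisit = filterSetCookies(
  WANTED,
  'theme=dark; ' + serializeConsent('implied', { analytics: true, advertising: true }),
);

if (typeof module !== 'undefined') {
  module.exports = { parseConsent, serializeConsent, decide, filterSetCookies, noticeItems, firstVisit, impliedVisit };
}
```

Filtering at the response layer matters because hiding a banner client-side is not enforcement: a tracking script can still set cookies. Under this policy a consent record that is absent, malformed, or of the wrong strength yields a denial, so the default for every non-exempt cookie, including the hit counter the text singles out, is "do not set"; on the first visit only `session_id` and `basket` survive, and with merely implied consent `ad_profile` is still dropped.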
The two consistent themes on which all of the Member States agree are (i) that "in order for consent to be given, a user must be provided with clear and comprehensive information about the cookies, what information they use and what the purpose of them is" [35] and (ii) that "cookies defined as strictly necessary are exempt from the law". [36] Due to the lack of guidance from the European Union on the method by which consent should be obtained, Member States have differed in their view of whether explicit consent, informed consent or consent derived from browser settings should be used. Countries such as Portugal, the Netherlands, Lithuania, Latvia, France, Germany, Greece, Croatia and Cyprus opted for explicit consent, whilst Hungary, Ireland, Luxembourg, Poland, Slovakia, Spain and Sweden are opting for browser settings, and Belgium, Bulgaria, the Czech Republic, Denmark, Estonia, Romania and the United Kingdom are opting for implied consent. [37] The failure of the European Union to define consent and to state specifically the method by which it expects consent to be obtained has been criticised by the Working Party as well as the Commission. [38] This signifies disagreement between Member States as to what the definition of consent is. It further suggests that the law is unclear and that the aim the European Union hoped to achieve, protecting individuals' privacy and data at a European level, has not been achieved. In order to provide some guidance on the law of consent, the UK CAP has released guidance which it explicitly states is not intended to provide compliance with the law. [39] This guidance aims to balance protecting individuals with allowing businesses to access and use their data for the purposes of OBA, by helping to "deliver greater transparency and user control. It does so whilst allowing relevant advertising to continue to underpin quality content and services", [40] according to Nick Stringer, director of regulatory affairs at the Internet Advertising Bureau in the UK. However, the fact that Member States felt the need to provide guidance on the law suggests that the law is unclear. Furthermore, it opens the law up to interpretation, consequently meaning that the aims of the EU fail to be achieved.

[24] Article 29 Working Party Opinion 15/2011 on the definition of consent WP187 at 8–11 & 23.
[25] Ibid at 8–11 & C-92/09 and C-93/09 Volker und Markus Schecke [2010] ECR I-11063 at 63.
[26] Information Commissioner's Office, "Guidance on the rules on use of cookies and similar technologies" Version 2, 13 December 2011, at 25 & Information Commissioner's Office, "Guidance on the rules on use of cookies and similar technologies" Version 3, May 2012, at 6.
[27] Supra 4.
[28] Supra 16 at 4.
[29] Supra 2 at Article 5(3) & Supra 5 at 8 & Opinion 04/2012 on Cookie Consent Exemption WP 194.
[30] Simon Elliott, "Guidance on exemptions to cookie consent" 2012 P. & D.P. 3 at 5 (citing Opinion 04/2012 on Cookie Consent Exemption WP 194 at 3).
[31] Ibid.
[32] Supra 16 at 4.
[33] "Of Cookies and spam" (IT Law Group 21 June 2010) accessed 22 June 2013 at 2.c.
[34] Julian Flamant, "Europe: Cookies, consent & exemptions: the evolving discussions" 2012 E-Commerce Data & Policy Vol 9 Issue 6, June 2012.
[35] "EU Cookie Law Landscape" (Cookie Reports) accessed 18 September 2013.
However, the Working Party in its opinion on consent criticises the current law as not being sufficient "to ensure website operators comply with new requirements for obtaining users' consent to cookies under EU law". [41] The Working Party maintains that the law on consent, as it stands, is inadequate in protecting individuals' data. It argues that many public surveys suggest that individuals who rely on the Internet are not aware that their information is being used for the purposes of targeted advertising. [42] It could be argued that most individuals accept cookies without reading the purposes for which their information will be used. They do this for a number of reasons, such as to save time, or out of necessity in order to use the site to its full potential. This suggests that the EU's aim of protecting data subjects' personal data by gaining their prior, informed opt-in consent is not being achieved, because individuals are not aware that their data are being collected and used for the purposes of OBA, thus negating the point of informed consent. It implies that individuals are ill-informed about what cookies are, as they accept and consent to them without reading and understanding the implications this can have for their privacy, nor the benefits cookies may offer to the Internet experience. Some websites that use cookies to track individuals' activities on their site can, if they choose, refuse access to the site unless the individual first accepts and consents to cookies being placed on their device. It could be argued that this goes against what the EU was trying to achieve through the new opt-in requirements, as individuals are forced into accepting cookies rather than freely consenting to them. This further emphasises current problems in the legal protection of an individual's privacy and data. There are additional problems with consent, such as the challenges relating to minors and those who lack full legal capacity to make an informed decision. [43] This is because the Directive states that "informed" consent must be obtained, [44] and both of those categories of individuals are unable to give their consent explicitly, let alone impliedly. [45] The lack of response here can be seen to be failing these individuals, as it is difficult to monitor this situation: it is next to impossible for a business to ensure that those vulnerable people are aware of what they are consenting to, given the anonymity of the Internet. It is submitted that such individuals should be given special protection and that a higher level of consent should be obtained from them.

[36] Ibid.
[37] Ibid.
[38] Supra 6 at 6.
[39] http://www.huntonprivacyblog.com/2012/12/articles/newuk-online-behavioral-advertising-code-released/ accessed 12 June 2013.
[40] "Online Behavioural Advertising transparency and opt out requirements to be set out in UK advertising rules" (out-law.com, published 22 November 2012).
[41] Supra 6 at 3.
[42] Supra 5.
The Working Party suggests that they would be better protected "if the directive contained additional provisions, specifically addressed to the collection and further processing of their data". [46] However, because the law is lagging behind technology, there is no way of ensuring and verifying that information obtained by businesses for the purposes of OBA comes from people who are capable of reading, understanding and freely consenting to having their data collected. The anonymity of the Internet makes that nearly impossible. If the law intends to protect all individuals, it needs to be amended to take into account those who are unable to give informed consent but who currently consent without knowing the consequences. Different types of information, such as sensitive personal data [47] regarding a person's religious beliefs or sexual preference, require a higher level of consent to be obtained by businesses, which arguably is not enforced as the legislation currently stands. This suggests that the law does not protect individuals' data but allows businesses to access their sensitive personal information far more easily than they would have had they had to obtain it on paper or through face-to-face communication. However, this should not be the case as more and more people gain access to the Internet and become more reliant on it for everyday use. [48] Academics, [49] website owners [50] and the UK advertising industry have criticised the new opt-in requirements because they believe that the amendments threaten OBA and its future revenue. [51] The draft wording of the recital that brought about the change in the law is criticised by business [52] as forcing normally law-abiding businesses to search for wriggle room to manage the change. [53] Nonetheless, it must be questioned whether the new obligations placed on businesses, to provide individuals with clear and comprehensive information on whether their data are being collected, by whom and for what purpose, so as to allow them to make an informed decision, have a detrimental effect on advertising, which Struan Robertson describes as the "lifeblood of online publishing". [54] Do businesses suffer because individuals refuse to consent to their data being collected, or are individuals willing to offer their consent and give up their privacy and data in return for targeted advertisements? Raj Samini suggests that people are willing to give up their personal information so long as they get something in return for it: [55] in this case they get targeted advertisements and the benefits of a commercially viable Internet. His suggestion is supported by a recent study conducted by the Internet Advertising Bureau UK and ValueClick.

[43] Supra 6 at 28.
[44] Supra 2.
[45] Oliver Bray & Paul Joseph, "Collecting data online: what is best practice?" 2010 C.T.L.R. 208 at 209 & Article 29 Working Party Opinion 15/2011 on the definition of consent WP187 at 28.
[46] Ibid at p. 28.
[47] Section 2 of the Data Protection Act 1998.
They found that as many as 45% of the 2001 Internet users aged sixteen or over who were surveyed said that they were happy for businesses to track their online activity in order to deliver personalised advertisements. [56] This illustrates two things: first, that a large number, if not a majority, are aware of the trade-off involved in businesses collecting their data for targeted advertisements and, secondly, that they do not mind providing their consent as long as they feel that they get something in return. However, there is obviously a sizeable majority of people who are possibly unaware of this, and the EU rightly wants to help them make informed decisions as to what they are consenting to. This could explain why the law requires businesses to make it as transparent [57] as possible for individuals to know for what purposes they are collecting and using their data. However, if individuals do not read this and are only consenting in order to access websites, or consenting to cookies without fully understanding what they are, is the law achieving its purpose?

[48] Supra 5 at p. 3.
[49] Supra 24 at p. 8.
[50] Bray, O. and Pickford, L.J., "C is for cookie but also Consent" (Lexology, published 2 August 2010) accessed 5 June 2013.
[51] Ibid.
[52] Robertson, S., "Consent will be required for cookies in Europe" (out-law.com, published 9 November 2009) accessed 4 June 2013.
[53] Ibid.
[54] Supra 8.
[55] Samini, R., "How much do you value your personal data?" (The Telegraph, published 14 October 2012).
[56] McHugh, P. and Francis, C., "Survey reveals nearly half of web users happy with behavioural advertising" (out-law.com, published 14 May 2012) accessed 19 July 2013.

3. Default inertia?

There are genuine concerns that must be addressed, especially around the misuse of people's information. [58] However, those concerns could perhaps be remedied, or at least lessened, by increased awareness. It is of course only the job of the law to ensure that people are not exploited, and it is not down to individuals to be up to date with every change in Internet technology. However, as stated before, the Working Party's rhetoric on the matter says that "opt-in" does not go far enough, [59] and companies' PR [60] seems to do nothing but exacerbate and play on people's fears. It is submitted that such concerns need to be addressed rather than fuelled. There is a very real danger of "default inertia", [61] whereby people simply reject or accept cookies by default because of this lack of understanding. This is disadvantageous not only for industry but also for individuals: if there are no accurate data upon which companies may base profiles, individuals will simply be bombarded by a whole spectrum of adverts, some possibly even highly offensive, rather than simply fewer adverts, [62] running counter to the wishes of individuals. [63] Is there a solution, then, that will both engage individuals and empower them?

4. A different solution?

A mooted solution to this issue is the "Proprietary Rights Model". [64] This suggests that individuals should be able to contract with, and sell their information directly to, companies. It starts from the premise that the information generated by individuals in their online activities should be a tradable commodity, and that if companies wish to use it they should pay its creators (individuals) for it. Supporters of this view state that it is a solution to the general tendency of businesses to "internalize the gains ... [and externalise] ... the negative". [65]

One of these negatives is that there is very little consequence for a breach of the data collected by companies. In the UK, individuals are able to sue for damages, [66] but the main deterrent against data loss should be the damage to reputation that companies suffer. Yet the status quo means that individuals interact in a market where they have very little control or choice over the business that processes their data, and therefore reputation matters very little. Individuals mostly do not realise who is collecting their data, so how can they make a judgement about which companies they want to "sell" their data to? It is suggested that this approach would mean that people could choose the company with the best record, and the market would step in, which in turn would precipitate better service for customers [67] and enhanced protection for their data. [68] This is a right that seems to have been afforded to celebrities in various cases [69] where, although applied mostly to photographs, "commercial exploitation of their names, likenesses and other indicia of the commercial value of their person" [70] has been protected. Why then could this not be extended to the public at large? Whilst these cases may not be exactly the same, the principle stands. A person's activity on the Internet creates a profile of their characteristics that has a value, a likeness and also personal investment. Bartow believes that the best way to encompass this is an approach similar to that of intellectual property, which is useful to those "who want to prevent unwanted commercial exploitation and protect against usurpation of the investment that they have in their own individual characteristics". [71] Because data have been created by a data subject's activity, they should be able to sell that information. But individuals do not really have a choice as to whom they give their data. So this approach may give data subjects contractual freedom to trade with whom they want.

This is something that individuals are already beginning to do, [72] but this model would allow individuals to make deals, choose providers and personalise the Internet for themselves. [73] This approach is not without serious issues though. Firstly, people have an inflated view of what their information is worth and also a very big misconception of what kind of information is actually being collected. [74] Several problems stem from this. It is true that celebrities can pick and choose to whom they sell their "data", [75] but there is no reason why this should apply to ordinary individuals. [76] Celebrities' images are cultivated, carefully managed and have a quantifiable monetary worth, and they can be selective about what they sell because of the individual and limited nature of that "product". The kind of information that is being gathered on individuals is not the result of a cultivated, carefully managed process. Whilst individuals do pay close attention to their Facebook profile, for example, which provides a lot of personal data for advertisers, they are not consciously putting together a portfolio to sell to advertisers in the way that celebrities do. Neither are the data selective, individual or limited, as it is business that filters, distils and makes usable the data gathered on individuals, not the individuals themselves. To make this model work, the "product" being sold by individuals would need to be bespoke, and probably only businesses themselves have the time and knowledge to do that. The sheer volume of data created by a person [77] in order to make "Big data" work economically means that it is inconceivable that an individual would be able to go through it properly to get the best deal. They probably would not even recognise every "like" on Facebook or every web page on which they have featured that constitutes their own profile. This would fundamentally change the nature of the Internet. If people were consciously having to put themselves in the best light to enhance their "portfolio", the freedom the Internet gives you to do what you like (within reason) would be lost. It is almost akin to a total loss of innocence, as the Internet would become only a commercial environment for those wishing to take part.

[57] Supra 41.
[58] Ryan Calo, "The boundaries of privacy harm" 2011 Indiana Law Journal 86.
[59] Supra 16 at 4.
[60] Accessed 10 20 August 2013.
[61] Supra 10 at 878.
[62] Supra 10 at 882; Lenard & Rubin, "In defence of data" (Tech Policy Institute 2009) accessed 22 July 2013.
[63] "Survey reveals nearly half of web users happy with behavioural advertising" (Out-Law 14 May 2012) accessed 23 June 2013.
[64] Supra 8.
[65] P Sholtz, "Transactional costs and the social costs of online privacy" (First Monday 4 May 2001) accessed 23 June 2013.
[66] Sections 13 & 55A Data Protection Act 1998.
[67] P Swire, "Markets, self-regulation, and government enforcement in the protection of personal information", in: Privacy and Self-Regulation in the Information Age, U.S. Department of Commerce, 1997.
[68] K C Laudon, "Markets and privacy" 1996 Communications of the ACM Vol 39 No 9 at 103.
[69] McGregor v Fraser [2003] EWHC 2972; Campbell v Mirror Group Newspapers [2002] EWHC 499; Douglas v Hello [2005] EWCA Civ 595; Gasus Dosier- und Fördertechnik GmbH v the Netherlands [1995] ECHR 306.
[70] P Samuelson, "Privacy as intellectual property" 2000 Stanford Law Review 52 1125 at 1142.
[71] A Bartow, "Our data, ourselves: Privacy, propertization and gender" 2000 University of San Francisco Law Review Vol 34 655 at 695.
[72] Supra 8 at 276.
[73] Supra 69 at 104.
[74] Supra 57.
There is also a fundamental difference between this model and that of intellectual property, namely that intellectual property rights protect investments in unique products. [78] Intellectual property law is needed as an "incentive to invest", [79] which does not exist for personal data. [80] Personal data may relate to unique individuals, but there is a whole world of potential profiles from which companies can select to trade, negating any sense of scarcity or compulsion to invest. Profiles can also relate to different products; personal data simply exist by virtue of "natural existence". [81] That is to say, if someone is using the Internet then a profile will build up through their interactions, probably without their direct knowledge. Intellectual property rights differ in that they stem from the fixation of a unique idea formulated by a person for a specific purpose, which needs protecting because of the inherent value in the expression of the idea alone. Unlike copyrightable expression, there is no inherent value in an individual's personal data until they are processed by a business. It is that processing, and the way the data are used and for what purpose, that gives them value. It is almost a collaborative effort, more akin to a partnership than anything else, between the individual and businesses, with both parties presently benefiting. Individuals get targeted advertising and websites that are economically viable and provide a service, whereas businesses make money. But this will not produce equality between individuals and businesses, as asserted by some. [82] Website providers are providing a service that individuals want and around which their lives increasingly revolve. Therefore, it is very unlikely that Facebook or Google would actively negotiate with an individual, with a lawyer or broker dealing with each "client". What is more likely is that websites will have a "take it or leave it" [83] attitude and that no amount of data selling will level that negotiation out. It has been postulated that the sheer number of contracts that companies would have to generate for every individual will mean standard contracts, with individuals "expected to fend for themselves ... likely to accept whatever businesses offer them". [84] This is of central importance: the idea behind this approach is to empower people, yet a majority of individuals will probably not be savvy enough, or have the time, to negotiate these complicated contracts. This is even worse for "unsophisticated individuals" [85] or children, who will in all likelihood become easy prey with no remedy. Might this result in a kind of "exclusivity" clause that would actually limit which websites a person could view? How much would a company be prepared to pay? It is submitted that if people were not already confused or intimidated by OBA, this would produce that outcome. Likewise, regulation of this would be very difficult, especially on a global level. That global difference is also at the heart of this solution.

[75] Douglas v Hello [2005] EWCA Civ 595.
[76] Supra 8 at 284.
[77] Patrick Tucker, "Has big data made anonymity impossible?" (Mashable.com 7 May 2013) accessed 15 August 2013.
[78] M Lemley, "Comments. Private property" 2000 Stanford Law Review 52 at 1550.
[79] Ibid.
[80] Supra 8.
[81] Supra 8 at 296.
The Proprietary Rights Model is fundamentally an American idea to deal with the problems of the American approach to human rights and property and “avoids tackling the hard policy questions”86 underlying it. It is contended that this approach runs counter to the idea of “personhood”87 i.e. that privacy is an innate part of a person that is part of the European model of human rights and it is “non-commodifiable”.88

5. The future

The Proprietary Rights Model has been shown to be as flawed as the current system. Does the incoming law deal with this issue better? The General Data Protection Regulation, if it ever comes into force (possibly not until 201689) will no doubt result in a “uniform, transparent and accessible set of rules, which

82 Supra 55 at 104.
83 Supra 8 at 292.
84 P M Schwartz, “Beyond Lessig’s Code for internet privacy: Cyberspace filters, privacy-control and fair information practices” 2000 Wisconsin Law Review 743 at 767.
85 Supra 8 at 297 & L Bergkamp, “European community law for the new economy” 2003 Antwerp: Intersentia at 123.
86 J E Cohen, “Examined lives: Informational privacy and the subject as object” 2000 Stanford Law Review 52 at 1436.
87 Supra 8 at 280.
88 M J Radin, “Incomplete commodification in the computerized world” 2002 The Hague: Kluwer Law International at 17–18.
89 Tanguy Van Overstraeten & Alana Van Casenegem, “Legislative Comment – EU: data protection” 2013 C.T.L.R. N-21.


can much more effectively be enforced across the EU.”90 It came out of a call for a regulation to harmonise the law.91 Yet it remains to be seen if this will placate the views of the EU on OBA. One very interesting development within it, in the same vein as the Proprietary Rights Model, is the idea of data portability. Article 18 of the proposed Regulation would bring in the ability for individuals to “obtain an electric copy of their data”92 to enable them to move it somewhere else. Whilst this may be only a small empowerment for individuals, in large numbers the effects on companies could be significant. Will this have any effect though? Perhaps not, if allowing a data subject to have access to a particular network is dependent upon personal data being used as consideration (such as with Facebook), thus keeping power in the hands of business. There are other issues highlighted, though, by academics such as Gerrit Hornung.93 Chief among these is the fact that many EU nations (particularly Germany) already have a protective regime that is more stringent than the Regulation would provide. What also needs to be pointed out is that this is only an EU measure. Although it is applicable to companies that reside outside the EU if they are processing data from citizens of the EU,94 it only affects EU citizens. By making it harder for companies to process data within the EU, is the EU damaging itself in a trading capacity? It cannot be dismissed that the EU at present represents a huge block of the Internet-using public; however, the rest of the world is catching up and presents much more fertile ground for growth. Hornung rightly points out that this “entails a serious institutional shift”95 in that the European Commission is now assuming largely all of the control for data protection in the EU rather than the States. This highlights one of the problems with the EU and with Regulations: different States are at different stages of development.
Those States, like Germany, that wish to have a stringent data protection policy are held back by this, whereas those that take a more liberal approach, such as the UK, are burdened. A more immediate change in the legislation in this area has come through the European Commission, which has amended Directive 2002/58/EC through a Regulation (611/2013).96 611/2013 came into effect on 25 August 2013, the headline change being that “providers of publically available electronic communications services (provider)97 … shall notify all personal data breaches to the competent national authority98 … no later than 24 h after the detection of the personal

data breach, where feasible99”. Providers are also under an obligation to inform the subscriber or individual if the breach is “likely to adversely affect the personal data or privacy of a subscriber or individual”.100 There is a derogation provided by 611/2013 for notifying the subscriber or individual, which arises where the competent national authority is satisfied that the provider “has implemented appropriate technological protection measures … [which] render the data unintelligible”.101 611/2013 appears to provide a solution to a problem with OBA, namely that when a breach of data occurs there is rapid action to inform and remedy it. It has also been noted that, until now, legislation on data breaches has been focused on preventing fraud and identity theft, whereas 611/2013 also includes “the prevention of social harm to the individual, including physical harm, significant humiliation or damage to reputation”.102 Individuals will welcome this, certainly because it recognises that it is not just financial data that is important, but personal data which could be exposed and which could cause embarrassment or quantifiable harm to them. However, this has been criticised as encompassing a “wide range of data that are not easy to define”.103 This also appears to be quite subjective in nature, as it is down to the provider to ascertain whether or not the individual needs to be notified.104 Whilst providers may well be subject to fines if they do not inform individuals because of this,105 it remains to be seen how this subjectivity will be combated.
It has also been suggested that there is in fact no need to inform the competent national authority, as the provider is “best placed to access the risks … has all the information … has a greater interest in acting correctly … will be responsible for damages”106 and essentially that the individual should be notified first, not the data controller.107 This is certainly true, but there must be some kind of public database where data breaches are collated. There are two aspects of 611/2013 that are particularly concerning. The first is Article 4, which allows providers a derogation if the information is sufficiently “securely encrypted … [or has] a standardized cryptographic keyed hash function”108 which is approved by the competent national authority. This is concerning because there is no level of encryption that is 100% safe if there is a determined enough person or entity looking to exploit it. For providers it is probably better simply to

90 Henri De Waele, “Implications of replacing the Data Protection Directive with a Regulation – a legal perspective” 2012 P. & D.P. 3.
91 Ashley Winton & Neal Cohen, “The General Data Protection Regulation as it applies to online advertising, e-commerce and social media” 2012 C.T.L.R. 97; Winston J. Maxwell, “Data Privacy: the European Commission pushes for total harmonisation” 2012 C.T.L.R. 175.
92 Gerrit Hornung, “A General Data Protection Regulation for Europe? Light and Shade in the Commission’s Draft of 25 January 2012” Scripted Vol 9 Issue 1 April 2012 at 74.
93 Ibid.
94 Ibid at 72.
95 Ibid at 80.
96 Commission Regulation (EU) No 611/2013 of June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
97 Ibid at Article 1.
98 Ibid at Article 2 (1).


99 Ibid at Article 2 (2).
100 Ibid at Article 3 (1).
101 Ibid at Article 4 (1).
102 Laura Vivet Tañà, “EU Data Breach Notification Rule: The Key Elements” (Privacy Association 27 August 2013) (Accessed 12 September 2013) citing Supra 93 at Article 3 (2)(b).
103 Ibid.
104 Supra 97 at Article 2 & 3.
105 “Europe Harmonizes How Operators Must Notify Personal Data Breaches” (Jones Day Commentary July 2013) (Accessed 12th September 2013) at 2.
106 Supra 103.
107 Ibid.
108 Supra 97 at Article 4 2(a)&(b).


inform individuals, no matter what level of encryption is available. Secondly, there is the review period of three years.109 This period is too long to keep up with developments in the Internet. It is suggested that, in order to keep pace, a review by the Working Party no later than one year thereafter is needed for the Regulation to be effective. It has also been noted that this Regulation provides further confusion for businesses, as there is a move to allow a 72 h notification period for data breaches.110 Furthermore, this Regulation still does not make an attempt to inform consumers about the use of OBA by companies. Instead, what appears likely to happen is that individuals will get an email or letter (or, in some circumstances, an advertisement directed at them) saying that their data privacy may have been breached. They may not even know that the company writing had any of their personal data, which will only serve to further alienate individuals from OBA.

6. Conclusion

It has been shown that EU law currently fails individuals. It is too restrictive of business although, contrary to the tone of this debate, there is a real and tangible reason why this is so. Online advertising makes the Internet as we know it possible. Whilst many may lament the commercialisation of the Internet, it is necessary to provide people with the services that they have become reliant upon. As with most innovation, even in the online world, everything has its price. Whilst it has not been argued that companies should have carte blanche to use data of individuals in any way they wish, nor exploit them for it (especially those who are vulnerable), business does need to be able to use an individual’s data. There is a very strong case that can be made that “behavioural advertising’s … substantial benefits … [make it] more difficult to make a plausible case that individuals have an absolute right to privacy and/or complete control of their data”111 as it would have a detrimental effect on the Internet. Data inertia is a real cause for concern and the EU’s opinion on OBA (through the Working Party) only helps to further cement that as a problem for the online advertising community. With regard to the proposed Regulation, it is too early to say what impact this might have, but using a broad-brush approach with such an issue seems to be a lazy option. It remains to be seen if individuals will take up the offer of Article 18 and use it to their advantage; however, given the public’s response to the opt-in provisions, this may begin to be even more of a tedious annoyance. This issue is of vital importance and individuals need to be encouraged to engage with it, not shy away from debate. People need to be able to make an informed choice, not one that is based on misconception and fear. The law needs to address this issue. For all its failings, the Proprietary Rights Model would at least give individuals good reason to visualise OBA in a more positive light and engage with what happens to their data. However, the risks to individuals are very high too. What is needed therefore is more balance in the law and a higher profile given to these practices, especially as to the benefits. If people could imagine the consequences of an Internet starved of funds, they would be just as concerned.

109 Ibid at Article 6.
110 “EU: New regulation may harmonise telcos’ breach notification timeframe” (Privacy this Week 27th June 2013) Accessed 27 September 2013.
111 Supra 12 at fn 107.