Archive for the ‘Cookie rule’ Category

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by Phil Lee

Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment. As this issue continues to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and from a market-adoption perspective.

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls – a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular) and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring following ‘concerns’, with a view to considering enforcement action. This is not only related to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (many fewer than the number of concerns about unwanted marketing communications, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or that are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

Poland and cookies – what’s the story?

Posted on April 22nd, 2013 by Dominika Kupczyk

Last month Poland joined the club of EU Member States to implement Europe’s consent requirement for cookies set on users’ devices. As Poland was rumoured to be one of the Member States contemplating strict opt-in, all eyes were on how exactly it would implement the cookie consent rule.

Cookie rules

Poland’s cookie consent law entered into force only on 25 March 2013 and seemingly introduced an opt-in requirement before setting cookies - with potential fines of up to 3% of revenue for website operators in breach.

Specifically, the new law imposes an obligation to inform users in advance, in a clear, unambiguous and easily understandable manner about:

1) The fact that cookies are being placed on their devices;

2) The purposes for which cookies are used;

3) The user’s right to access information about them; and

4) The ability to accept or refuse the cookie.

Like most Member States, consent is not needed for strictly necessary cookies.

So does Poland really require opt-in?

During the legislative work on the amendment, various forms of valid consent were proposed: implied, written and even consent signified through a simple “I accept” button. In the end, Article 173(2) of the amended Telecommunication Law says that:

The subscriber or end user can express consent (…) by means of settings of a software installed on the telecommunication device they are using or through settings of the service

The websites of the two main regulators in Poland have both adopted an implied cookie consent banner approach, and even the Polish Ministry of Administration and Digitization (Ministerstwo Administracji i Cyfryzacji) has indicated it supports consent obtained through browser settings. It is unclear whether this would extend to default browser settings.

What does this mean?

For businesses still building out their cookie consent strategy for the EU, this is good news: Poland was one of a couple of ‘outlier’ states threatening to adopt strict opt-in consent for cookies. Had it adopted strict opt-in as the standard for consent, businesses operating on a pan-EU basis would have had to implement a different consent solution for Poland than for other, more relaxed EU territories where they could instead rely on implied consent.

In the end, this hasn’t happened and the other key outlier territory, the Netherlands, also looks set to acknowledge the validity of implied consent in the very near future.  When the cookie consent rule first came into effect in Europe back in 2011, nobody knew what a robust but pragmatic cookie consent solution would look like; now, two years on, both business and regulators alike are increasingly settling on implied consent as the answer.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by Phil Lee

Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies”, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement that it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lends significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

Dutch to accept implied consent for cookies?

Posted on February 26th, 2013 by Phil Lee

Recent developments in the Netherlands indicate that the Dutch may soon exempt first party analytics cookies from EU cookie consent requirements and allow website operators to imply their visitors’ consent for other types of cookies.

Background to Dutch rules on cookies

By way of a re-cap, the European cookie consent rules (Article 5(3) of the e-Privacy Directive) were implemented in Article 11.7a of the Dutch Telecommunication Act in June of last year. These rules, overseen by the Telecommunication Authority, became effective on 5th June 2012 and require anyone who uses cookies to:

(a) obtain consent from the user on whose terminal equipment the cookies are stored, and

(b) clearly and comprehensively inform the user about the purposes of the cookie usage.

However, the Dutch cookie regulation went one step further and created a legal (refutable) presumption that the use of tracking cookies (over multiple websites) for commercial purposes constitutes processing of “personal data” under the Dutch Data Protection Act and this presumption became effective on 1st January 2013.

During the parliamentary debate, the Telecommunication Authority was urged not to enforce all rules before the 1st of January 2013, and the Telecommunication Authority accepted this grace period. As a result, most Dutch businesses have only just started to make their websites compliant with the new consent rules, and since the start of the new year Dutch residents have started to see cookie pop-ups on almost every site they visit.

Recent developments

The government has concluded that there is widespread unhappiness amongst users with this practice.  The Minister for Economic Affairs (Mr. Kamp) has therefore encouraged Parliament to “soften” the effects of the cookie regulation and proposed two measures:

First-party analytics cookies

Firstly, the Minister has indicated that the Telecommunication Act will be amended. As a result of the amendment, the use of first-party analytics cookies will be allowed without consent. The duty to inform users about their use will still apply.

The Minister had previously announced in December, and reiterated in early February, that he was working with the Telecommunication and Data Protection Authority on crafting a more lenient regulatory regime for first-party analytics cookies. Initially, it therefore seemed this cooperation between the Telecommunication Authority, the Data Protection Authority and the government would result in regulatory guidelines concerning analytics cookies. Now it seems that the government will introduce legislation instead.

This proposal is expected to be submitted to Parliament mid-March.

Implied consent

Secondly, the Minister said the government is considering new regulations that would make it possible to obtain users’ “implied” consent. The Minister indicated that if a user is informed of the fact that a website uses cookies and how he can refuse those cookies, his consent can be implied if he continues to browse the website without changing his cookie settings.

If this approach is implemented, website owners would then no longer need to actively seek explicit consent for the use of cookies in the Netherlands. The approach would be in line with the position adopted by the UK Information Commissioner (ICO), who already acknowledges implied consent as a viable solution. However, implied consent was not an option previously accepted by the Telecommunication Authority: in each of the FAQs it issued, it stated that a user must actively give consent to the use of cookies. The government’s proposal is therefore a major departure from the current state of affairs.

As for the applicable timeline, this will depend on the legislative instrument used to implement this change but could potentially be a matter of weeks.

What this means now

In the meantime, these announcements by the Minister do not change the law (yet) and the Dutch Telecommunication Authority is still authorized to enforce the current cookie rules. The Minister is competent to instruct the Telecommunication Authority to suspend enforcement of the provisions but there is currently no information on whether the Minister has ordered (or will order) this. However, taking these latest developments into account, it seems likely that the strict opt-in consent standards currently in force in the Netherlands will transition to implied consent over the coming months, bringing the Netherlands into line with much of the rest of Europe.

With thanks to our friends Nicole Wolters Ruckert and Hester de Vries from Kennedy Van der Laan for this update.

Europe continues to embrace cookie consent

Posted on February 5th, 2013 by Phil Lee

We’ve just published an updated table of European cookie consent requirements (available here), which makes clear that Member State adoption of local cookie consent laws continues to spread.

Our latest update reveals that:

*  24 out of 30 EEA Member States have now adopted national cookie consent rules.

*  Since our last update, Poland, Portugal and Slovenia have adopted new local laws governing cookie consent.

*  There are ongoing regulatory developments with regard to cookie consent guidance and enforcement in Denmark, Italy, Ireland and the UK.

With cookie consent rules now adopted across nearly all European territories, online businesses operating without a notice and consent strategy face real exposure that they need to address and resolve promptly. And given the recent news of the first ever group privacy claim in the UK relating to cookies, non-compliance risk is rising from “simmering” to “boiling”!

Cookie consent enforcement – ICO’s latest

Posted on December 19th, 2012 by Eduardo Ustaran

The UK Information Commissioner’s Office has quietly published today a report detailing the concerns reported to them, the current picture and the action they are taking as of December 2012 in relation to the cookie consent requirement.

The highlights of the report are as follows:

*   Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.

*   Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

*   The ICO is continuing to write to websites they receive concerns about – This means that nobody is off the hook.

*   The ICO has also looked at the types of cookie in use – This means that the regulator has the means to investigate and find out about cookie practices on a per site basis.  If a site operator does not have this information, how is that going to look???

*   The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.

*   Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies – In other words, the ICO is not going to sit still.  The prospect of facing enforcement action is there.

*   If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with our criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties – This is the clearest threat of enforcement action to date!


Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by Eduardo Ustaran

Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in the USA for a while, but recent developments are a clue to what is about to happen. The spark may well have been ignited by the California Attorney General who, in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy. Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so. On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data. These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app. In fact, these cases are almost certainly the start of a trend that will extend to Europe in 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.


This article was first published in Data Protection Law & Policy in December 2012.

What will happen once the ASA starts to regulate Online Behavioural Advertising?

Posted on December 11th, 2012 by Phil Lee

Early next year, the UK Advertising Standards Authority (“ASA”) will start regulating Online Behavioural Advertising (“OBA”) in the UK – meaning that online advertisers who serve targeted ads to website visitors will have to worry not only about the risk of cookie consent enforcement by the ICO, but also the risk of investigation and public admonishment by the ASA. A regulatory double-jeopardy, if you will.

This is a consequence of recent changes to the “UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing” (“CAP Code”) that will come into effect on 4 February 2013. In effect, the CAP Code changes are designed to implement the earlier European Advertising Standards Alliance “Best Practice Recommendation on Online Behavioural Advertising” published in April 2011 – which, you may recall, the Article 29 Working Party wasn’t exactly excited about.

Anyone who’s read the EASA recommendation won’t be surprised by the CAP Code’s proposals – that website visitors must be given notice and choice, with advertisers encouraged to display a small icon licensed by the European Interactive Digital Advertising Alliance (or eDAA) alongside the adverts they serve by way of achieving this goal.  Nor will they be surprised by the ‘gaps’ in the CAP Code, most notably that it doesn’t apply to first party tracking by a publisher across its own website domains.

But what are the real consequences of the ASA wading into the murky waters of OBA regulation?   Broadly speaking, they can be boiled down to the following:

1.  Cookie regulation is not going to go away.  The revised CAP Code is simply implementing recommendations already published at a European level by the European Advertising Standards Alliance.  When it published its recommendations, EASA set an ambitious – and, as it turned out, unrealistic – goal of ensuring “at least 70% of its EU SROs [national advertising self-regulatory organisations] have implemented the BPR [best practice recommendation] within a year (i.e. by the end of April 2012)”.  When the UK took the lead on implementing cookie consent rules and guidance, other EU member states quickly followed suit – so it seems a relatively safe bet here that a similar regulatory flurry will follow now among EU advertising regulators.  This means that the amount of national regulation governing online tracking will continue to grow, not decline – with all the disharmony that entails.

2.  Confusion about what qualifies as lawful visitor tracking.   Being based on the EASA best practice recommendation, the CAP Code promotes a notice and opt-out approach.  That’s fine, but it’s not the law – which instead requires consent when serving tracking cookies.  The Article 29 Working Party have already been vocal in expressing their view that the EASA recommendation is not sufficient for obtaining consent, and CAP even acknowledges likewise – the new rules say that they “are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation”.  The net result?  Yet more confusion about what standards, exactly, businesses are to apply when tracking online visitors.  It seems an inevitability that many businesses will (mistakenly) assume that compliance with the CAP Code is, in itself, sufficient to comply with legal cookie consent requirements – risking exposure under local data protection laws.

3.  Expansion in enforcement remit for the ASA:  The new rules regulating website tracking for targeted advertising are interesting for another reason:  they represent a significant expansion of the ASA’s enforcement remit beyond simply regulating the content of adverts into regulating the technology used to generate and deliver those adverts.   The ASA’s remit already underwent a massive expansion in March 2011 when it grew beyond adverts in paid-for space to also include marketers’ own websites and communications on social networks, amid concerns over the ASA’s resourcing to effectively regulate these spaces.  That expanded remit could at least be characterised in terms of the ASA doing ‘more of the same’ online; this time around, however, its further expanded remit will require it to develop technological knowledge and skillsets it may not currently possess – raising questions over how consistent and effective its enforcement will be.

4.  Prepare for real enforcement.  Historically, the ASA has generally proven itself a better resourced and more active regulator than the ICO, having forced changes to or the withdrawal of some 4,591 ads in 2011 from a total of nearly 32,000 complaints.  While it doesn’t have the ability to fine, ASA investigations are costly, time-consuming and can result in embarrassing adjudications that are made publicly available and widely reported by the press.  The ASA is also a more familiar regulatory “brand” to many consumers who may more instinctively complain to the ASA than the ICO with concerns about targeted ads.  Long story short, there’s a good chance the ASA may well prove a more active regulator of targeted advertising than the ICO once the new rules come into effect.

So what does all this mean?  Ultimately, that online visitor tracking will remain high on the regulatory agenda for some time to come and, while it does so, the likelihood of some manner of regulatory enforcement grows all the time.  What form that enforcement will take – whether by a data protection authority, an advertising standards authority, or a consumer protection body, and whether in the UK, the rest of Europe or even a country outside the EU – remains to be seen.

All that can be said with certainty is that businesses that aren’t already thinking about their visitor transparency, choice and education strategies for their website tracking need to get their act together and do so – now!

Privacy’s greatest threat and how to overcome it

Posted on October 22nd, 2012 by Phil Lee

After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated.  The same might also be said of privacy.  Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.”  However, if last week’s IAPP Privacy Academy in San Jose was anything to go by, privacy is very much alive and kicking.

It’s easy to understand why concerns about the death of privacy arise though.  Today’s data generation, processing and exploitation is simply vast – way beyond a level any of us could meaningfully hope to comprehend or, dare I suggest, control.  The real danger to privacy though is not the scale of data processing that goes on – that’s simply a reality of living in a modern day, technology-enabled, society; a Pandora’s box that, now opened, cannot now be closed.  Instead, the real danger to privacy is excessive and unrealistic regulation.

Better regulation drives better compliance

From many years of working in privacy, it’s been my experience that most businesses work hard to be compliant.  Naturally, there are outliers, but these few cases should not drive the regulation that determines how the majority conduct their business.  It’s also been my experience that compliance is most often achieved where the standards applied by legislators and regulators are accurate, proportionate and not excessive – the same standards they expect our controllers to apply when processing personal data.  In other words, legislation and regulation drives the best behaviour when it is achievable.

By contrast, excessive, disproportionate regulation that does not accurately reflect the way that technology works or recognise the societal benefits that data processing can deliver often brings about the opposite effect.  By making compliance impossible, or at least, disproportionately burdensome to achieve, businesses, unsurprisingly, often find themselves falling short of expected regulatory standards – in many cases, wholly unintentionally.

The recent “cookie law” is a good example of this: a law that, though well-intentioned, is effectively seen as regulating a technology (cookies) rather than a purpose (tracking), leading to widespread confusion about the standards that apply and – let’s be honest – non-compliance currently on an unprecedented scale throughout the EU.

Why the Regulation mustn’t make the same mistake

In its current form, the proposed General Data Protection Regulation also runs this risk.  The reform of Europe’s data protection laws is a golden, once-in-a-generation opportunity to re-visit how we do privacy and build a better, more robust framework that fosters new technologies and business innovation, while still protecting against unwarranted privacy intrusions and harm.

But instead of focussing on the “what”, the legislation focuses too much on the “how”: rather than looking to the outputs we should strive to achieve (namely, ensuring that ever-evolving technologies do not make unwarranted intrusions into our private lives) the draft legislation instead mandates excessive accountability standards that do not take proper account of context or actual likelihood of harm.

For example:

*  How, exactly, does an online business ensure that its processing of child data is predicated only on parental or guardian consent (Article 8)?  My prediction: many websites will build meaningless terms into their website privacy policies that children must not use the site – delivering no “real” protection in practice.

*  Why is it necessary for an organisation transferring data internationally to inform individuals “on the level of protection afforded by that third country … by reference to an adequacy decision of the Commission” (Article 14)? Do data subjects really care where their data goes and whether the Commission has made an adequacy decision – or do they just want assurance that their data will be used for legitimate purposes and at all times kept safe and secure, wherever it is?  How does this work in a technology environment that is increasingly shifting to the cloud?

*  Why should controllers be required to provide data portability to data subjects in an “electronic and structured format which is commonly used” (Article 18)?  Surely confidentiality and data security is best achieved through the use of proprietary systems whose technology is not “commonly used”, therefore less understood and vulnerable to external attack?  Are we legislating for a future of security weakness?

*  Why should data controllers and processors maintain such extensive levels of data processing documentation (Article 28)?  How will smaller businesses cope with this burden?  Yes, an exemption applies for businesses employing fewer than 250 persons, but only if their data processing is “ancillary” to the main business activities – immediately ruling out most technology start-ups.

*  And how can we still, in this day and age, operate on a misguided assumption that model contracts provide a sound basis for protecting international exports of data (Article 42)?  Wouldn’t it make more sense to require controllers to make their own adequacy assessment and to hold them to account if they fall short of the mark?

Make your voice heard!

For the past 17 years, the European Union has been a standard-bearer in operating an effective legal and regulatory framework for privacy.  That framework is now showing its age and, if not reformed in a way that understands, respects and addresses the range of different (and competing) stakeholder interests, risks being ruinous to the privacy advancements Europe has achieved to date.

The good news is that reforming an entire European legal framework doesn’t happen overnight, and the process through to approval and adoption of the General Data Protection Regulation is a long one.  While formal consultation periods are now closed, there remain many opportunities to get involved in reform discussions through legislative and regulatory liaisons at both a European and national level.

To make their voices heard, businesses throughout the data processing spectrum must seize this opportunity to get involved.  Only through informed dialogue with stakeholders can Europe hope to produce technology-neutral, proportionate legislation that delivers meaningful data protection in practice.  If it does this, then Europe stands the best chance of remaining a standard-bearer for privacy for the next 17 years too.