Archive

Emma Callanan, assistant general counsel at ValueClick International Ltd, examines the issues of  e-privacy and the importance of getting the right legislation in Europe.

Markets hate uncertainty. So the conventional wisdom goes. And it is true. But the reduction of uncertainty through legislation is a mixed blessing if it is not interpreted correctly. The introduction of new amendments to the Data Protection Directive (95/46/EC) which was formally adopted on November 24th, 2009, went almost unnoticed during the negotiations as the requirements had been introduced as part of a wider EU telecommunications package.

The amendment to internet legislation has been wonderfully controversial and the question arose as to whether the new law would force companies to change the way internet cookies are used and thereby change the internet for users everywhere.

Article 5(3) allows the use of cookies provided the user is fully informed about the technology and has the right to refuse. The nightmarish situation of users being plagued with constant pop-up windows asking for permission to use cookies is exactly that - a nightmare. However, commercial and practical reality for the user can be saved when we look at the recital to the directive which outlines that the issue of permission for cookies can be dealt with through browser settings. And so the nightmare becomes a more safer and warmer reality of cookies...with milk.

The Data Protection Directive (95/46/EC; ‘DPD') protects individuals' personal data ensuring free movement while at the same time acknowledging the legitimate interests of businesses/commercial actors.

Digital advertising is pumping life into the EU's global-digital economy and is the foundation of many of the services, content and applications on the internet which we enjoy today, including  search engines, webmail, social-networking websites, price-comparison sites, blogs and video/photo sharing. Without digital advertising, consider the void.

E privacy directive

The amended directive, specifically Article 5(3), provides that the storing of information or that which is stored already in a user's terminal equipment  is allowable once the user concerned has given his or her consent, on the basis of explicit consent having been given. The exceptions to this are where the storage or access is for  transmission of a communication over an electronic communications network or where it is absolutely necessary for the provision of an information society service explicitly requested by the subscriber or user.

However, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application in accordance with the preamble to the directive.

Member states must now begin interpreting and implementing the amended e-privacy directive by enacting local laws in each EU member state.  Over the next 18 months, legislators in member states will be running  a consultation process prior to amending the local laws. As EU directives, by their nature, allow for interpretation at national level, local rules and implementation of the revised e-privacy directive may well differ from one member state to another.

The danger is that should a member state opt for a hard-line interpretation of the legislation, not only will this have serious consequences on the use of the internet but we will be adding yet another piecemeal layer of complication in Europe.

In the meantime, our neighbours across the water have deduced the icon for ads - a branded message to all users encompassing the education element of internet usage. What we must avoid, at all costs, is this notion of disparate icons such that there is one icon that appears for the EU and another for the US ads. The icon will become (hopefully) a universal symbol like the recycling symbol, a message that will help educate users while the  focus will be on how users are supposed to interact. The key is to ensure it is as user friendly as possible.

Cookies and milk

Behavioural targeting works using a cookie. Technology-wise, cookies are basic. They are plain text files and usually very small in terms of the amount of information they store. Simplicity aside, cookies perform essential functions that are taken for granted on the internet. Cookies are files that are stored on your internet-enabled device. They are used to improve the experience web users have when they see web advertisements and ensure that when a web user clicks on an advertisement, they are sent to the correct click-through destination. At all times, the user remains anonymous.

If I have watched 20 cookery programmes  and visited 20 cookery websites, you can assume I like to cook and therefore offering me  a new cooking product will be useful and convenient for me.

Behavioural advertising therefore aims to expand consumer experience and customisation rather than restrict consumer behaviour as is often mistakenly assumed. The internet becomes your virtual supermarket, the bookstore, the mortgage shop but instead of having to wander around aimlessly, you can get there within seconds, with the best value and most importantly... savings because you may have been served an ad.

The data collection - both online and offline - is the crux of the delivery of relevant advertising to consumers. In fact, advertising such as price-comparison sites, allow consumers to make decisions about products and services that they are already interested in. In addition, the online revolution is a badge for transparency so consumers have greater choice in comparing prices for goods and services than in the offline world. Make no mistake, the UK government's Digital Britain report (June 2009) welcomed targeted/behavioural advertising as an important business model to help "convert creativity into value".

So critical are cookies for the use of the internet that the online advertising industry  feeds most free content which we avail of every day, through  personalisation, transactional and analytical capabilities.

Consent from the digital citizen

The amended article 5(3) refers to the need for prior and explicit consent. If the consent requirement was to be interpreted in a non-purposive way, it will mean the crippling of online advertising.

Our loss of free content will follow and then the downloading processes will gradually splutter and fall miserably. Of most concern is the chasm between Europe's information society and the rest of the world. Europe runs a serious risk of losing a two-horse race. 

The real fear is that anything other than opt-out consent for the anonymous user will make the internet unrecognisable and dysfunctional at its core.

Requiring anonymous users to provide explicit prior consent for all processing operations on the internet  is a benevolent  approach and fails to recognise technological and commercial realities.

The alternatives include  multitudes of pop-ups, layered questions for consent that ask for cookie permission, unwanted ads, more complex content management and then consider the time taken to carry out just one transaction.

Imagine for a moment how a great idea goes from the dining room table to an organisation of hundreds or even thousands of people. Businesses go through a delicate teething process as they fight to go upstream.

One of the serious natural disadvantages of businesses is access to consumer data which they are dependent on to enter competitive business. The lack of access could cripple businesses and continue in a downward spiral with unprecedented control.

If the interpretation of Article 5(3) is not purposive in nature, the digital citizen may feel uncomfortable accepting consent requests, particularly if this is presented continuously while they are online and altogether smacks of sharp practice.

On the other hand, consent requirements can be fulfilled by using browser settings which would be envisaged in the preamble "where technically possible and effective". It can be assumed that Ireland, Austria, Belgium, Slovakia, Finland, Germany, Latvia, Sweden, Spain and the UK will support an opt-out mechanism and thereby copper-fasten correct practices as they currently exist.

Up to June 2011, there will need to be a sweeping acceptance to achieve uniform national implementation which does not muddy the waters of effective online advertising while, at the same time, bargaining  support from the European Commission.

Procedures involving  the control of cookies do not need prior consent but a practical mechanism to determine the role of the cookies which is flexible and responsive to technological development through the use of browser settings. And so we greet the realm of self-regulation.

Data-protection authorities may be the guardians of privacy in the future but there is the notion of over protection where unnecessary walls are created, stunting the growth of perfectly legitimate practices of organisations which is the lifeblood of the services we use on the internet and, most importantly, economic growth.

Self-regulatory principles and measures are committed to delivering industry standards and workable codes of conduct.

The increased role for self regulation is to assist in the application of core-data privacy principles so it is key that there is effective commitment from various industry players.

Econometricians are treated as the soothsayers of the finance world but even they would admit that the potential for an economic downturn, if this was followed, would be serious, especially for Ireland whose corporate tax rate has encouraged multi-national setups across a broad spectrum.

There are frameworks and codes of conduct to promote self regulation in this digital sphere. Associations and industry are working to create a common badge of compliance, to give a pledge of support and recognition, ensuring Europe is a leader in the digital economy.

Conclusion

The cornerstone of the e-privacy regime is the education of users in how cookies and internet technology work with clear and comprehensive information in a user friendly format for the digital citizen. It is necessary to trust the technology which is our constant companion.

The logical next step is for national legislators to use a purposive approach to the new wording which affects cookies. Otherwise, we run the risk of smothering innovation across Europe and crippling users' experience on the internet.

The free flow of data is acknowledged as the gem for the development of international trade in the digital economy.

We will have to wait and see if the transposition will lead to sensible legislation. All of which means that the future of internet is now heavily dependent on what each member state does. I just hope they like cookies with milk.

Back to top.