Out-Law News 3 min. read
15 Jan 2013, 10:58 am
Last week MEP Jan-Phillip Albrecht published a report containing proposed changes to plans the European Commission outlined last year to reform the EU's data protection framework. Albrecht is a rapporteur to the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed reforms.
However, ISBA said that Albrecht's proposals would impact negatively on advertisers.
"The EU’s data protection proposal just got much worse," ISBA director of public affairs, Ian Twinn, said in a statement. "Advertisers will be concerned about the widening of the definition of ‘personal data’ and the extension of the need for ‘explicit consent’. The ‘right to be forgotten’ is also included without any acknowledgement that it is in fact undeliverable."
Whether information is deemed to be 'personal data' is a fundamental issue in relation to data protection laws because the framework of rules governing data protection issues only apply to information that qualifies as personal data.
Under the Commission's draft Data Protection Regulation 'personal data' is defined as "any information relating to a data subject". In his report, Albrecht proposed to alter the Commission's proposed definition of 'data subject'.
Albrecht proposed that the definition should read: "'Data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person."
Albrecht also set out to explain when certain 'unique identifiers' in an online context could be said to constitute 'personal data'.
"When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and other unique identifiers," Albrecht said a non-binding explanatory recital to the draft Regulation should state. "Since such identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless those identifiers demonstrably do no relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as 'personal data' as defined in this Regulation."
Website operators and advertising networks often use 'cookies' and other identifying means to record the activity of website visitors in order to serve targeted ads based on that behaviour to those internet users. Generally, the companies require individuals' consent in order to track their website activities for the purpose of serving online behavioural advertising.
Under the Commission's proposed new regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".
Albrecht, though, has recommended clarifications to those rules which would generally prohibit online businesses from using "pre-ticked boxes" in order to establish individuals' consent to personal data processing.
"In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment," Albrecht has proposed one of the recitals in the draft Regulation state. "The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent."
Albrecht also set out proposed amendments to the Commission's draft rules on what businesses must do to illustrate that they have consumers' permission to process their personal data for specified purposes. In addition, companies that hold a dominant position in a particular market would also face more stringent rules on consent if Albrecht's proposals are adopted.
Albrecht also proposed new rules that would allow companies to rely on "automated means using a technical standard" to obtain individuals' consent to the processing of pseudonymised data. However, the standard through which that consent could be gleaned would have to be approved by the European Commission.
In addition, Albrecht said that data subjects should "have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data" under certain conditions. The UK's data protection watchdog, the Information Commissioner, has previously expressed concern about the so-called 'right to be forgotten' drafted by the European Commission because it said it is "unclear" how the right "will be delivered in practice".
Albrecht's report was welcomed by EU Justice Commissioner Viviane Reding in a development which Twinn said would lead to there being "tough negotiations with Member States this summer” on the proposed reforms. Twinn added that it would "continue to lobby Brussels" in a bid to "bring some common sense back into the debate and try to mitigate the harm that these ill-thought out proposals represent to our members."
