All your resources at your fingertips.Learn More
By Zia Akhtar
In January 2013 the European Commission published a blueprint for the implementation of the General Data Protection Regulation that sets out to amend the law. (http://europa.eu/rapid/press-release_MEMO-13-4_en.htm?locale=en) This updates the fragmented data protection regime that currently exists across the EU. Under these proposals, businesses in the Member States engaging in direct marketing activities would have to obtain express specific and informed consent from individuals in order to be able to lawfully process their personal data.
The online businesses in the European Union (EU) often record users' online behaviour in order to serve personalised content to them as part of their subscription effort. The businesses often use ‘cookies', which are small text files that detail users' web activity, in order to store such information. The website operators often sell this information to advertising networks which serve targeted ads to internet users. The networks then draft the ‘behavioural' ads by gleaning from the stored information what they deem the internet users will be interested in to increase their economic demand.
If the Regulation amendment becomes effective then the direct marketing firms would have to provide consumers with the right to object to the free of charge processing of their personal data for such marketing. The right to object would have to be ‘explicitly offered ... in an intelligible manner' and be ‘clearly distinguishable from other information'.
The EU online business-to-business sector primarily uses anonymous or pseudonymous consumer data, and even Germany's strict privacy framework allows for such processing. (http://www.iabeurope.eu/news/proposed-eu-data-protection-laws-will-hurt-particularly-european-online-businesses.aspx) There is deemed to be less protection available to consumers and the businesses can avail their information more readily at present. If online advertising is to support high-quality content creators there is a niche felt for the stricter filtering of the pseudonymous data.
The consent under the new Regulation would not be inferred from the silence or inactivity on the part of individuals and instead must be obtained through a ‘statement or clear affirmative action' before it can be said to have been delivered. These would mean that the organisations engaging in direct marketing activities within the EU would have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data.
This has been supported in a report by Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed EU data protection reforms who said that consumers should not have to opt out from automatic settings in order to avoid businesses implying that they have given consent for their personal data to be processed.
The processing of pseudonymised information would be stopped and there would be development of standards such as do not track (DNT). The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, is constructing a new DNT controls system for operation within web browser settings.
The amendments to the General Data Protection Regulation will mean that the organisations seeking to rely on individuals' consent to process their personal data would be required to ensure that consent was expressly obtained. (http://www.theregister.co.uk/2013/01/10/no_pre_ticking_eu)
This will be freely available and would not generally have to be consent obtained from ‘pre-ticked boxes' companies often use in consumer agreements. The consent should not provide a valid legal ground to preclude a genuine and free choice that is not subsequently refused or withdraw consent detrimental to the consumer.
The ability of the European Commission to interpret the rules under the reforms proposed would require it to consult with supervisory privacy body the European Data Protection Board over the introduction of ‘delegated acts'. The report has also recommended that data controllers or processors in business provide ‘financial indemnification' to individuals for any data breaches that occur from international data transfers to non-approved ‘third' countries.
There are intense concerns from businesses in the online media, research and advertising industry over proposed reforms to the European data protection laws, which they allege would result in excessive burdens for European online businesses. The president and chief executive of the Internet Advertising Bureau, Europe Alain Heureux, stated: ‘If the Commission's proposal is enacted as it stands, both European businesses and users alike would suffer: business would be driven to non-European platforms and users might have less choice as a result.' (http://www.out-law.com/en/articles/2012/december/pseudonymous-data-should-be-free-to-process-without-consent-says-advertising-industry-body-/)
The problem is that the majority of European companies are unlike the multi-nationals only business-to-business platforms and do not comprise the larger more resourceful business to consumer platforms. They have less opportunity to obtain a user's explicit consent and the companies that hold a dominant position in a particular market would face more stringency if these consent requirements are adopted. This is because under the Commission's plans consent should not be relied upon by firms if there was a ‘clear imbalance' of rights against the consumers.
The criticism is based on the premise that the data protection laws should not be drafted in a way that could stifle innovation. The online business-to-business sellers in the EU will struggle more than consumer-users organisations to obtain individuals' ‘explicit' consent to the processing of their personal data.
Further disadvantage was that under the Commission's draft Regulation, businesses would be required to notify any regulators of any data breach ‘without undue delay and, where feasible, within 24 hours' of having become aware of it'. However, the 2013 report has stated that it is ‘not always feasible' for companies to meet this deadline, and proposed extending the reporting requirement to within 72 hours. (http://www.out-law.com/en/articles/2013/january/consent-from-pre-ticked-boxes-should-generally-not-be-valid-under-new-eu-data-protection-regime-says-mep/)
This means that the individuals should only be notified by businesses in cases where the breach is ‘likely to adversely affect the protection of [their] personal data or privacy ... for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation'.
The business-led organisation The Industry Coalition for Data Protection (ICDP) has said that it continues to support the EU efforts to update privacy rules but the new draft report published by the MEP did not reconcile effective privacy safeguards with rules protecting the conduct of business which concerns the fundamental rights under the EU charter and provides the Rights to Privacy under Article 8.
The ICDP has called on the European Parliament by focusing on the Civil Liberties, Justice and Home Affairs Committee, to enact legislation that takes ‘into account the user trust while encouraging innovation and entrepreneurship in Europe' and this ‘requires a thorough examination of the proposal and should not be rushed'. (http://www.euractiv.com/infosociety/parliament-seeks-tighter-global-news-516943)
The new General Data Protection Regulation is a step in the right direction but it is currently far too imbalanced and protects the consumer. The business is not sufficiently safeguarded and could be held liable for breaching the privacy of the individuals or groups whose preferences the businesses has previously tracked. This requires a redraft and a commitment from the EU to reformulate the Regulation and promulgate a law that is not an impediment to the supply and demand of economics.
Zia Akhtar is a regular writer for the Jordans Business Portal and is a member of Grays Inn. He specialises in competition and contract law.
"The manual is a must for any employer that needs clear practical advice on managing health and...