Yesterday saw the official release of a list of amendments to the proposed new data protection regulation from the EU. 

The amendments attempt to take on board the many and varied criticisms and change suggestions that have been put forward in the last year by all and sundry.  Naturally the result is a huge compromise attempting to please as many interests as possible.  Or perhaps more realistically, avoid antagonising as many interests as possible.

The changes are both significant and varied, and of course will be subject to a further round of scrutiny, debate and lobbying.  I don't intend to comment on all the changes in the document, but there are some key amendments that will be of interest to our regular readers.

One key aspect of the legislation is the definition of 'personal data', as this is central to determining its scope of influence.

One of the most important changes here has been to make clear that identifiers, such as cookies, that are used to build up behavioural profiles for advertising purposes, are explicitly included in the definition.  It applies even where no actual personally identifiable information is held, but simply if as a result of a profile, an individual can be singled out and given a different experience to others (i.e. seeing a targeted advert).

The effect of this will mean that online advertisers will need to seek consent in order to set cookies that build up these profiles. Clearly something the industry has a strong objection to.

Additionally, it is made clear that in order for consent to be freely given (and therefore be seen as legitimate), users cannot be automatically assumed to be opted-in unless they object.  This means that pre-ticked boxes, or other mechanisms that require an opt-out action, will not be sufficient.  

This would bring the new law into direct conflict with the current self-regulation program for Online Behavioural Advertising being adopted across Europe.

The amendments do however include a provision for allowing consent to be signalled by 'automated means' under certain conditions.  This is setting the stage for the acceptibility of the Do Not Track standard currently being debated.

However, there is a tension here, because the DNT standard assumes that tracking is legitimate unless the user has actively opted out.  So if they have not expressed a preference either way, then tracking is allowed. 

According to my reading of the regulation, users would have to actively state they are happy to be tracked, before any profiling could take place, which I think means there would need to be a box in the browser settings where someone could tick 'Please track me'. A feature not currently found in most browsers.

It is not all bad news for marketing however.  The amendments make clear that if someone provides personal data to an organisation, which is legally obtained, then that data can be used for marketing purposes by that organisation, as long as it retains control over the data, and does not share it with another company.  This can be done without further explicit consent as part of the organisations 'legitimate interests'

The effect of this could lead to a change in the balance of the relationship between publishers (site owners) and the advertising companies they sell space to.  Currently advertisers know more about a site's visitors that the publisher - because they have built up profiles through cookies.  Under the new regime, publishers will be able to more easily obtain user data, and advertisers will need to rely on that data to deliver targeted content, rather than collect it themselves.

For those who want to reas the full set of amendments, the document can be found here.