Wednesday, January 09, 2013
Yesterday saw the official release of a list of amendments to
the proposed new data protection regulation from the EU.
The amendments attempt to take on board the
many and varied criticisms and change suggestions that have been
put forward in the last year by all and sundry. Naturally the
result is a huge compromise attempting to please as many interests
as possible. Or perhaps more realistically, avoid
antagonising as many interests as possible.
The changes are both significant and varied, and of course will
be subject to a further round of scrutiny, debate and
lobbying. I don't intend to comment on all the changes in the
document, but there are some key amendments that will be of
interest to our regular readers.
One key aspect of the legislation is the definition of 'personal
data', as this is central to determining its scope of
One of the most important changes here has been to make clear
that identifiers, such as cookies, that are used to build up
behavioural profiles for advertising purposes, are explicitly
included in the definition. It applies even where no actual
personally identifiable information is held; it is enough that, as a
result of a profile, an individual can be singled out and given a
different experience to others (i.e. seeing a targeted advert).
The effect is that online advertisers will need
to seek consent in order to set cookies that build up these
profiles. Clearly something the industry has a strong objection
Additionally, it is made clear that in order for consent to be
freely given (and therefore be seen as legitimate), users cannot be
automatically assumed to be opted-in unless they object. This
means that pre-ticked boxes, or other mechanisms that require an
opt-out action, will not be sufficient.
This would bring the new law into direct conflict with the
current self-regulation program for Online Behavioural Advertising
being adopted across Europe.
The amendments do however include a provision for allowing
consent to be signalled by 'automated means' under certain
conditions. This is setting the stage for the acceptability
of the Do Not Track standard
currently being debated.
However, there is a tension here, because the
DNT standard assumes that tracking is legitimate
unless the user has actively opted out. So if they have not
expressed a preference either way, then tracking is
According to my reading of the regulation, users would have to
actively state they are happy to be tracked,
before any profiling could take place, which I think means there
would need to be a box in the browser settings where someone could
tick 'Please track me'. A feature not currently found in most
It is not all bad news for marketing however. The
amendments make clear that if someone provides personal data to an
organisation, which is legally obtained, then that data can be used
for marketing purposes by that organisation, as long as it retains
control over the data, and does not share it with another
company. This can be done without further explicit consent as
part of the organisation's 'legitimate interests'.
This could lead to a change in the balance of the
relationship between publishers (site owners) and the advertising
companies they sell space to. Currently advertisers know more
about a site's visitors than the publisher - because they have
built up profiles through cookies. Under the new regime,
publishers will be able to more easily obtain user data, and
advertisers will need to rely on that data to deliver targeted
content, rather than collect it themselves.
For those who want to read the full set of amendments, the
document can be found here.