The Article 29 Data Protection Working Party (WP), representing the European data protection authorities, published on 24 June an opinion clarifying the application of the data protection rules in online behavioural advertising, with a focus on the new text of the ePrivacy Directive.
The Article 29 Working Party believes that while online behavioural advertising may be beneficial for businesses and users alike, it still raises personal data protection and privacy issues. The opinion states that advertising providers using tracking cookies are bound, through the revised ePrivacy Directive, to obtain the informed consent of their users before installing tracking devices such as cookies. According to the Directive, storing and accessing information on users' computers is lawful only "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The only exception is where a cookie is absolutely necessary for the provision of a service explicitly requested by the user.
In its Opinion, the Working Party asks for simple and effective mechanisms by which users can give their consent to online behavioural advertising, and equally simple and effective mechanisms by which they can withdraw it. At present, allowing cookies is the default setting in three out of the four major browsers in use, and the Article 29 WP believes that a user not changing a default setting does not necessarily mean consent. Users should be clearly informed, in an understandable manner, of the purposes of tracking and given the choice of having their browsing behaviour tracked or not.
"Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," says the opinion.
However, the Working Party considered that consent may be given to an advertising network and not to every single website. "... the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie." The Article 29 WP also said that this consent should expire after a year, and that each advertising network should request consent again after that period. It also said that the consent could be withdrawn at any time.
The Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies reacted to this opinion by issuing a statement saying: "The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites."
The Article 29 WP's opinion is based on the opinion presented on 23 June 2010 during the EP Privacy Platform Meeting by the Belgian Data Protection Supervisor, Mr. Debeuckelaere, which focused on "Transparency, Information, Consent". During the meeting, aspects of behavioural advertising were discussed by more than 100 representatives from industry, privacy activists, EU institutions, governments and European data protection supervisors.
The representatives of Privacy International and the Electronic Frontier Foundation argued that the user control tools do not allow for the complete erasure of profiles, and that some data collection, for example by Flash cookies, remains invisible and outside the control of the user.
During the meeting, Mrs Sophie in 't Veld, rapporteur for competition issues in the Economic Affairs committee, suggested that besides consent and transparency, a key word should be "choice". "Often internet users are more or less obliged to give their consent, as there is no alternative. Users must have a real choice, otherwise it is just token consent", said In 't Veld, who also pointed out the necessity of having a single set of data protection rules that would apply to the private as well as the public sectors. "We must regulate the use of personal data for commercial purposes, but the same standards of data protection should apply to the use of those same data by public authorities for law enforcement purposes. We often do not realise how government agencies are using data collected by companies for commercial purposes. But different rules apply to the private and public sectors. That must be corrected".