IAB Europe Response to European Commission Consultation on the DP Framework

Transcription

1 Interactive Advertising Bureau Rue Bara Brussels Belgium IAB Europe Response to European Commission Consultation on the DP Framework The Interactive Advertising Bureau Europe * ( IAB ) welcomes the opportunity to respond to the European Commission DG JLS s consultation on the legal framework for the fundamental right to protection of personal data 1. IAB is the voice of the online advertising sector, representing over 5,000 companies that offer a diverse range of digital products and services to consumers and businesses across the EU. Their innovations deliver significant value to European consumers and contribute to improving the European competitiveness. Our companies have an important stake in the application of existing data protection laws to current business practices, as well as the potential development of standards or regulations in this area. The Data Protection Directive (1995/46/EC; DPD ) sets international standards in the field of protection of personal data and has become one starting point for data protection regulation globally while other countries or regions have followed a more risk-based regulatory approach. The free flow of data is acknowledged as a key touchstone for economic prosperity, integral to the development of innovative technologies and services. The DPD aims to protect individuals personal data while at the same time recognising the interests of businesses/commercial actors to process and transfer such data for legitimate purposes. It is worth noting, that the E-Privacy Directive (2002/58/EC; EPD ) is providing a framework that deals with data protection for information society services and with many of the technological issues. The recent review of the EPD updated this framework and improved it with a view towards new technologies and globalisation 2. While the current framework provides a good set of technology-neutral principles (which should be ensured in all instances), their divergent applications and at times too broad interpretations pose significant challenges to businesses and hamper Europe s potential to develop, innovate and market new technologies and services cost-effectively, all of which can be accomplished without undermining the shared objective of protecting personal data. IAB is concerned that provisions of the DPD, which were designed to ensure the adequate protection of personal data in processing operations or to prevent unlawful processing, have been implemented in some countries in an excessively burdensome manner failing to take adequate consideration of legitimate business practices and the practices of data storage, processing and basic transfers, including technological realities, such as data servers and back up processes. 1 Consultation published: 2 In this context it is worth noting that the revised EPD provides now a solid legal basis for the usage of browsers and similar applications as cookie-setting tools.

2 We support a participatory privacy and security dialogue with industry, civil society, regulators and other key stakeholders to develop and support appropriate market-driven interoperable privacy practices, trust levels and mechanisms, for example, establishing self regulatory standards that are flexible and responsive to technological developments and which compliment applicable law. IAB identifies the challenges in the area of data protection below and highlights the following points and recommendations in this debate: Ensure the technological-neutrality of the DPD. This internationally accepted principle guarantees that Europe provides a good framework for innovation in a globalised world and provides an incentive for European companies to invest in cutting edge technologies. Role of Article 29 Working Party - Mandatory Impact Assessments for Art. 29 WP. IAB would welcome an enhanced interaction and dialogue with the Art. 29 WP on key issues. IAB believes that mandatory impact assessments for the work of Art. 29 WP would contribute to a better understanding of business processes and technological developments. Address lack of coherence in the application of European data protection legislation and differences in interpretation of key data protection concepts (e.g. which data are personal data, and in which contexts, and which are not). These inconsistencies pose challenges to international and cross-border business activities. In addition to this, data protection principles have been applied and interpreted at the national level in ways that are unnecessarily restrictive and excessively burdensome for legitimate businesses processing personal data. Such restrictions place European-based businesses at a significant competitive disadvantage and underestimate the globalised nature of business markets and practices. Adequacy framework does not take sufficiently into account today s business reality: The current inconsistent framework for determining adequacy inadequately addresses today s technological processes which see simultaneous transfers and back-up of data through standard IT processes and systems. Improve understanding of ICT: Application and interpretation of data protection legislation requires a thorough understanding of technology and business processes; currently, application and interpretation of the law could be seen as too legalistic and contradictory. Enhanced understanding of technology and an open exchange with industry could help to better understand business processes. The Current DP Framework and Challenges for Business IAB believes that the current legislative framework provides a good basis to deal with the challenges that are posed by technological developments and globalisation. However the European Commission should address the challenges outlined in this response to enhance the implementation of the DPD. The DPD is written in a way that allows regulators and legislators to interpret consistently the rules with regard to new technologies, and to apply them accordingly. It is based on a 2

3 set of technology-neutral data protection principles in order to determine conditions / factors for lawful processing of personal data while maintaining a high level of protection. These data protection principles are widely accepted as still being valid today. However, the inconsistency in national application, interpretation and enforcement of these principles, e.g. what constitutes personal data, has created significant challenges for business as it has led to ambiguity, complexity and incoherence. Data Protection provisions have been implemented in some national laws in ways that have been disproportionate and unclear. Ensure Technology Neutrality The DPD is a framework directive that is not intended to contain technology-specific solutions. Technology is developing so fast that attempts to concentrate the DPD on today s technological developments would necessarily mean that the DPD would be out of date and redundant almost immediately. Technological neutrality of the DPD is supposed to be one of its major benefits. One consequence of technology neutrality is that regulation should not try and regulate technologies itself but rather its concrete use (the question of which data and how they are they processed and not which technology is used). However, in practice, the reality is that applications, which are based on the usage of the same type of data, but are using different technologies may be met with different data protection requirements in practice. Varying Definitions and Interpretations of DP Law Put Europe s Competitiveness at Risk The differing interpretations on what do and do not constitute personal data and in which contexts, raise significant compliance issues (and consequently costs) for companies operating in the Internal Market. Where website servers are outside the European Economic Area (EEA), or where forms of cloud computing are used during processing, those compliance issues become more critical. In this context, the Art. 29 Working Party ( Art. 29 WP ) in considering the use of cookies, asserts that a user s PC can be viewed as equipment in the sense of Article 4(1)c of Directive 95/46/EC 3 [as] it is located on the territory of a Member State [and that] the Working Party is therefore of the opinion that the national law of the Member State where this user s personal computer is located applies. This interpretation of equipment means that almost every website worldwide would need to comply not only with the DPD itself but also with all Member State implementations thereof depending on where a particular user s PC is based. Such interpretations match better the old, fixed-line business, which are increasingly challenged by an interconnected mobile world, where global services are instantly available on demand, wherever an individual may be. IAB sees the fragmented implementations into national law and broad interpretations of the DPD as challenges that could be addressed. However, IAB believes the main data protection principles meet the challenges identified and would like to emphasize and suggest the following points: 3 3

4 Limit diverging interpretations Reform Article 29 Working Party - Mandatory Impact Assessments for Art. 29 WP IAB recognizes there are challenges in trying to interpret how best the principles are applied to new technologies. Such challenges result in national implementation divergences which have a deterrent effect for attracting ICT investments. It is public knowledge that some companies have limited business operations and physical presence in the EU in order to avoid what is viewed as an unwelcoming commercial and overly complex regional DP framework. The divergence prevents the EU from leveraging the contributions of the ICT sector in its i2010 strategy and the new Digital Agenda. There is an urgent need to clarify, e.g. through European Commission Interpretative Communications, existing data protection concepts and definitions such as personal data, data controller, data processor and consent. These remain subject to significant deviations in interpretation by Member States and increasingly appear out of date in a globally interconnected world of digital citizens that is based on data passing electronically across international borders. Reform Article 29 Working Party While the Article 29 Working Party ( Art. 29 WP ) was intended to address this divergence, it has faced difficulties in bridging the 27 Member State s opinions. There is scope for the stakeholders together with the Commission, Article 29 WP and the national Data Protection Authorities ( DPAs ) to jointly work in this area and find pragmatic solutions. One of the challenges faced by both, business and consumers is the limited technological expertise of national DPAs. IAB would welcome an enhanced interaction and dialogue with the Art. 29 WP and the DPAs to provide expertise, directly and indirectly through its member companies. Such exchange of views and explanation of business models and technology will be beneficial to bridge the lack of business processes and technological know-how. IAB welcomes the recent indication that the Art. 29 WP is moving in this direction. Mandatory Impact Assessments In order to better understand and assess the impact and the consequences of its opinions, the Art. 29 WP should conduct mandatory Impact Assessments. Such changes could be easily implemented by the Art. 29 WP itself. Preserve the Concept of Consent and Personal Data Consent may be given in different ways (explicitly and implicitly). It is important to preserve different forms of consent as suited to very different processing scenarios. This should continue to allow for a flexible and appropriate mechanism by which individuals can provide their consent based on adequate information and notice. Requiring users to provide explicit prior consent for all processing operations is a paternalistic approach and fails to recognise technological and commercial realities. Clearly, sensitive data should be treated as a separate topic with additional safeguards. There have been discussions that all data should be subject to the same regime as personal data. IAB believes that the DPD should apply only to personal data. Companies process a multitude of data without any interest and/or possibility to know who individual users are (e.g. IP addresses or cookies). Extending the rules applicable to personal data to data which do not identify an individual could render the internet unworkable. 4

5 Unfortunately, the bipolarity of data vs. personal data has led some stakeholders to interpret data as having personal data quality in order to apply restrictions and limitations to businesses. We would like to refer to the issue of IP addresses that, in the view of the Art. 29 WP, should be treated as personal by all holders of IP addresses because in some contexts they (indeed) constitute personal data 4. Such views disregard business practices and reality. The concept of personal data should be defined following the so-called relative approach, where data are considered personal for someone (in this case for instance ISPs) who can link the data to identified individuals. Furthermore, IP addresses may be dynamically assigned changing with each log-on of the computer or access to the internet or one single gateway IP address may be assigned simultaneously to many thousands of customers, in the case of the use of anonymous pre-paid services. The challenges in determining whether IP addresses constitute personal data are also highlighted in the statements made in the recent UK consultation for an Online Personal Information Code of Practice launched by the UK Information Commissioner s Office, which is inconclusive as to whether IP related data are personal data, and advises that the Information Commissioner recognises the practical difficulties, sometimes insurmountable ones, in complying with all aspects of the [law] in respect of non-obvious personal identifiers. The point is that DPAs may risk becoming overly protective in the quest to protect what may, in certain limited contexts, be deemed as personal data, and thus create unnecessary and costly barriers to legitimate activities of organisations where the use of such data in other contexts poses no risk to the privacy of individuals and where such activities are crucial to developing and delivering information society services that are increasingly important to economic growth and the success of Europe s knowledge based society. IAB Supports a Balanced Breach Notification Regime IAB Europe is generally supportive of requirements to notify consumers of security breaches that could lead to harm. It is important to ensure that any such requirement is carefully considered to avoid over-notification. Such over-notification could result in consumers refraining from online transactions or not paying due attention to notifications, both outcomes that undermine the legislators intention and consumer confidence in a growing sector in these troubled and uncertain economic times. It is important to include a threshold showing of harm: security breach notification legislation must not require subscriber notice without regard to whether there is a risk of harm. A requirement to notify should take into account the nature of the data at issue (e.g. whether they are sensitive, could be used to commit identity theft or cause financial loss). A breach notification regime should further provide exception for data that are technologically protected or rendered unusable. Finally, a homogenous application across Europe needs to be ensured in order to avoid create costs due to different procedures and interpretations across Europe. 4 Art. 29 WP Opinion 4/2007 on the concept of personal data, p. 16f 5

6 Role for Increased Self-Regulation Codes of conduct and self-regulation more generally are well suited to meet emerging and new issues: self-regulatory commitments can be revised and applied quickly and effectively. The DPD provides for a framework for codes of conduct under Art. 27. While this instrument has played a role in the creation of codes of conducts, there needs to be a landscape which allows for further forms of self-regulation. IAB believes that there should be an increased role for self-regulation to assist in the application of core data privacy principles ensuring that there is effective commitment by various industry players. Self-regulatory measures are aimed to deliver industry commitments or, more formally, develop enforced codes of conduct, with the help of businesses and regulators, which ensure that both the letter and spirit of regulations are applied fairly and without competitive advantage across the board. Self-regulation is never entirely stand-alone. Clearly, such self-regulation can be effective only if current national divergences are first addressed. In terms of applicable law, IAB suggests to develop a simplified framework, which is intelligible to both individuals and businesses, and which affords real and meaningful protection and regulatory recourse. Transfer of personal data It has long been acknowledged that the current cross-border transfer of data adequacy regime is not performing as intended. Vastly different national approaches, inconsistent application and cumbersome red-tape impose significant legal implementation costs and significant operational delays on well-intentioned companies. One stop-shop Simplification Procedures If the European approach to safeguarding privacy principles is to be effectively and costefficiently applied across the EU, much greater attention needs to be paid to collaboration amongst DPAs. A one stop-shop approach needs to be put in place or enhanced for matters such as intra-company transfers of data and Binding Corporate Rules (BCRs) accreditation expanded to transfers to data processors. The European Commission should consider mutual recognition of decisions by national DPAs on the basis of the country of origin principle. Consideration could be given also to either introducing a simplified notification procedure that can apply across all Member States or replace the notification procedure with a requirement on organisations to provide adequate and compliant privacy notices under the accountability principle. At a time when companies need to closely account for their internal investment, regulators need to find innovative solutions that make achieving compliance a less costly experience. Privacy by Design - Privacy Enhancing Technologies ( PETs ) Privacy has become a competitive differentiator, with companies designing their products to incorporate privacy functionalities. The Commission could and should support 6

7 companies, especially SMEs, that invest in such privacy enhancing technologies. Indeed, the Framework Programmes 6 & 7 have contributed to the creation of successful schemes and tools that find market acceptance e.g. Europrise. IAB supports the voluntary development and deployment of PETs and voluntary certification schemes. However it would be counterproductive to make such measures mandatory and in the long run have a detrimental effect on innovation. Limit impact on B2B IAB notes that in some instances, countries have extended protection granted to individuals under the DPD to corporate entities. It is fundamental for a free economy to access potential business clients and be able to freely process their data such as business cards without facing the same restrictions applicable to the processing of individuals personal data. Concluding, IAB believes that it is time to consider a new approach to issues related to implementation of the Directive, which is flexible and responsive to technological developments and which takes into consideration the increasingly global nature of the usage of products and services. The approach has to consider first and foremost the harm or potential for harm that processing of personal data might pose. Greater harmonisation is needed in relation to the definitions, decisions and approvals and IAB suggests the introduction of the country of origin approach to advance the European Single Market. In terms of applicable law, it is vital that a simplified framework is developed, which is intelligible to both individuals and businesses, and which affords real and meaningful protection and regulatory recourse. IAB sees a much greater role for self-regulation, and cooperation between the stakeholders in order to find solutions to specific issues arising from new communication technologies. As outlined, IAB would recommend a participatory privacy and security dialogue between industry, the European Commission and other key stakeholders to enhance the dialogue on privacy and data protection. * * * * * The Interactive Advertising Bureau Europe (IAB Europe) ( is the voice of the online advertising sector through its 24 national IAB associations representing more than 5,000 company members, as well as corporate members including Adobe, Alcatel-Lucent, BBC.com, CNN, comscore Europe, Ernst & Young, Fox Interactive Media, Goldbach Media Group, Google, Hi-Media- AdLink, InSites Consulting, Koan, Microsoft Europe, Netlog, News Corporation, Nugg.ad, Nielsen Online, Orange Advertising Network, Publicitas Europe, Sonnenschein, Truvo, United Internet Media and zanox. Supported by every major media group, agency, portal, technology and service provider, IAB Europe coordinates activities across the region including public affairs, benchmarking, research, standards settings, and best practices. Contact: Should you have any questions or comments, please contact Kimon Zorbas, Vice President, vp@iabeurope.eu, phone: * IAB Europe is registered at the European Commission Register of Interest Representatives, ID-no: