How EU data protection law could interfere with targeted ads

The successor to the 20-year-old European data protection directive has inched closer to becoming law, having been approved by the Council of Ministers, which represents each of the 28 EU member states. This has led to howls of anguish from some parts of the computing industry, not just the usual suspects based in the US such as IBM and Amazon, but also European firms such as German software company SAP.

Data protection law governs who can gather and retain personal data, the circumstances under which it is allowed, and what they can do with it. The move to an increasingly digital economy makes this vital to get right: too little protection erodes trust and leaves businesses and individuals vulnerable, while overbearing rules make it difficult for organisations to work together. The new General Data Protection Regulation (GDPR) aims to encompass the technological changes since its predecessor was enacted, such as the rise of social media and cloud computing.

The regulation is a heavily revised version of the draft passed by the European Parliament in March 2014, with largely pro-business changes such as decreased fines for companies breaking the rules and wider exemptions for the sorts of data and uses covered by the regulations.

Before a final version is reached there will be further negotiations between the European Commission, the parliament and the Council of Ministers. Nevertheless businesses are howling now, because this is essentially their last chance to do so.

Unlike a directive, which member states enshrine into their national law through passing their own legislation, a regulation is European law that applies directly to member states. In principle then, a regulation provides harmonised rules for businesses working across the European Union. In this respect it does seem that the industry has a legitimate complaint.

Competing views

The European Parliament’s original draft envisaged that, for a company registered with member state, that country’s data protection authority would act as a “one-stop shop” for data protection matters, whereas currently a firm may have to negotiate with the authorities of each country in which they operate.

Facebook, for example, is being sued in Belgium despite being regulated in Ireland. But this has been significantly diluted in the Council of Ministers’ draft – and it’s not clear whether this will relieve firms of the need to deal with every national regulator. Certainly it seems that a failure to introduce this change destroys most of the practical benefit of having a regulation rather than a directive.

The industry’s other complaint is less straightforward. Under the current system cloud services companies such as Amazon are classified as “data processors” since they do not collect the data themselves. That means they are not held liable for using the data illegally unless they breach the contract with the company whose data they process. The industry argues that this is simple, and gives citizens a single point of contact in the event of a breach of data protection. The new regulations make processors also liable – something IBM argues “risks blurring these lines of responsibility”.

Free, ad-supported online services could suffer.apps by Twin Design/shutterstock.com

Consent

If the world of data protection consisted of large banks processing clearly identifiable personal data, this would be a reasonable argument. But these days, we hand over snippets of personal data all the time – search terms, email addresses, browsing histories – to a huge number of organisations of varying technical and legal competence. Very often these offload that data to cloud computing companies for processing – firms of, one hopes, greater competence (despite the fact that both AOL and Netflix have blundered in the past).

This handing over is currently done implicitly and is generally on a “take it or leave it” basis: if I want to buy a railway ticket online I have to consent to the terms. Parliament required “explicit consent” for data processing, whereas the draft approved by EU members has reduced this to “unambiguous consent”. This may mean that using the website counts as consent, but the wording in the council’s draft includes “any clear affirmative action […] signifying […] agreement”.

In a privacy-conscious world it should be possible to consent separately to the use of my data for the purpose of buying a ticket, to the use by the railway company for targeted advertising, and for the use by the data processing firm the railway has hired for targeted advertising. But this separation seems to have been significantly weakened.

Benefits without liability

Technologically, processing firms are in a very powerful position when it comes to aggregating people’s data. In searching the Amazon terms and conditions, I have been unable to find any guarantee that they will not re-process any data I supply. We already know that companies such as Facebook and Google make their money from targeted advertising made accurate through processing their users' data.

In a very perceptive article in the UCLA Law Review in 2009, Paul Ohm proposed that these data processors and potential aggregators are where we should regulate more stringently. In a similar vein, a UK survey in 2014 found 20% were concerned about the privacy implications of government surveillance, while 60% were worried about the sharing of personal information by businesses. And recently, David Anderson’s report into government surveillance reiterates the point that “commercial use of consumer data can have serious impacts on the personal lives of individuals”. Such concerns cannot be brushed aside, so simply howling “we shouldn’t be regulated” isn’t enough.

James Davenport is a vice-president of BCS, the Chartered Institute for IT, and sits on its Security Community of Expertise. This paper reflects his personal views only.