We are discussing the implementation of the cookie directive in our video blogs. A few weeks ago Giangiacomo Olivi and I published an article on cookies and behavioural advertising on the website of "Il Sole 24 Ore - Diritto 24" (http://www.diritto24.ilsole24ore.com/avvocatoAffari/mercatiImpresa/2012/04/behavioural-advertising-tre-paradossi-della-privacy-ed-una-proposta.html).

Now we have translated the article into English for the readers of our blog!

* * *

Behavioural Advertising: Three Paradoxes in Privacy and a Proposal

In the next few days the Italian Cabinet is required to issue a legislative decree which will implement Directive 2009/136/EC, which introduces into the European legal system new rules on how cookies and other equivalent IT tools are to be used. Cookies are small data files stored in users' devices while they surf the internet. Cookies may be used for a number of purposes such as tracking users' choices and preferences (e.g. items added to shopping carts in online stores) or facilitating their ability to navigate the sites. These types of cookies can be used without requiring any particular formality; however, there are others - like the ones used by advertising companies to serve tailored advertisements (behavioural advertising) - which, according to the new EU legislation, can be used only if users have consented.

The Latin maxim states in claris non fit interpretatio (i.e., if the meaning of a provision is clear, there is no room for interpretation). The directive on cookies, however, is far from being clear because EU lawmakers have failed to take a real stand, perhaps preferring to rely on ambiguity to balance the different interests at stake. If we also consider that, with regard to Italy, the confusion is made even greater by an error in the translation of the text of the directive (according to the Italian translation, users must provide their consent "before" a cookie is placed; in other translations, such an adverb is missing), it is not difficult to understand the reasons behind the "war of religion" that is characterising the implementation of the directive.

Member States' Data Protection Authorities contend, on the one hand, that whenever the directive mentions that consent is to be provided by users, it means a prior express consent (opt-in). On the other hand, online editors and advertisers deem that informing the users before placing a cookie is all that the directive requires and that the consent of such users is deemed obtained if they decide to continue on the website, notwithstanding the notice they have received or the setting of the browser that they are using to navigate, without prejudice to their right to object, at any time, to the placing of further cookies (right to opt-out).

In this article, we have decided to leave out the analysis of the technical-operational difficulties that the opt-in system, if adopted, would entail. We will instead focus on some paradoxes that have stemmed from an approach to online privacy protection that is hinged on users' consent. Our thesis is that such rules, which are strict and grounded on the freedom and the right to self-determination of the individual, actually have adverse effects on the very rights they intend to safeguard.

First paradox - identification: EU legislation provides that the new rules are not applicable to cookies which provide a service that the user has requested. Many website operators, with the expected drop in advertising revenues, will therefore grant access to their websites only to previously registered users and will contractually provide that any access to their content will be conditional on the acceptance of cookies and the delivery of behavioural advertising. Currently, advertising companies create approximate profiles through a probability method based on number codes (such as IP addresses) which do not make it possible to immediately identify the people matched to such codes. Registering users is something that would probably lead to a full identification of the user and, consequently, to the possibility of creating profiles that are much more detailed and that, rather than being based on probability, would rely on objective information concerning real people. Other operators will instead decide to change their business model completely and have their users pay for all that is currently offered for free, thereby replacing revenues which will be lost in advertising. Users might find themselves in the unpleasant situation of having swapped an offer of free services and an imperfect profile for an offer of the same services against a more detailed profile or the payment of a price.

Second paradox - adverse incentives: The introduction of an opt-in system is likely to compromise the very business model that has been the success of the internet. It would favour operators that are established outside the EU and who are known to be less strict with the rules on privacy. It seems the price to be paid will be reduced protection. Although EU rules do in fact apply to non-EU operators who use cookies, experience has demonstrated that it is very rarely possible to take enforcement action against such operators. Moreover, the latter are among those few who can create truly complete profiles and are, no doubt, the only ones who can "keep a record" of the vast majority of global internet users. The regulatory asymmetry existing between EU and non-EU countries, in favouring the operators that are located in the latter countries, would also lead to a significant shift of the European advertising industry which - and this point should be stressed - is crucial for keeping alive the network economy and the vast offer of services and content - predominantly free - that we are used to receiving. The result might be an increased migration of the personal data of European citizens to countries that do not offer adequate privacy protection and, at the same time, serious damage to the e-economy which, in the current recession, is the only one showing an upward trend.

Third paradox - unwitting freedom: Both the opt-in and the opt-out systems leave the user free to choose whether or not, and to what extent, to consent to the placing of cookies in their devices, and to the consequent processing of their personal data. A closer look shows such freedom is a fake freedom. EU legislation governs spyware (and other malicious software) and cookies (serving behavioural advertising or assessing sites' trading performance - the so-called analytics cookies) in exactly the same way. Since it is unacceptable that tools that are so different in their function, purpose and potential danger for users are governed by the same rules, any protection system hinged on consent could therefore be very risky - there is no limit to what users may render legitimate by providing their consent. On top of that, the average user does not normally read the privacy policies posted on websites (and, if he/she does, it is very unlikely that he/she understands in full what they mean) and there is a deep-rooted trend to passively accept anything in order to obtain the desired content as quickly as possible. It is therefore patently evident that leaving to users the power of setting the limit to what is socially acceptable, in the absence of an adequate level of awareness, can produce results that, in terms of privacy protection, are far from being desirable.

By analysing these paradoxes, a proposal for overcoming the impasse has developed. If it is true that the opt-in system is ineffective and technically difficult to realise, the European lawmaker should assume responsibility. Acting together with all those concerned, they should establish whether or not, and to what extent, advertising cookies can be used in order to create the profiles of non-registered users. They should do this by specifying the profiles' maximum retention periods; indicating the type of information that can be collected; prohibiting any processing of sensitive data or of any other data worthy of being safeguarded; imposing the adoption of specific security measures and, if necessary, of the anonymisation techniques that are already available on the market. In other words, it is a question of sterilizing upstream the risks to the data subjects' privacy, while also allowing the advertising industry to survive and carry out its important function in support of online publishing and the e-economy. Once the law has established the maximum level permitted for profiling, the industry might also be required to grant an opt-out right for protecting any users who may still deem such processing an infringement of their privacy. A solution of this type would mark the end of a privacy protection model which is bureaucratic and procedural and the start of a new and more modern technological approach whose aim is not only effectiveness but also simplification.

© ALL RIGHTS OF REPRODUCTION RESERVED

* * *

Want to know more about the above? Feel free to contact me, Marco Leone (marco.leone@dlapiper.com) or Giangiacomo Olivi (giangiacomo.olivi@dlapiper.com).

Posted by Marco Leone on Friday 18 May 2012