The European Commission has published its proposals for what it calls a comprehensive reform of the EU's 1995 data protection rules. Although the stated motivation is to “boost Europe's digital economy,” ISBA and the World Federation of Advertisers (WFA) have serious concerns about the possible restrictive impact on advertising.
ISBA believes that, if adopted, this development would have a hugely negative impact on the European online advertising landscape, impacting all members by hindering long-term innovation.
The UK Government also appears to have misgivings. Justice Secretary, Kenneth Clarke, said that the EU must guard against regulations that are so obsessively concerned with data protection that they fail to recognise the harm that can result from a failure to share information. The Ministry of Justice (MoJ), has announced an evidence gathering exercise on the proposals.
Members are encouraged to respond directly to the Ministry of Justice by their deadline of 6 March, but also to copy responses to David Ellison here at ISBA by 2 March so that our own official submission reflects the views of our membership.
ISBA would welcome responses under the following headings. Wherever possible please submit quantifiable costs and benefits and real-life examples of the potential impact of the proposals.
- Practical, day-to-day examples of the proposals’ possible effects and monetised cost and benefit figures.
- The extent to which the proposals build trust in the online environment, whether they can contribute to economic growth and whether they affect the rights of individuals to the protection of their personal data.
- Comments on how the draft provisions would affect data controllers and data subjects, including monetised costs and benefits.
ISBA’s concerns
ISBA believes that, if adopted, this development would have a hugely negative impact on the European online advertising landscape, impacting all members by hindering long-term innovation.
The proposals state that consent should be much more explicit, e.g. silent or absence of action (opt-out) no longer qualifies. You would need to ask users’ permission every time you collect data, e.g. when placing a cookie, even on your own sites. This risks consent fatigue, leading users’ to automatically reject the collection of any information.
While consistent law across Europe is generally useful for UK businesses, ISBA is concerned that the significantly stricter data protection laws in other European member states will lead to a far stricter data protection regime in the UK and that this will be detrimental to UK industry. In their current form, the provisions would also threaten the advertising-funded business model.
The draft Regulation contains some worrying provisions, for example:
Personal data: The definition is extended to “any information relating to a data subject”, explicitly applying to digital forms of data, including an anonymous identifier such as a cookie, a full name or an IP address.
A reinforced ‘right to be forgotten’: able to delete data if there are no legitimate reasons for retaining it.
Increased burdens for those processing personal data: companies must notify serious data breaches to individuals as soon as possible (as a rule, within 24 hours).
Businesses will be required to have a data protection officer if they are “large” or where the “core activities of the controller consist of processing operations which require regular monitoring."
People will be able to refer cases where rules on data protection have been violated to the data protection authority in their country, even when their data is processed outside the EU.
Independent national data protection authorities will be strengthened to better enforce the EU rules, being empowered to fine companies that violate EU data protection rules (2% of global annual turnover).
A child is defined as anyone under 18. “Verifiable” parental consent is required collecting data from children under 13.
To provide an idea of the impact of current data protection legislation, the Government’s January 2011 Post Implementation Review of the Data Protection Act 1998 and Equality Impact Assessment Review can be found here.
For details of the proposals (including the text of both the Regulation and the Directive) see here.