The Interactive Advertising Bureau Europe(i) (‘IAB’) welcomes the opportunity to respond to the European Commission DG JUST’s consultation on the legal framework for the fundamental right to protection of personal data(1).
IAB is the voice of the online advertising sector, representing over 5,000 companies that offer a diverse range of digital products and services to consumers and businesses across the EU. Their innovations deliver significant value to European consumers and contribute to improving European competitiveness. Our companies have an important stake in the application of existing data protection laws to current business practices, as well as the potential development of standards or regulations in this area.
The Data Protection Directive (‘Directive’ or ‘DPD’) aims to protect individuals’ personal data while at the same time recognising the interests of businesses/commercial actors to process and transfer such data for legitimate purposes. Online advertising is of particular importance as it funds many services users use daily, including sole source funding for free sites and an important source of revenue for subscription and other forms of pay models. Last year, IAB commissioned a study, which showed that the value of ad-funded services to European consumers was assessed at EUR 69 bn (2). The study further demonstrated that there is not an average consumer but rather different segments, which underlines that overly strict policies aiming at addressing ‘user’s concerns’ can address the concerns of a particular segment but will fall short of meeting the needs of all segments. Importantly, online advertising has been one of the main drivers of innovation in the internet: most major services are (co-)funded by advertising, e.g. search, location based services and news portals.
Our response complements IAB Europe’s earlier response to the first consultation and focuses on some key points of particular importance to IAB members.
> Ensuring appropriate protection for individuals
IAB Europe supports the Commission’s objective to protect the fundamental rights of natural persons, and in particular their right to protection of personal data, and to harmonise the scope of application of the Directive. We regret, however, that some Member States have extended this protection to cover business entities. While all stakeholders would agree that individuals deserve protection, an extension to businesses has a negative impact on business and commerce. IAB has been highly supportive of the Commission’s goal to achieve harmonisation across the EEA in the area of DP. The fragmented market not only has a deterrent effect on attracting investments into the EU but is also a major obstacle for European companies in expanding their activities to other EU markets, thus serving as a barrier to the single market. Harmonisation of DP law is crucial, not only to ensure greater legal certainty for users and data controllers but also to help businesses to engage in other EU markets, attract inward investments and be able to deal with increased globalisation of services. In that respect, IAB suggests that only a single EU Member State’s law applies to EU-based data controllers that process data in multiple EU countries; it could be the one of the data controller’s main establishment.
> Increasing transparency for data subjects
IAB fully supports this objective and encourages its members to use simple language in privacy notices and use the instrument of layered notices (a simple, brief notice in layman’s language and the legally required longer and comprehensive notice for further and more detailed information). However, it should be noted that the long and detailed notices are necessary to ensure legal compliance with the strict DP framework. Instead of regulating new and mandatory simplified notices, the Commission should encourage companies to use layered notices. Voluntary EU standard forms could contribute positively and IAB would suggest that the Commission works jointly with industry in drafting such notices. While we believe that such notices can be helpful in guiding companies in developing their own notices, they should not be binding as the diversity of practices across businesses cannot be reflected in standardized forms. Associations could play an integral part in encouraging their members to use such standard forms in the development of their notices.
> Enhancing control over one's own data (data portability and right to be forgotten)
Data portability is already addressed by Art. 12 DPD, which introduced the right for data subjects to access their personal data and any information on the processing thereof. This is complemented by the right to request rectification, blocking or erasure of personal data. This regime is supported by redress mechanisms that give individuals the right to request that a DPA assesses any refusal for erasure of personal data, as well as the possibility to pursue any such refusals via the courts.
IAB does not see the need for further legislation and believes that this framework could be strengthened by the adoption of the principle of “accountability” by data controllers, DPAs and the judiciary.
IAB believes that its member companies have significantly improved their processes as technology has advanced, to the extent that the Commission’s objectives of data access, data portability and deletion of previously uploaded data and content have already been achieved by many services, with many businesses going beyond the legal requirement of Art. 12. Should the Commission consider additional measures, it is important that any such measures are well tailored to address key issues that allow users to import / export emails, contact databases, documents and pictures. However, IAB believes that this question is more linked to discussions around interoperability rather than data protection (and falls outside the scope of this review). If the Commission were to introduce additional rules on data portability, it would be cautious to limit those rules to data handled / created by users.
On the right to be forgotten (which, as the Commission rightly pointed out, already exists under the current framework), it is important to identify the primary concern of the Commission. Human history and knowledge are based on recording data and preserving them for future generations. This aspect is important to be maintained and public records should be kept for next generations.
Data created, uploaded and stored by a user on a particular place (e.g. user generated content, pictures uploaded by the user on his profile) should be subject to that user’s control (including his right to take down such content, i.e. delete or share with others). However, it would be technically impossible to enforce deletion where control is not warranted (e.g. pictures being shared and stored by other users). IAB member services offer possibilities to limit access to user’s content and to delete it. An obligation for the data hosts to ‘wipe the internet’ would be undesirable if not impossible to implement. Any clarification by the Commission should be limited to narrowing down the addressees and scope of that clarification.
As noted above, the Directive already provides for access and the ability to correct or delete data; a right to be forgotten would therefore be redundant.
> Awareness raising
IAB conducted research across 16 European countries, asking over 32,000 citizens about their concerns and online habits (MCDC, by Insites Consulting). The picture is clear: European citizens know about the potential threats online and act upon them, are often aware of potential risks and take them into account (3).
IAB believes that this responsible consumer attitude should be supported by continuous education and welcomes measures focusing on education. Research should also be undertaken to contribute to identifying areas on which awareness-raising should be focused. IAB believes that the time has come to step up cooperation and support activities carried out jointly by DPAs, consumer associations and industry. Commission actions should also seek to establish such actions.
> Ensuring appropriate protection for individuals in all circumstances: definition of personal data
The application of Directive 95/46/EC depends too strongly on whether or not the data processed about individuals can be defined as “personal”. The concept has been widely interpreted and applied among Member States and relies too heavily on whether or not a person can reasonably be identified from the data. It has led to endless debates about whether this or that piece of data is “personal”.
Since the trigger for the application of the Directive rules is uniquely based on whether data is personal or not, we could end up with obligations for certain categories of data that were never intended to identify an individual or make him/her identifiable. Those obligations are ill suited to protect the personal data of data subjects, among other things, because the individual is not identified. The “one size fits all” in terms of rights and obligations applicable to all information is no longer a tenable situation and undermines the Commission’s and the Directive’s objective for effective and efficient rules. We believe a new approach is warranted, with less focus on the concept of personal data and “identifiability” and more on a pragmatic approach recognising that the privacy interests of individuals and risks associated with the processing of their information are contextual and dynamic. An alternative approach should also consider the harm caused by inappropriate collection and processing of personal data or define parameters clarifying that data are not personal if certain safeguards are applied by the Controllers. Those could include security of data storage, confidentiality, use of anonymisation, limitation of physical access, voluntary commitments to exclude linking of data from different sources etc. We would welcome a constructive discussion on this issue to avoid a situation where all data, e.g. IP addresses or other device identifiers, are qualified as personal data.
> Informed and free consent
IAB believes that the clarification of ‘consent’ (i.e. not explicit consent) as informed consent can be met in creative ways, adapted to the interactive nature of the internet. In particular on Online Behavioural Advertising (4), IAB supports the need to require informed consent.
We recognise that consent for advertising methods, such as online behavioural advertising, would require proper notification in a manner appropriate to this medium. IAB would propose a mechanism by which notice about consent is made more prominent by linking the notice to adverts that make use of data collection for online behavioural advertising purposes.
This would allow consumers to always have access to such notifications where most relevant (i.e. when such adverts are displayed on a website) and enable the consumer to exercise his choice to ‘switch off’ such adverts, if he so chooses.
IAB and the broader advertising ecosystem are working on a self-regulatory regime which is based on implementing such an informed consent mechanism.
> The role of Internet intermediaries in the modern internet
As intermediaries enabling access to data/information, sharing and hosting third party content, the question of liability for harm to individuals on the basis of privacy and data protection violations becomes imperative.
At the time of the entry into force of the current 95/46 Directive, the role of online intermediaries was not subject to consideration, among other things because Web 2.0 services did not exist. The Directive was and is anchored on 3 main actors (controller, processor and data subject). The E-Commerce Directive (2000/31/EC) adopted in 2000, on the other hand, recognised the potential of online intermediaries and defined rules that limited their liability versus infringements by third parties. Unfortunately, the scope of the eCommerce Directive excluded the DPD.
In general, we believe that while intermediaries should be held responsible for their own collection and use of personal data of individuals, the intermediary’s responsibility needs to be limited when it comes to data protection issues related to third party use of online services. Intermediaries’ responsibility or direct liability for privacy violations committed by third parties would have a harmful effect on the free flow of information and innovation of online services and the development of the data protection related professions (under risk of imprisonment).
IAB believes that a clarification in the DP framework is warranted. Recent activities at Member State level have shown that intermediaries need reassurance about their liability limitation also for matters related to privacy and data protection.
> Mandatory personal data breach notification
IAB supports a general breach notification regime with the conditions outlined in our previous response.
> Reducing the administrative burden – mandatory Data Protection Officer – Privacy Impact Assessments
IAB members include many SMEs. It would be disproportionate to force SMEs to have a mandatory obligation to engage a Data Protection Officer (DPO) or conduct formal privacy impact assessments (5). We would support an obligation for a mandatory DPO only for larger corporations that are better placed to support such positions within their organisations, and for which the impact of increased operational expenses would be limited. Likewise, mandating specific forms of privacy impact assessments will increase costs and impact businesses negatively, without increasing data protection or removing administrative burden.
> Applicable law
The Communication could be interpreted to say that the Commission considers abandoning the current “country of origin” principle as it relates to data protection. Any changes to this principle would lead to severe negative consequences for companies operating efficiently cross-border.
IAB believes the current principle of country of origin, i.e. the country where the Data Controller is established, as applicable national law has been fundamental in supporting the internal market objective of the Directive. It sets the conditions for businesses to be established in one Member State and service Union-wide, without facing an unnecessary compliance burden of duplicated requirements – with eventually no improvement in protections afforded to data subjects.
Greater and more formal collaboration between DPAs, reflecting the spirit of the internal market, will go a long way to support and extend the sense of recourse citizens can achieve in enforcing their rights. We also note that the globalisation of communications and commerce via the Internet could subject companies to multiple and sometimes divergent legal obligations. In this regard, the Directive should maintain its focus on adequate protections but through streamlined and simplified procedures for transborder data flows rather than proceeding with extraterritorial reach. Self-regulation (including the self-regulation framework for OBA) is important in developing global practices and is a better means of ensuring global consistency.
> Privacy by Design / Privacy Enhancing Technologies (‘PETs’)
IAB supports the application of privacy by design in internal processes, starting with educating developers about privacy. We are very encouraged to see increased competition among e.g. browser manufacturers in the market. Mandatory standards or measures would likely decrease this competitive element and ‘lock down’ innovation to a standard, which might increase privacy when it is adopted but might prevent more innovative solutions that would not be covered by that standard.
> Encouraging self-regulatory initiatives and exploring EU certification scheme
IAB is very encouraged that the Commission has identified the reform of the current code-of-conduct regime as a priority. We believe that self-regulation plays an important role in ensuring a regulatory regime fit for purpose.
> Clarify institutional roles and responsibilities of the Article 29 Working Party
IAB welcomes the considerable efforts of the Article 29 Working Party in clarifying and harmonising the interpretation and applications of EU data protection rules. However, we believe that the Art. 29 WP should be more transparent and accountable for its opinions and decisions. Furthermore, we call for a participatory dialogue in order to ensure that the views of key stakeholders are taken into account by the Art. 29 WP.
IAB Europe is looking forward to a fruitful discussion with the European Commission and other institutions to work on the modernisation of the Data Protection Directive.
2 IAB Europe and McKinsey&Company, Consumers driving the digital uptake, Sept. 2010, www.iabeurope.eu/research/consumers-driving-the-digital-uptake.aspx
3 Cf: www.iabeurope.eu/media/27285/mc-dc-2009-iab-unite-report.pdf
4 ‘Online Behavioural Advertising’ means the collection of data from a particular computer or device regarding Web viewing behaviours over time and across multiple Web domains for the purpose of using such data to predict Web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such Web viewing behaviours.
5 It should be noted that privacy impact assessments are carried out internally already. Formalising those would effectively force companies to outsource those assessments to specialised law firms, increasing costs. Also, external lawyers often tend to be risk averse in order to limit potential liability, which would result in companies becoming less innovative.
* * * * * *
The Interactive Advertising Bureau Europe (IAB Europe) (www.iabeurope.eu) is the voice of the online advertising sector through its 26 national IAB associations representing more than 5,000 company members, as well as corporate members including Adconion, Adobe, ADTECH, Alcatel-Lucent, Aol, AudienceScience, BBC.com, CNN, comScore Europe, CPX Interactive, Criteo, eBay, Ernst & Young, Expedia Inc, Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, Hi-media, InSites Consulting, Koan, Linked-in, Microsoft Europe, MTV, Netlog, News Corporation, Nugg.ad, Nielsen Online, Orange Advertising Network, Prisa, Publicitas Europe, Sanoma Digital, Selligent, Smartclip, Specific Media, Tradedoubler, Truvo, United Internet Media, ValueClick, White&Case, Yahoo and Zanox. Supported by every major media group, agency, portal, technology and service provider, IAB Europe coordinates activities across the region including public affairs, benchmarking, research, standards settings, and best practices.
Contact: Should you have any questions or comments, please contact Kimon Zorbas, Vice President, email@example.com, phone: +32 494 34 91 68.
i IAB Europe is registered at the European Commission Register of Interest Representatives,