6.4.2019.
IMPLICATIONS OF THE NEW EU DATA
PROTECTION FRAMEWORK ON THE ONLINE MEDIA INDUSTRY
Nina Gumzej
Zagreb Law Faculty
May 2017
General Data Protection Regulation - GDPR
Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Entered into force: May 25th, 2016
Applicable in MS as of: May 25th, 2018
Proposal for an ePrivacy Regulation
• repealing ePrivacy Directive 2002/58/EC
• proposed application in MS: same as the adopted GDPR (May 25, 2018)
• enforcement: national data protection authorities
• remedies, liability, sanctions
Online behavioral advertising (OBA)
• Tracking user’s behavior over different websites, profiling, tailored advertising
• Advertisers – promoting services / products
• Advertising networks providers - connecting publishers with advertisers
• Publishers - website owners that sell space to display advertisements on their site (revenue)
• Contracts
Some concerns of the media industry
• Funding based on interest-based advertising
• Obtaining prior consent – strict requirements for OBA; other processing grounds (GDPR)?
• Annoying cookie banners – concerns remain if the publisher collects prior consents
• Access to tracked information – ad network chain (more value)
• Consequences: change of business model e.g. no access to free services, subscriptions?
Rationale behind regulation at EU level
Storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user
● general rule on secrecy of communications: prohibited listening, tapping, storing, interception and any monitoring
● intrusion into private life
● terminal equipment and information – private sphere protection against viruses, spyware… but also “cookies” – in focus: hidden tracking, esp. OBA
Prior informed consent
Storing of information, or gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed if the subscriber or user gave consent, having been provided with clear and comprehensive information*, in accordance with the Data Protection Directive 95/46/EC, inter alia, about the purposes of the processing**
* consent – Directive 95/46/EC – freely given, specific, informed indication of wishes…
** cookie purpose, person/entity processing the relevant data…
Exceptions
Technical storage or access:
A. for the sole purpose of carrying out the transmission of a communication over an electronic communications network (e.g. load-balancing session cookies)
B. strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide the service (e.g. online shopping)
Evaluation of ePrivacy Directive
• European Commission – REFIT (Regulatory Fitness and Performance Programme)
“consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent. The consent rule is over-inclusive, as it also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in the device. Finally, its implementation can be costly for businesses”
Proposed ePrivacy Regulation
• Technology neutral rules: cookies and similar tracking technologies (e.g. hidden identifiers, device fingerprinting)
• Terminal equipment: computer, smart phone, tablet
• Exception for 1st party web audience measuring cookies (no consent required) – counting no. of visitors to site
Proposed Article 8 ePrivacy Regulation
Protection of information stored in and related to end-users’ terminal equipment
The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except where:
(a) necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or
(b) the end-user has given consent; or
(c) necessary to provide an information society service requested by the end-user; or
(d) necessary for web audience measuring, if carried out by the provider of the information society service requested by the end-user
Stricter consent requirements
• Article 9(1) of ePrivacy Proposal → GDPR consent requirements
freely given, specific, informed,
unambiguous
active consent / expressed by clear affirmative action
Consent may be expressed by using appropriate technical settings of a software application
enabling access to the Internet?
Article 9(2) of the Proposal
• Web browsers are in a privileged position to play active role to help the end-user to control the flow of information to and from terminal equipment
• May be used as gatekeeper - helping end-users to prevent information from their terminal equipment from being accessed or stored
Browser consent: apply GDPR privacy by design and default?
Article 10 Information and options for privacy settings to be provided
• 1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.
• 2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.
• 3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.
• (Recital 23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner.
Reaction by EU DP bodies
• European Data Protection Supervisor, Article 29 Data Protection Working Party
• Software: include DNT / reject as default setting
• Article 10 of the Proposal considered inconsistent with Article 25 of the GDPR on ‘Data protection by design and by default’.
• Amend Proposal: impose a duty on hardware and software providers to implement default settings that protect end-users’ devices against any unauthorised access to or storage of information on their device (European Data Protection Supervisor)
• Microsoft started enabling “Do Not Track” as the default setting with the launch of Internet Explorer 10.
• “While our implementation of DNT two years ago in Internet Explorer 10 (IE 10) was welcomed by many, others voiced concerns, especially given that discussions were underway at the time to establish an industrywide standard for user tracking preferences.
• Since then, the World Wide Web Consortium (W3C) has continued to refine language to address how users express a preference regarding tracking. The latest draft of the standard reads: Key to that notion of expression is that the signal sent MUST reflect the user’s preference, not the choice of some vendor, institution, site, or network-imposed mechanism outside the user’s control; this applies equally to both the general preference and exceptions. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed. (Emphasis added.)
• Put simply, we are updating our approach to DNT to eliminate any misunderstanding about whether our chosen implementation will comply with the W3C standard. Without this change, websites that receive a DNT signal from the new browsers could argue that it doesn’t reflect the users’ preference, and therefore, choose not to honor it.”
Obliging all parties involved?
• Add a rule obliging adherence to accepted technical and policy compliance standards by all parties concerned, including operators of websites (EDPS proposal)
Impact assessment
• “Centralising consent does not deprive website operators from the possibility to obtain consent by means of individual requests to end-users and thus maintain their current business model.”
• “For users with ‘reject third party cookies’ or ‘DNT’ settings in browsers: who can seek consent? E.g. 1) software such as internet browsers; 2) the third party tracker; 3) the individual websites (i.e. information society service requested by the user)”
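The two questions above (is a browser signal a valid expression of the user's preference, and who may still ask for consent when it is present) map onto a small server-side decision that every publisher running OBA has to make per request. The following is an added example, not code from the slides or from any of the bodies quoted: a Node-style request handler that reads the W3C `DNT` header (values `1` = opt out, `0` = opt in, absent = no preference, as the quoted draft describes) together with a hypothetical first-party consent cookie named `oba_consent`, and returns whether third-party trackers may be loaded and whether the requested service should ask for consent. The precedence rule (an explicit recorded choice beats the browser signal, the browser signal beats the absence of any choice) is a design assumption of this example, not something the Proposal settles.

```javascript
// Added example (not from the slides). Decides, per HTTP request, whether a
// publisher may load third-party tracking (OBA) and whether the first party
// should ask for consent. Header keys are lowercase as in Node's req.headers.
//
// Assumptions not in the slides: a first-party cookie "oba_consent" with
// values "yes" | "no" records an explicit answer to a consent request.

// Map the W3C Tracking Preference Expression header to a preference.
//   "1"   -> user opted out of tracking
//   "0"   -> user expressly allows tracking
//   absent or anything else -> no preference expressed
// (per the draft quoted above, an absent signal is NOT treated as consent)
function parseDnt(headerValue) {
  if (headerValue === undefined || headerValue === null) return 'none';
  const v = String(headerValue).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'opt-in';
  return 'none';
}

// Minimal Cookie header parser: "a=b; c=d" -> { a: "b", c: "d" }.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(value);
    } catch (_) {
      out[name] = value; // keep malformed percent-encoding as-is
    }
  }
  return out;
}

// Returns { loadTrackers, askConsent, reason }.
// Precedence (design choice of this example):
//   1. explicit recorded choice (consent cookie)
//   2. browser signal (DNT header, cf. Article 9(2) "technical settings")
//   3. neither present -> trackers stay off, the requested service may ask once
function trackingDecision(headers) {
  const consent = parseCookies(headers['cookie'])['oba_consent'];
  const dnt = parseDnt(headers['dnt']);

  if (consent === 'yes') {
    return { loadTrackers: true, askConsent: false, reason: 'explicit consent recorded' };
  }
  if (consent === 'no') {
    return { loadTrackers: false, askConsent: false, reason: 'consent explicitly refused' };
  }
  if (dnt === 'opt-out') {
    // Honor the signal and do not re-prompt: the user has expressed a choice.
    return { loadTrackers: false, askConsent: false, reason: 'DNT:1 honored' };
  }
  if (dnt === 'opt-in') {
    // The browser setting expresses consent, so no individual request is needed.
    return { loadTrackers: true, askConsent: false, reason: 'DNT:0 treated as consent' };
  }
  // No preference and no recorded choice: default to no tracking and let the
  // first party (the information society service requested) seek consent.
  return { loadTrackers: false, askConsent: true, reason: 'no preference expressed' };
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { dnt: '1' },                              // opt-out, nothing recorded
  { dnt: '0' },                              // opt-in via browser setting
  { dnt: '1', cookie: 'oba_consent=yes' },   // explicit consent beats signal
  { cookie: 'oba_consent=no' },              // explicit refusal, no signal
  {},                                        // neither: ask
];

for (const h of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(h), '->', trackingDecision(h));
}
```

The ordering of the two checks is the whole policy question the impact assessment raises: putting the cookie first lets a website "obtain consent by means of individual requests" even from a `DNT:1` browser, while putting the header first would make the browser the gatekeeper of Article 9(2). Whichever order a publisher picks, the absent-header case should never be read as consent, which is exactly the misreading the Microsoft text above is trying to avoid.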
Adblocking
• technology employed to prevent display or download of ads
• most common form: browser extensions
Tracking walls / adblock walls
• Tracking wall: refusing access to a service unless the user consents to 3rd-party advertising
• Adblock wall: detecting when an ad-blocker user accesses the website and preventing them from viewing content until: a) the ad blocker is turned off; or b) they pay, e.g. a subscription
Tracking walls and the Proposal?
• Recital clarifying that the identifying functionality, i.e. checking whether there is an adblocker (or a DNT / reject-cookies setting), would not constitute access itself, so no prior consent is required for that check
• Recital 21: “Information society providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities”
Andrus Ansip, VP European Commission, 2.2.2017.
Reactions by EU privacy bodies
(EDPS)
Consent must be freely given: ‘tracking walls’ must come down
Consent not freely given where provision of a service is made dependent on one’s consent and such processing is not necessary for performance of that service
Tracking walls oblige user to consent to use of 3rd-party tracking cookies, which are unnecessary for performance of service
It is crucial that users be able to use a service without being tracked – especially by third parties and in situations where the user depends on, and has no real alternative to, using the service
Reactions by EU privacy bodies
Proposed revisions:
• No one shall be denied access to any information society services (remunerated or not) on the grounds that he or she has not given consent that is not necessary for the provision of those services
• Add a prohibition on excluding users who have ad-blocking or other applications and add-ons installed to protect their information and terminal equipment
• Add a recital that processing of data to provide targeted ads is not considered as necessary for the performance of the service
Proposed administrative fines
Article 23 General conditions for imposing administrative fines
• up to EUR 10 mil / 2 % of total worldwide annual turnover of preceding financial year, whichever is higher (undertaking):
(1) obligations of any legal or natural person who process electronic communications data (Article 8);
(2) duty of provider of software enabling electronic communications (Article 10)
• Non-compliance with order by supervisory authority:
up to EUR 20 mil / 4 % of total worldwide annual turnover of preceding financial year, whichever is higher (undertaking)
Next steps
COUNCIL OF THE EU
Brussels, 19 May 2017 (OR. en) 9324/17
• delegations consider the proposed date of application of 25 May 2018 to be unrealistic
• A number of delegations would welcome a more thorough analysis of the impact of these provisions on specific market players, in particular on online advertising companies and/or on business models using third-party cookies
• Further work will also be needed concerning the protection of information stored in, or emitted by, end-users' terminal equipment (Article 8)
• A number of delegations requested clarifications with regard to the exceptions in relation to both cookies and device tracking, and some of them suggested additional exceptions to the list. It is crucial to find a balanced solution to address the issue of ‘consent fatigue’, especially in cases with limited/no risk to privacy.
Thank you!