If you were expecting some concrete guidelines from any of the myriad European government privacy agencies, such as the ICO, on a) how not to be taken to court for contravening the new EU directive and b) how not to incur a massive fine after some privacy nut accused you of being TOO “intrusive” with those horrid cookies, then I’m afraid you are going to be sorely disappointed. That’s how I felt after leaving Evidon’s conference on privacy this week. It wasn’t that it was a bad conference. I would say it was one of the best privacy events I’ve been to. Good speakers. Engaging content. But the truth is nobody has a clue what is going on – still. I asked a panel point blank what I should do as a small publisher, running 3rd-party cookies, to comply with the directive.
The answer was as vague as the directive itself: appear to be doing something and you should be alright. Right. And that is? Updated Ts & Cs? Opt-in? Maybe a pop-up warning of imminent cookie “intrusion”? Implied consent? Explicit consent? All strategies are plausible, says the ICO. The bottom line is: just look like you are doing something. It’s all sensible advice, but this comment by David Evans of the Information Commissioner’s Office (ICO) in NMA this week only confirmed my current suspicion of mass legislator and industry body confusion around the current EU legislation:
“Companies need to start showing they are moving in the right direction as the directive has been around since May. As a regulator, we can point to lots of people doing different things, but do something is the message.”
Eh, what direction? What we need at this juncture is some proper guidelines from the ICO – not throwaway comments in the trade press. And we as an industry require these before the amnesty runs out in April of next year.
If you thought things were bad now, you need to look away now…
There’s been a lot of chest-thumping from the new EU justice minister, Viviane Reding, about how she was going to go further than the recent updates to Article 29. How far she might go was not known, but a leaked document on the data privacy directive suggests she wants to go well beyond. Legislators are now talking about opt-in consent being “obligatory” and a “right to be forgotten”. How the EU will try to make this work without killing the digital media industry and the internet completely is beyond the comprehension of ordinary mortals like you and me. Here’s a flavour of some of the points outlined in the draft directive document (note points 5, 6 and 7):
- As the regulation would be top-down from Brussels, the home of the European legislative bodies, it will provide near-complete harmonization of all future data protection laws.
- The regulation would again make companies with operations in multiple European member states subject to the jurisdiction of one state’s legal system, including its data protection laws. The designated headquarters of their European office determines which state that is.
- Data processors, such as Microsoft and Google, who merely store and manage data through their services, will be under many of the same obligations as data controllers, such as businesses and universities that own data.
- Both data controllers and data processors will be made to sign an agreement allocating equal responsibility for data between them. Should an agreement not be made, both parties would be jointly responsible for all processing, and any data loss or privacy breaches.
- Companies outside Europe — such as those in the United States — will continue to be subject to European law if they have a European-based office or European customers.
- Opt-in consent will be made obligatory. This relates mostly to data processing for marketing, but it will require explicit consent from the data owner before companies can perform such actions.
- The “right to be forgotten” will be sanctioned by Brussels. Though this has come up against criticism from the UK’s data protection authority, measures will be put in place to allow European citizens to have their data deleted by private companies.
- If a company suffers a data loss or breach, both the data protection authority and the individuals must be informed within 24 hours of discovering the breach.
- For public sector companies, or any company with more than 250 employees, internal data protection officers would be mandatory.
- The Article 29 Working Party will be renamed to the “European Data Protection Board”, which would be the executive body of all member states’ data protection authorities.
- The Commission will be granted the power to issue interpreting provisions of the regulation, allowing member states to delegate high-level cases directly to the European powerhouse.
Pan-Euro bodies come together to push self-regulatory agenda
In the face of all this heavy-handed legislation you wonder whether self-regulation will actually work. But the various European industry and self-regulatory bodies are coming together to launch the European Digital Advertising Alliance (EDAA). This new initiative gives users transparency and control over behavioural advertising. All BT-powered ads will carry the “AdChoices” icon. Will this be enough to satisfy lawmakers? Time will tell, but Nick Stringer and the IAB should be commended for trying to tackle the issue head-on. You can read more about the EDAA on the IAB website.