Nick Stringer is Director of Regulatory Affairs at IAB UK. Here he addresses the European Commission’s draft data protection proposals: what you need to know -- and do.

In a rapidly evolving sector, such as digital marketing, there will always be challenges from legislators as they seek to ensure consumer safeguards keep pace with technological innovation. Collectively, it is our job to inform them that this needs to be balanced without throttling innovation and the commercial models that underpin the internet. Self-regulation – where privacy-enhancing approaches are built into product cycles – has a very important role to play, as it can move faster with markets than a statutory approach.

The approach by Brussels

However, a year ago in January 2012, the European Commission proposed changes to the way personal data is protected and regulated across EU markets. The proposals were driven by a need to update the law in light of technological changes since 1995 (when the current law was framed in Europe – the 1998 Data Protection Act in the UK) as well as to streamline the rules to make it easier and more efficient – particularly in a digital world - for businesses operating across territories, hopefully saving millions of pounds in administrative burdens. Above all, the proposals were aimed at providing European citizens with a strong level of data protection and accountability, fostering a new climate of trust in the services we all use.

This all seems sensible: data usage and exchange is far more widespread in a digital age. Data now underpins the internet, business models and the majority of services that we depend on and enjoy, including the delivery of public services. New business models and new innovations mean better, more efficient and more tailored services, contributing to a successful and world-leading digital economy. Consumers stand to benefit with high-quality and customised content, services and applications at little or no cost, as well as improved value and choice. IAB research illustrates that, whilst consumers understand the need for an ad-funded internet, they also want greater transparency and control over data and how it is used. The approach underpins the EU-wide self-regulation for targeted advertising, with strong political support across Europe, including the European Commission and the UK Government.

However, the proposed changes by the European Commission risk chilling the evolution of existing and new business models by significantly restricting the use of data and denying, for example, small businesses and retailers the revenue that they require to support, drive and develop their activities. Privacy advocates seek to make the debate all about US multinational businesses, but this threatens to overlook the real issues of concern: the areas of innovation and entrepreneurialism – the bedrock of the digital economy.

Why this approach?

Rather than focusing on strengthening existing data protection law, the European Commission seeks to regulate out all risk by extending its scope to capture all data sets. For example: in the proposed scope of ‘personal data’. In the draft proposals, ‘personal data’ is extended to cover almost every piece of data that could be collected and used in a digital environment – whether it actually identifies you as a person, or is just aggregated data to help improve or tailor content or services. The proposals make no distinction between the two and therefore create significant legal uncertainty. In addition to this, the draft proposals require users to provide explicit consent for the processing of this data. This will require users to go through numerous hoops to reach the service or content that they wish to access (leading to ‘click-fatigue’) and reduce the business incentive to build in security or privacy measures to reduce the likelihood of identification. It will also undermine all the work the UK Government (and other national governments across Europe) has done to ensure a pragmatic transposition of the revised ePrivacy Directive (‘implied consent’). The Netherlands, which recently agreed to change its strict prior-consent approach for cookies and other technologies because of the onus on both consumers (they found ‘cookie walls’ irritating) and businesses, is surely a lesson to all legislators of how not to do it.

There’s a third way…

The IAB recognises the need to update the law to take into account the widespread use, and exchange, of data. However, this needs to be done in a proportionate and balanced way, avoiding a ‘black and white’ approach to data that will throttle businesses without actually affording users strong safeguards.

We are therefore proposing a different approach: a new category of data, or a sub-set of personal data, known as ‘pseudonymous data’. This is when information is collected, altered or otherwise processed that, in itself, cannot be attributed to an individual without the use of additional data. For example: much of data that is collected and used in online advertising. The technologies used do not identify an individual, but are unique to a device. Including this in the new data protection reforms (it already exists in German law) offers a legal basis for processing this type of data and moves towards regulating it in a more practical way, without restrictive and unnecessary obligations that are required for true personal data.

More importantly, it gives consumers the confidence that there is a process whereby only the data actually needed and required is stored, as well as safeguarded. Complemented by the self-regulatory advertising approach of providing consumers with greater transparency and control, it achieves the balance that is needed in the reforms.

The IAB is briefing legislators and policy-makers on this concept, and why it is important to the digital economy. Across Europe, and working with national governments, ad partners and other stakeholders, as well as our elected representatives (eg MEPs), the IAB has proposed amendments to include the concept of pseudonymous data to achieve a balanced approach. This is not a ‘watering down’ of the proposals, as has been suggested by some, but a way to deliver strong consumer safeguards without undermining the ad-funded internet. As Irish MEP, Sean Kelly, comments, “Being pro-business is being pro-consumer: the two are not mutually exclusive”.

Next steps

The data protection reforms are currently being discussed and debated within the various institutions of the European Union. The next few months will be critical, and if you operate in other EU markets, then you should ensure that you are supporting the efforts there. It is a very real threat to the ad-funded internet and our sector – your business – depends on us getting it right.

If you would like to know more or get in touch contact the IAB at nick@iabuk.net.