IMPLICATIONS OF THE PROPOSED EC DATA PROTECTION REFORMS FOR IAB MEMBERS
The proposed data protection reforms as currently drafted in seeking to update existing data protection law, will have a significant impact upon digital advertising, as well as the broader Irish digital economy. They will result in the introduction of a more stringent data protection regime across all EU markets, stricter conditions and heavier fines for breaches. In particular, the IAB believes that:
1. The scope of personal data (as well as the definition of “data subject‟) is too broad. The Regulation makes no distinction between personal information that you might share with your electricity supplier (ie your name, your address, your bank details), and data that might be unique to a device but that does not directly identify an individual – such as the collection of a history of web surfing linked to a ‘cookie’ for advertising purposes, which does not reveal an individual’s real-world identity. The result is a proposal that brings far more data into the ‘regulatory net’.
2. The requirement to obtain explicit consent for processing personal data overlooks a contextual and consumer-friendly approach. Securing the explicit consent of users for a much broader set of personal data (as noted above) is very difficult to implement in a digital environment. As well as placing additional burdens on businesses, this approach would also disrupt the online experience for users, who could face constant, intrusive ‘tick box’ consent screens and pop-ups. The IAB is concerned that consent-fatigue would actually lead to lower standards of consumer protection than more sophisticated forms of transparency. Explicit consent should be limited to genuinely at-risk situations.
3. The Regulation potentially (and unhelpfully) includes some forms of behavioural advertising in its provisions on “profiling”. This requires clarification since it appears that the intention of this section of the text is actually intended to prevent negative discrimination based on profiling (such as discrimination on the basis of health status or inferred political views) rather than far less-impactful forms of content and advertising personalisation.
WHAT IS THE TIMELINE FOR THE REGULATION
The EU’s legislative process stipulates that both the European Parliament (MEPs) and the Council of Ministers (each EU country is represented in the council) must individually scrutinise the proposal before agreeing on a joint text.
The European Parliament was the first of the two bodies to formalise its negotiating position when it adopted its changes (embed this link into changes http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0212 ) to the EC’s proposals at First Reading in March 2014. This negotiating position was achieved following much debate between the different political groups in the parliament.
The Members States in the Council have held their discussions on the reforms on the basis of “nothing is agreed until everything is agreed”, while reviewing the proposals chapter by chapter (11 chapters in total). A common agreement on rules governing transfer of data outside the EU was reached at the council’s June meeting as well as clarifying language on the territorial scope of the Regulation (embed this link http://www.gr2014.eu/news/press-releases/greek-presidency-reaches-agreement-data-protection-insolvency-luxembourg).
Following the recent European elections a number of key elements of the proposals remain under review. Significantly the reforms still have to be agreed in their entirety in three-way “behind closed doors” negotiations between the Council, the Parliament and the European Commission. These “trilogue” meetings can last many months. All signs currently point to an agreement in 2015 at the earliest followed by a two-year implementation period in each Member State.
REMAINING STICKING POINTS IN THE REVIEW
Italy is now the chair of the Council and has indicated that it will be highlighting the issues in respect of the choice of the instrument of data protection reform, ie, whether the instrument is a Regulation, per the EU’s original proposal, and so strictly legally binding in all EU Member States or a Directive which sets out legal goals that each Member State is free to implement in the way it sees fit.
The potential introduction of the concept of “pseudonymous data” (a sub-set of personal data that does not directly identify an individual) continues to be discussed in the Council. IAB has championed the introduction of “pseudonymous data” as its inclusion would facilitate a balanced and pragmatic future data protection framework for Europe. IAB is of the view that the introduction can provide business with a firm legal (and therefore commercial) basis to process the data used in advertising.
WHAT CAN YOUR COMPANY DO IN THE MEANTIME?
Ensure that you remain informed in respect of the progress being made re the Data Protection Reforms IAB Ireland’s policy council together with our colleagues engaged in policy in IAB Europe and in IAB UK will continue to provide briefings at timely intervals to assist our members. We would encourage you to engage with colleagues to highlight the signification changes the reforms could mean to your business.
Furthermore IAB Ireland is part of IAB Europe’s Digital Innovation Showcase Europe (DISE) Programme which we will be highlighting from September 2014. The goal of DISE is to demonstrate the European innovation potential of our sector to policy makers and to the media through the promotion of innovative SMEs. This policy outreach consists of various lobbying actions and material aimed at addressing the concerning policy challenges our industry faces going forward. Your support for DISE will assist our advocacy on behalf of the Irish digital advertising industry.
For further information contact Suzanne McElligott, ceo IAB Ireland at Suzanne@iabireland.ie