Europäischer Datenschutzbeauftragter Hustinx: “Do not track or right on track? – The privacy implications of online behavioural advertising”

Der europäische Datenschutzbeauftragte Peter Hustinx hat kürzlich einen Vortrag zum Thema “Do not track or right on track? – The privacy implications of online behavioural advertising” gehalten und diesen im Internet veröffentlicht. Herr Hustinx gibt darin einen guten Überblick über die zu erwartenden Entwicklungen im Bereich Online-Marketing und Datenschutz.

Die aus meiner Sicht wichtigsten Passagen des englischsprachigen Vortrages lauten:

“(…) At a general level, there also seems to be a growing consensus that a better balance can be found on the basis of three key principles: i.e. transparency, fairness and user control. (…)

As to Article 5(3) of the e-Privacy Directive, it is important to know that the storing of information and the accessing of information stored in the user’s terminal´ are considered as an intrusion in the private sphere of the user. This is expressly stated in recital 24 of the 2002 version of the Directive and recital 65 of the revised version. (…)

The new text of Article 5(3) requires consent of the user concerned, which must be given before the storing or accessing of information. The e-Privacy Directive also makes it clear that this consent should fulfil the requirements of Article 2(h) of the Data Protection Directive, i.e. it should be a “freely given, specific and informed indication of his wishes” by which the user signifies his agreement to information being stored or accessed on his terminal. (…)

The information given should be “clear and comprehensive”. This means that it should be clear, precise and easily understandable, and should cover all relevant substance. It follows immediately from the text that the information should be given before the user’s consent. This information should also be readily available to the user without great efforts: the user must be provided with the relevant information.

The text does not specify who should provide this information. However, it is obvious that the first candidate to do so is the ad network provider who stores or accesses information on the computer terminal. This does not prevent that the website operator or publisher is often also in a good – or perhaps even better – position to provide the required information.

The frequency of the information is not mentioned. The text certainly does not require that the information is given each time a cookie is stored or accessed on a terminal. Indeed, it allows a practical approach under which both information and consent are provided at certain intervals and for certain categories of activities. (…)

This leads to a few other issues, such as the role of browser settings. Recital 66 of the revised e-Privacy Directive is often referred to in this context. However, what it says is that “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” As most current browsers accept cookies by default and most current users lack the skills to change browser settings, this recital refers to a scenario that is presently too often not realistic. However, this could of course change in the future.

Another question that is sometimes raised is whether the new text of Article 5(3) is based on “opt-in” or “opt-out”. Although some would rather avoid the term “opt-in” or “prior opt-in”, it is not so difficult to see that this is exactly what the present text requires. The assumption that this “opt-in” should be exercised each time a cookie is stored or accessed, has led to a kind of tunnel vision on the subject. Indeed, a solution should be user friendly and effective.

Although the revised Directive should have been implemented into national law by 25 May 2011, only a small minority of Member States have actually managed to do so. Those that have implemented Article 5(3) have mostly followed the analysis presented here. (…)

In a speech delivered in September 2010, the Commission’s Vice-President Neelie Kroes, responsible for the EU Digital Agenda, has encouraged the advertising community to develop a self-regulatory framework in compliance with the e-Privacy Directive. (…)

The Data Protection Directive applies where such processing is taking place in the context of the activities of an establishment of the controller in the European Union, or uses means that are located in the EU. It is likely that the latter criterion will be replaced by targeting persons in the EU or providing a service on the European market. (…)

Let me finally mention a few other perspectives in the context of the current review of the EU legal framework for data protection. The impact of the Lisbon Treaty is likely to lead to a more comprehensive approach across all EU policy areas. There is also a strong emphasis on greater effectiveness in the light of technological change and globalisation, and reduction of unhelpful diversity and complexity in the EU. (…)

In the US, there are also interesting developments that are different, but seem to go in a similar direction. More global privacy will require more compatibility and interoperability of our legal approaches, especially for the online environment. Today’s subject may turn out to be an interesting test case for our determination and creativity to provide privacy online. (…)”

Autor:
Rechtsanwalt Dr. Sebastian Kraska, externer Datenschutzbeauftragter

Telefon: 089-1891 7360
E-Mail-Kontaktformular
E-Mail: email@iitr.de

Information bei neuen Entwicklungen im Datenschutz

Tragen Sie sich einfach in unseren Newsletter ein und wir informieren Sie über aktuelle Entwicklungen im Datenschutzrecht.