EU Data Protection Law and Targeted Advertising
Total Page:16
File Type:pdf, Size:1020Kb
Damian Clifford EU Data Protection Law and Targeted Advertising Consent and the Cookie Monster - Tracking the crumbs of on- line user behaviour by Damian Clifford, Researcher ICRI/CIR KU Leuven* Abstract: This article provides a holistic legal a condition for the placing and accessing of cookies. analysis of the use of cookies in Online Behavioural Alternatives to this approach are explored, and the Advertising. The current EU legislative framework implementation of solutions based on the application is outlined in detail, and the legal obligations are of the Privacy by Design and Privacy by Default examined. Consent and the debates surrounding concepts are presented. This discussion involves an its implementation form a large portion of the analysis of the use of code and, therefore, product analysis. The article outlines the current difficulties architecture to ensure adequate protections. associated with the reliance on this requirement as Keywords: Data Protection, Targeted Advertising, E-Privacy Directive, Consent, EU Data Protection Framework © 2014 Damian Clifford Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving. de/urn:nbn:de:0009-dppl-v3-en8. This article may also be used under the Creative Commons Attribution-Share Alike 3.0 Unported License, available at h t t p : // creativecommons.org/licenses/by-sa/3.0/. Recommended citation: Damian Clifford, EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour 5 (2014) JIPITEC 194, para 1. A. Introduction 2 The aim of this analysis is to examine the use of cookies in the tracking of users for the purposes of 1 The commercialisation of the internet has been targeted advertising. Certain restrictions regarding rapid. Ubiquitous technological development and the scope of this article should be acknowledged internet availability have propelled profits and the from the outset. First, it will be restricted to value of information. Online Behavioural Advertising an examination of the use of cookies in OBA in (OBA) through the tracking of users has allowed for order to track and profile users. Accordingly, an the development of user-targeted campaigns. The examination of the emerging use of technologies debates surrounding the legitimacy of this behaviour and techniques such as Browser Fingerprinting, have been contentious. Traditional legal principles Deep Packet Inspection and History Sniffing does have struggled to come to terms with the rapid not come within the scope of this article. Further, the proliferation of internet technologies. The rigidity of article will not explore the legal issues around the the legal framework contrasts strongly with the fluid use of analytics systems which correlate various data and ever-changing IT sector. In essence, tracking sources (including the cookie data) and, hence, the and the resulting profiling have become a key part Big Data elements of this topic. Although, in reality, of the business model of many Web 2.0 services, but user profiles in OBA contain data from various the legality of this behaviour is still unclear.1 sources in addition to cookies, this does not mitigate 3 194 2014 EU Data Protection Law and Targeted Advertising the fact that the tracking and processing of cookie supplements to the current EU Data Protection data constitutes profiling in itself. The text will also edifice. Reference will be made to the current EU not outline the additional considerations necessary Data Protection framework in the form of the Data for a holistic interpretation of the use of tracking Protection Directive and the E-Privacy Directive technologies on mobile devices. Finally, during the (as amended). Specific attention will also be assessment of the consent issue, the article will focus given to the Data Protection reform package and, on the general issues and concerns rather than the more specifically, the proposed Data Protection particular debates specific to children (or others Regulation. who potentially lack capacity to consent). These are issues which merit further analysis in themselves, and to examine them here would not do justice to B. The scope of the EU Data the complex legal issues present. Nevertheless, at times references to these matters and the further Protection Framework - obligations will be made. Behavioural Advertising 3 Having narrowed the scope, it is now worth outlining 6 Data Protection is a distinctively European the focus of the research. The Article 29 Working innovation that has been received outside the Party has noted that most advertising technologies EU with varying degrees of success.9 The current use some type of client side processing of users’ framework owes its origins to developments, such as browsers or terminal equipment to track their 2 the 1980 OECD Guidelines on the Protection of Privacy activity. This processing refers to the accessing and and Transborder Flows of Personal Data, the 1981 use of information stored on users’ computers. In Council of Europe Convention on data protection, behavioural advertising, companies use software to and the 1990 UN guidelines.10 The adoption of such track user behaviour and to build personal profiles. provisions is hardly surprising given the historical They do not refer to users by name but, instead, use context in which the European supranational a single alphanumerical code that is placed on the cooperation originated.11 However, there are two users’ computers. These codes are utilised to help other factors which have proven decisive. First, select the advertisements people see in addition to 3 the ubiquitous development of technology and the the variety of products that are offered to them. supranational challenges that this involves.Second, These are known as ‘cookies,’ and they can provide the need to facilitate the free movement of personal a detailed profile based on user behaviour, which can data within the Community and to resolve conflicts be easily exploited for marketing purposes. arising from differing national regimes.12 Although there have been clear technological advances which 4 Cookies placed on users’ machines by the publisher have precipitated legal development, the core of (website operator) are known as first-party the EU framework has remained constant and the cookies and these, ‘are commonly used to store essence of the data protection edifice has remained information, e.g., user preferences, such as a login 13 4 straightforward. This section of the analysis will name.’ These ‘functional cookies’ are generally introduce the key instruments and examine their exempt from the legal obligations under the Data scope in relation to OBA. Protection framework unless they are also used for tracking or profiling purposes.5 However, there are also what are known as third-party cookies. These cookies originate from sources that may be I. Data Protection as a unconnected with the first-party cookie website Primary Source (e.g. an ad network) and are often used as a tracking 6 mechanism for advertising purposes. In the world 7 Data protection is a complex issue that has of AdExchanges, such as Google’s AdX, this issue traditionally been associated with the concept is complicated further given the complex array of of privacy within the context of personal data 7 players. More importantly, reference to the term processing. However, as observed by Borghi et al.: ‘cookie’ in this text comprises of all variations, including the more controversial ‘flash’ cookies (also ‘at least under EU law, privacy and data protection are distinct, referred to as Locally Shared Objects). Although this yet complementary, fundamental legal rights. They derive their form of cookie has serious technical advantages over normative force from values that—although at times coincidental and interacting in a variety of ways—may be conceptualized the standard HTTP cookies (and has raised issues independently.’14 regarding ‘respawning’), they are both placed and accessed on the terminal equipment of users 8 This position has allowed data protection to and are fundamentally subject to the same legal 8 automatically trump other interests and gives it requirements. a status that cannot be traded-off for economic benefits.15 The identification of data protection as a 5 The article will analyse the applicable legal key personal right of the citizens of the Union was framework, the legal requirements imposed by confirmed through the adoption of the Lisbon Treaty. this framework, the difficulties surrounding the Article 39 TEU and Article 16 TFEU provide specific definition of consent, and the alternatives and provisions relating to data protection. Article 16, in 3 195 2014 Damian Clifford particular, promotes the data protection provision a.) Does the data used in OBA fall into to a ‘provision of general application’ under Title the classification of personal data? II, alongside other EU fundamental principles, and also imposes an obligation on the legislator to 11 According to Article 2(a): establish a clear and unequivocal legal framework 16 for data protection. In addition, the Lisbon Treaty ‘“personal data” shall mean any information relating to an also formally recognised the binding legal status of identified or identifiable natural person (“data subject”); an the Charter of Fundamental Rights of the European identifiable person is one who can be identified, directly or Union and provided specific provisions relating to indirectly, in particular by reference to an identification number the legal significance of the European Convention of or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’. Human Rights (ECHR). Article 8 of the Charter (the right to Data Protection) and Article 8 of the ECHR 12 In order to assess whether a particular person is (the right to private life) are of clear importance in identifiable, all methods likely and reasonable this regard.17 should be taken into consideration.25 13 The Directive further distinguishes between sensitive II.