[GSDI Legal Econ] Personal data protection review in Europe

Roger Longhorn ral at alum.mit.edu
Thu Jan 31 06:29:08 EST 2008 

The following item from the EDRI-gram newsletter highlights the debate 
currently under way in Europe regarding potential abuse of personal data 
for marketing purposes. While the article focuses primarily on the 
recent Google - Double Click deal, i.e. privacy issues versus 
competition law, with the steady growth of location-based advertising, 
enhanced by location-awareness of personal, hand-held, mobile devices, 
we could see ramifications for the location-based, "mobile advertising" 
sector at some future date. The main point is that, in future, "large 
Internet companies" could become able not only to monitor "online 
behaviour", but also actual location of online users, ala 'My 
Location'-type (GSM-based) or GPS technology. Even if the target 
customer/consumer "opts in" to such a service, who is to act as watchdog 
to see that the technology is not abused or that the information 
collected is not misused, outside the terms of any 'opt in' agreeement?

This issue of EDRI-gram also contains items on:

7. Key privacy concerns in Denmark 2007
8. Key privacy concerns in Czech Republic 2007
9. Key privacy concerns in Ireland 2007
10. Key privacy concerns in France 2007
11. Key privacy concerns in Romania 2007
12. Key privacy concerns in Netherlands 2007
13. Main data protection concerns with the EU policy developments in 2007

some of which reference fears over abuse of RFID technology. See, for 
example:

"As demonstrated publicly by EDRi-member Iuridicum Remedium, anybody 
with a standard RFID reader was able to obtain the personal data (name, 
date of birth, sex) from the card, from a distance, without the 
cardholder's consent." in the Czech Republic report, and:

"The RFID Transit card is another project that is problematic from the 
perspective of data protection. Very recently, the Dutch Data Protection 
Authority concluded that the current design of the system does not 
respect data protection legislation. The system would entail the lengthy 
storage of all travel movements in identifiable form. The system, which 
is being tested in a number of Dutch cities, has other serious flaws 
that make its future uncertain. Some critical parts of it have recently 
been hacked, creating a serious political issue." from the  Netherlands 
report.

Dutch RFID Transit Card Hacked (21.01.2008)
http://www.schneier.com/blog/archives/2008/01/dutch_rfid_tran.html

Potential abuse of RFID technology remains a cause for concern and 
consultation at the European Parliament following on from studies into 
potential abuse conducted both by the Parliament's own research 
directorate and the European Commission.

Regards

Roger Longhorn

===============

2. European Parliament hearing on Internet privacy issues
============================================================

During a hearing of the European Parliament (EP)'s Civil Liberties 
Committee, on 21 January 2008, serious data protection concerns were 
raised by the practice of large Internet companies that monitor the 
online behaviour of their users in order to provide online advertisers 
with the necessary information to better target their ads.

The main debate turned around the Google-Double Click deal that is now 
being examined by the European Commission and that was already approved 
in the US in December 2007 by the Federal Trade Commission.

Google criticised MEPs and rights advocates of trying "to take a privacy 
case and shoehorn it into a competition law review" but Sophie In 't 
Veld, replied to these accusations: "The reason you want to have the 
data is because it gives you a competitive advantage. It is business. I 
don't think they can be completely disconnected."

Representatives of the industry and consumer protection bodies addressed 
the EP Civil Liberties Committee claiming that the tracking down of 
online behaviour is threatening to personal privacy and that there is no 
guarantee these data are used only for advertisement targeting. MEP 
Stavros Lambrinidis of Greece expressed the worries related to the lack 
of a communitary legislation that ensures the personal data are used 
only for advertising purposes saying that "there is no EU legislation 
per se to
ensure that information targeting behaviour for marketing purposes will 
not be used for other activities that far exceed the initial purpose."

In his turn, EDPS Peter Hustinx said: "Community law on data protection 
does apply on the Internet, it applies to both online and offline 
realities (...) existing rules do apply and do provide safeguards".

Google's Global Privacy Counsel Peter Fleischer stated that the merger 
between Google and DoubleClick would not lead to the creation of a 
single database with consumer-related information, as "DoubleClick does 
not own its customers' data". He also added that the online ad company 
"can only use the data it processes from serving ads to provide 
aggregate reporting. The data is owned by the publishers or advertisers 
that DoubleClick works for (...) DoubleClick customers would be very 
displeased if one tried to undo their contractual relationships by 
sharing information between advertisers".

The merger case is now with DG Competition being examined for potential 
violations of antitrust rules in the online advertising intermediary 
market. The European Commission is to decide whether or not to authorise 
the merger on 2 April 2008.

One issue that was also strongly debated was that of the IP address 
being considered personal data or not. In the opinion of the EU group of 
data privacy regulators, the IP address should generally be considered 
as personal information.

Google's view has been expressed by Fleischer who stated: "There is no 
black or white answer: sometimes an IP address can be considered as 
personal data and sometimes not, it depends on the context, and which 
personal information it reveals." But Marc Rotenberg, the Executive 
Director of the Electronic Privacy Information Center contradicted this 
statement: I wish this was the case, but we are moving towards the IP6 
model, for which it will be even more the case that IP addresses will be 
personably identifiable".

Peter Scharr, Germany's data protection commissioner who leads the EU 
Article 29 Data Protection Working Group which is preparing a report on 
the compliance with EU data protection acts of the privacy policies of 
Internet search engines operated by Google, Yahoo, Microsoft and others, 
said that if someone could be identified by an IP address "then it has 
to be regarded as personal data."

Do Internet companies protect personal data well enough? (26.01.2008)
http://www.neurope.eu/articles/82144.php

Google-DoubleClick deal likely to win EU go-ahead (25.01.2008)
http://www.reuters.com/article/reutersEdge/idUSL2589361220080125

Internet privacy concerns cause very public row in Brussels (23.01.2008)
http://afp.google.com/article/ALeqM5hQ47Tl9N_w06bGdc5UBcXzg1lPRA

EU data regulator says Internet addresses are personal information
(21.01.2008)
http://www.siliconvalley.com/news/ci_8035260?nclick_check=1

Google seeks to allay privacy fears over DoubleClick merger (22.01.2008)
http://www.euractiv.com/en/infosociety/google-seeks-allay-privacy-fears-doubleclick-merger/article-169785 


EDRi-gram: EC announces a larger investigation of the Google-DoubleClick
deal (26.11.2007)
http://www.edri.org/edrigram/number5.22/in-depth-google

<ends>

<EDRI-gram biweekly newsletter about digital civil rights in Europe - 
Number 6.2, 30 January 2008>
- EDRI-gram subscription information
To subscribe by e-mail:

To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

More information about the Legal-Econ mailing list