On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection

Reforming European Data Protection Law

Part of the book series: Law, Governance and Technology Series (ISDP, volume 20)

Abstract

On-line tracking has gained a new dimension over recent years: it has become an intrinsic part of our Internet-driven society. It touches all levels and types of industries. Consequently, more and more individuals become the target of this trend as routine users of the internet. On-line tracking techniques are subject to the European personal data protection rules currently in force, insofar as they process information that identifies or may potentially identify a natural person. Nevertheless, the unprecedented threats that such techniques pose to privacy must have been a core motive opening the way towards the revision of the privacy regulations applicable today. New requirements and concepts strengthening the rights of data subjects and the obligations of data controllers or processors are set forth in the current draft of the new Regulation (currently under discussion within the EU institutions). This envisaged legal reform may, however, prove insufficient unless, at the same time, effective measures are adopted to help both on-line users, especially young ones, and the companies implementing on-line tracking tools to change their approach to privacy.

The opinions expressed in this article reflect the personal views of the authors and do not engage in any way whatsoever the company with whom they are working.

Notes

  1.

    Matthew S. Kirsch, Do-Not-Track: Revising the EU’s Data Protection Framework to Require Meaningful Consent for Behavioral Advertising, (XVIII RICH. J.L. TECH. 2) available at http://jolt.richmond.edu/v18i1/article2.pdf.

  2.

    M. Hildebrandt, Profiling: from data to knowledge (DuD: Datenschutz und Datensicherheit 30, 2006 9), 548-549;

    P. Eckersley, What does the “Track” in Do Not Track Mean? (Electronic Frontier Foundation, 19 February 2011) available at https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean, 548-549.

  3.

    Advertising can be defined as the activity that consists of attracting potential customers to purchase or use a specific product by using media or other means. Clearly, advertising includes a lucrative purpose. On the contrary, tracking is more general and does not necessarily include a lucrative element.

  4.

    See in this regard the results of two research projects funded through successive Framework Programs of the European Commission, namely the PRIME and PrimeLife projects (www.primelife.ercim.eu). Both projects aimed to show how privacy technologies can enable citizens to exercise their legal rights to control personal information in on-line transactions. The main objective of these projects was to bring sustainable privacy and identity management to future networks and services. It is noteworthy that well-known software vendors were members of the research consortium that conducted this project. For more information about PETs and their added value for business, see: Privacy-enhancing technologies for the Internet, Ian Goldberg, David Wagner, Eric Brewer, http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html; Study on the economic benefits of privacy-enhancing technologies (PETs), Final Report to The European Commission DG Justice, Freedom and Security, Prepared by London Economics, July 2010 at http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf (the article contains relevant examples of PETs and a business survey regarding the use of PETs); Privacy Enhancing Technology. Guidelines and Testing Methodology, W3C/QA Position Paper, Tara M. Swaminatha at http://www.w3.org/2001/01/qa-ws/pp/tara-swaminatha-cigital.html. The article gives an introduction on the fact that the market has seen an increasing flood of privacy enhancing products.

  5.

    The European Commission seems to accept the definition of PETs as provided in the EC-funded PISA project, being “a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system”, see Communication from the Commission to the European Parliament and the Council on promoting data protection by privacy-enhancing technologies. COM(2007) 228 final. According to the same Communication, examples of PETs include encryption tools preventing tracking of the data transferred; cookie-cutters blocking cookies placed on user’s PC; the platform for Privacy Preferences (P3P) allowing users to analyse privacy policies and compare them to their preferences.

  6.

    ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 6.

  7.

    ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 3.

  8.

    The e-Privacy Directive states that the obligation of confidentiality of the communications “shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user” (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136, art. 5 point 3).

  9.

    ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 6.

  10.

    P. Eckersley, How unique is your web browser? (Privacy Enhancing Technologies, Springer Berlin Heidelberg, 2010) in Consumer Privacy Law 2: Data Collection, Profiling and Targeting (July 16, 2009, Law And The Internet, L. Edwards & C. Waelde, eds., Hart Publishing, 2009) available at https://panopticlick.eff.org/browser-uniqueness.pdf.

  11.

    P. Eckersley, How unique is your web browser? (Privacy Enhancing Technologies, Springer Berlin Heidelberg, 2010) in Consumer Privacy Law 2: Data Collection, Profiling and Targeting (July 16, 2009, Law And The Internet, L. Edwards & C. Waelde, eds., Hart Publishing, 2009) available at https://panopticlick.eff.org/browser-uniqueness.pdf.

  12.

    ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 7.

  13.

    S. Schoen, New cookies technologies: Harder to see and remove, widely used to track you (2009) available at https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide.

  14.

    Claude Castelluccia, Behavioral tracking on the Internet, a technical perspective, in European Data Protection: In Good Health? (Springer Netherlands, 2012), 29.

  15.

    Soltani, Ashkan, et al., Flash Cookies and Privacy (AAAI Spring Symposium: Intelligent Information Privacy Management, 2010).

  16.

    Niklas Schmücker, Web Tracking (Department of Telecommunication Systems, SNET2 Seminar, Paper-Summer, 2011).

  17.

    Samy Kamkar, Evercookie – never forget (October 2011), available at: http://samy.pl/evercookie.

  18.

    Claude Castelluccia, Behavioral tracking on the Internet, a technical perspective, in R. Leenes, European Data Protection in good health?, 25.

  19.

    A. Blumberg, and P. Eckersley, On locational privacy, and how to avoid losing it forever, available at http://www.eff.org/wp/locational-privacy, 1.

  20.

    http://facebook.com/.

  21.

    http://twitter.com/.

  22.

    http://www.pinterest.com/.

  23.

    http://www.linkedin.com/.

  24.

    A. Roosendaal, We Are All connected to Facebook…by Facebook! in European Data Protection: In Good Health? (Springer Netherlands, 2012).

  25.

    “In 2011, Europe’s online advertising market grew 14.5 % year-on-year to a market value of €20.9bn in 2011. By comparison the overall European advertising market - excluding online - grew at just 0.8 % in the same time period”: See IAB, ADEX 2011, Online Advertising in Europe (6th edition): Key Findings, available online at http://www.iabeurope.eu/files/6613/6852/1900/2012_interact_presentation_final_delivered.pdf.

  26.

    Electronic Privacy Information Center, Privacy and Consumer Profiling, “The Product is you”, available at http://www.epic.org/privacy/profiling.

  27.

    Along these lines, note the “@N” incident on Twitter: http://arstechnica.com/security/2014/02/twitter-restores-50000-n-username-to-its-owner/.

  28.

    Note that the “on-line” tracking market is quite sophisticated and other market actors besides the categories cited here (vendors of on-line tracking tools and the companies involved in on-line tracking) may also be subject to data protection rules.

  29.

    Supra, footnote 8.

  30.

    Article 6 of Directive 95/46/EC.

  31.

    Article 6(1)(b) of Directive 95/46/EC.

  32.

    Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, p. 20.

  33.

    Article 10 of Directive 95/46/EC.

  34.

    Article 5(3) of Directive 2002/58/EC.

  35.

    Matthew S. Kirsch, Do-Not-Track: Revising the EU’s Data Protection Framework to Require Meaningful Consent for Behavioral Advertising, (XVIII RICH. J.L. TECH. 2) available at http://jolt.richmond.edu/v18i1/article2.pdf, 12-18.

  36.

    Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, 12-17.

  37.

    Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, p. 15.

  38.

    E. Kosta, Peeking into the cookie jar: the European Approach towards the regulation of cookies, (International Journal of Law and Information Technology, vol. 21, No 4, 2013), 392.

  39.

    Such as clear and specific notice to user and consent.

  40.

    Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)0011 – C7 0025/2012 – 2012/0011 (COD). To be noted: this version of the draft act may not be the most recent one at the time this article is published.

  41.

    Supra reference 41, art. 3 “Territorial Scope”, §2, (b).

  42.

    Supra reference 41, Recital 21.

  43.

    Supra reference 41, art. 4 “Definitions”, §3a.

  44.

    Supra ref. 41, Recital 24.

  45.

    Supra ref. 41, Recital 25.

  46.

    The fact that browser settings are not yet sophisticated enough to secure by themselves a user’s affirmative action has been stressed in many recommendations of Member States’ privacy oversight bodies, such as the Information Commissioner’s Office in the UK (ICO). A recent ICO guideline on the use of cookies mentions that “For consent to be clearly signified by the browser settings it would need to be clear that subscribers had been prompted to consider their current browser settings and, had either indicated in some way they were happy with the default, or have made the decision to change the settings”, Information Commissioner’s Office, Guidance on the rules on use of cookies and similar technologies (May 2012, v. 3, p. 15). In the same vein, the Regulation states that “the use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes (or, we infer, browser settings – our addition –) does not express free consent” (Supra ref. 41, Recital 33).

  47.

    It is noteworthy that the Regulation seems to introduce a new right of the data subject, being the right to object to profiling (Supra ref. 41, art. 10a “General principles for data subject rights”, §2).

  48.

    Supra ref. 41, Recital 7 “Conditions for Consent”, §1.

  49.

    Supra ref. 41, Recital 29.

  50.

    Yet, in our interpretation, the Regulation indirectly covers the adoption of other internal regulations and policies, apart from the data protection policies, if these would be relevant to the protection of personal information too (e.g., documentation relevant to the security of information, data classification, confidential information and so on).

  51.

    Supra ref. 41, Recital 46 reads: “…This (the principle of transparency – our addition) is particularly relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purposes”.

  52.

    It appears that the current draft of the Regulation requests the adoption of specific graphical forms showing whether personal data are collected, stored, shared with other parties and so on, that would be made easily visible and clearly legible on a website. Supra ref. 41, article 13a and Annex 1.

  53.

    Supra ref. 41, art. 14, new letter (ga).

  54.

    Supra ref. 41, art. 20, §1.

  55.

    Supra ref. 41, art. 17, §1.

  56.

    Supra ref. 41, art. 17, §2.

  57.

    Supra ref. 41, art. 17, §4.

  58.

    Cavoukian A., Privacy by Design in Law, Policy and Practice, A White Paper for Regulators, Decision-makers and Policy-makers, (August 2011, Information and Privacy Commissioner, Ontario, Canada) available at http://www.ipc.on.ca/images/Resources/PbDBook-From-Rhetoric-to-Reality.pdf, 13.

  59.

    ENISA, Privacy considerations of online behavioural tracking, October 2012, available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 18.

Corresponding author

Correspondence to Georgia Skouma.

Copyright information

© 2015 Springer Science+Business Media Dordrecht

Cite this chapter

Skouma, G., Léonard, L. (2015). On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection. In: Gutwirth, S., Leenes, R., de Hert, P. (eds) Reforming European Data Protection Law. Law, Governance and Technology Series, vol 20. Springer, Dordrecht. https://doi.org/10.1007/978-94-017-9385-8_2
