Abstract
On-line tracking has gained a new dimension over recent years: it has become an intrinsic part of our Internet-driven society. It touches all levels and types of industries. Consequently, more and more individuals become the target of this trend as routine users of the internet. On-line tracking techniques are subject to the European personal data protection rules currently in force, insofar as they process information that identifies or may potentially identify a natural person. Nevertheless, the unprecedented threats that such techniques pose to privacy must have been a core motive opening the way towards the revision of the privacy regulations applicable today. New requirements and concepts strengthening the rights of data subjects and the obligations of data controllers or processors are set forth in the current draft of the new Regulation (currently under discussion within the EU institutions). This envisaged legal reform may however prove to be insufficient unless, at the same time, effective measures are adopted to help both on-line users, especially those of young age, and the companies implementing on-line tracking tools to change their approach to privacy.
The opinions expressed in this article reflect the personal views of the authors and do not engage in any way whatsoever the company with whom they are working.
Notes
- 1.
Matthew S. Kirsch, Do-Not-Track: Revising the EU’s Data Protection Framework to Require Meaningful Consent for Behavioral Advertising, (XVIII RICH. J.L. TECH. 2) available at http://jolt.richmond.edu/v18i1/article2.pdf.
- 2.
M. Hildebrandt, Profiling: from data to knowledge (DuD: Datenschutz und Datensicherheit 30, 2006 9), 548-549;
P. Eckersley, What does the “Track” in Do Not Track Mean? (Electronic Frontier Foundation, 19 February 2011) available at https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean, 548-549.
- 3.
Advertising can be defined as the activity that consists of attracting potential customers to purchase or use a specific product by using media or other means. Clearly, advertising includes a lucrative purpose. On the contrary, tracking is more general and does not necessarily include a lucrative element.
- 4.
See in this regard the results of two research projects funded through successive Framework Programs of the European Commission, namely the PRIME and PrimeLife projects (www.primelife.ercim.eu). Both projects had as objectives to show how privacy technologies can enable citizens to execute their legal rights to control personal information in on-line transactions. The main objective of these projects was to bring sustainable privacy and identity management to future networks and services. It is noteworthy that well-known software vendors were members of the research consortium that conducted this project. For more information about PETs and their added value for business, see: Privacy-enhancing technologies for the Internet, Ian Goldberg, David Wagner, Eric Brewer, http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html; Study on the economic benefits of privacy-enhancing technologies (PETs), Final Report to The European Commission DG Justice, Freedom and Security, Prepared by London Economics, July 2010 at http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf (the article contains relevant examples of PETs and a business survey regarding the use of PETs); Privacy Enhancing Technology. Guidelines and Testing Methodology, W3C/QA Position Paper, Tara M. Swaminatha at http://www.w3.org/2001/01/qa-ws/pp/tara-swaminatha-cigital.html. The article gives an introduction on the fact that the market has seen an increasing flood of privacy enhancing products.
- 5.
The European Commission seems to accept the definition of PETs as provided in the EC-funded PISA project, being “a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system”, see Communication from the Commission to the European Parliament and the Council on promoting data protection by privacy-enhancing technologies. COM(2007) 228 final. According to the same Communication, examples of PETs include encryption tools preventing tracking of the data transferred; cookie-cutters blocking cookies placed on user’s PC; the platform for Privacy Preferences (P3P) allowing users to analyse privacy policies and compare them to their preferences.
- 6.
ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 6.
- 7.
ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 3.
- 8.
The e-Privacy Directive states that the obligation of confidentiality of the communications “shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user” (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136, art. 5 point 3).
- 9.
ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 6.
- 10.
P. Eckersley, How unique is your web browser? (Privacy Enhancing Technologies, Springer Berlin Heidelberg, 2010) in Consumer Privacy Law 2: Data Collection, Profiling and Targeting (July 16, 2009, Law And The Internet, L. Edwards & C. Waelde, eds., Hart Publishing, 2009) available at https://panopticlick.eff.org/browser-uniqueness.pdf.
- 11.
P. Eckersley, How unique is your web browser? (Privacy Enhancing Technologies, Springer Berlin Heidelberg, 2010) in Consumer Privacy Law 2: Data Collection, Profiling and Targeting (July 16, 2009, Law And The Internet, L. Edwards & C. Waelde, eds., Hart Publishing, 2009) available at https://panopticlick.eff.org/browser-uniqueness.pdf.
- 12.
ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 7.
- 13.
S. Schoen, New cookies technologies: Harder to see and remove, widely used to track you (2009) available at https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide.
- 14.
Claude Castellucia, Behavioral tracking on the Internet, a technical perspective, in European Data Protection: In Good Health? (Springer Netherlands, 2012), 29.
- 15.
Soltani, Ashkan, et al., Flash Cookies and Privacy (AAAI Spring Symposium: Intelligent Information Privacy Management, 2010).
- 16.
Niklas Schmücker Web Tracking (Department of Telecommunication Systems, SNET2 Seminar, Paper-Summer, 2011).
- 17.
Samy Kamkar, Evercookie – never forget (October 2011), available at: http://samy.pl/evercookie.
- 18.
Claude Castellucia, Behavioral tracking on the Internet, a technical perspective, in R.Leenes, European Data Protection in good health?, 25.
- 19.
A. Blumberg, and P. Eckersley, On locational privacy, and how to avoid losing it forever, available at http://www.eff.org/wp/locational-privacy, 1.
- 20.
- 21.
- 22.
- 23.
- 24.
A. Roosendaal, We Are All connected to Facebook…by Facebook! in European Data Protection: In Good Health? (Springer Netherlands, 2012).
- 25.
“In 2011, Europe’s online advertising market grew 14.5 % year-on-year to a market value of €20.9bn in 2011. By comparison the overall European advertising market - excluding online - grew at just 0.8 % in the same time period”: See IAB, ADEX 2011, Online Advertising in Europe (6th edition): Key Findings, available online at http://www.iabeurope.eu/files/6613/6852/1900/2012_interact_presentation_final_delivered.pdf.
- 26.
Electronic Privacy Information Center, Privacy and Consumer Profiling, “The Product is you”, available at http://www.epic.org/privacy/profiling.
- 27.
Along these lines, note the “@N” incident on Twitter: http://arstechnica.com/security/2014/02/twitter-restores-50000-n-username-to-its-owner/.
- 28.
To note that the “on-line” tracking market is quite sophisticated and other market actors besides the categories cited here (vendors of on-line tracking tools and the companies involved in on-line tracking) may also be subject to data protection rules.
- 29.
Supra, footnote 8.
- 30.
Article 6 of Directive 95/46/EC.
- 31.
Article 6(1)(b) of Directive 95/46/EC.
- 32.
Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, p. 20.
- 33.
Article 10 of Directive 95/46/EC.
- 34.
Article 5(3) of Directive 2002/58/EC.
- 35.
Matthew S. Kirsch, Do-Not-Track: Revising the EU’s Data Protection Framework to Require Meaningful Consent for Behavioral Advertising, (XVIII RICH. J.L. TECH. 2) available at http://jolt.richmond.edu/v18i1/article2.pdf, 12-18.
- 36.
Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, 12-17.
- 37.
Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171, p. 15.
- 38.
E. Kosta, Peeking into the cookie jar: the European Approach towards the regulation of cookies, (International Journal of Law and Information Technology, vol. 21, No 4, 2013), 392.
- 39.
Such as clear and specific notice to user and consent.
- 40.
Proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)0011 – C7 0025/2012 -2012/0011 (COD). To be noted: this version of the draft act may not be the most recent one at the time this article will be published.
- 41.
Supra reference 41, art. 3 “Territorial Scope”, §2, (b).
- 42.
Supra reference 41, Recital 21.
- 43.
Supra reference 41, art. 4 “Definitions”, §3a.
- 44.
Supra ref. 41, Recital 24.
- 45.
Supra ref. 41, Recital 25.
- 46.
The fact that browser settings are not yet sophisticated enough to secure by themselves a user’s affirmative action has been stressed in many recommendations of Member States’ privacy oversight bodies, such as the Information Commissioner’s Office in the UK (ICO). In a recent guideline provided by the ICO on the use of cookies, it is mentioned that “For consent to be clearly signified by the browser settings it would need to be clear that subscribers had been prompted to consider their current browser settings and, had either indicated in some way they were happy with the default, or have made the decision to change the settings”, Information Commissioner’s Office, Guidance on the rules on use of cookies and similar technologies (May 2012, v. 3, p. 15). In the same vein, the Regulation states that “the use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes (or, we infer, browser settings – our addition –) does not express free consent” (Supra ref. 41, Recital 33).
- 47.
It is noteworthy that the Regulation seems to introduce a new right of the data subject, being the right to object to profiling (Supra ref. 41, art. 10a “General principles for data subject rights”, §2).
- 48.
Supra ref. 41, Recital 7 “Conditions for Consent”, §1.
- 49.
Supra ref. 41, Recital 29.
- 50.
Yet, in our interpretation, the Regulation covers indirectly the adoption of other internal regulations and policies, except from the data protection policies, if these would be relevant to the protection of personal information too (e.g., documentation relevant to the security of information, data classification, confidential information and so on).
- 51.
Supra ref. 41, Recital 46 reads: “…This (the principle of transparency – our addition) is particularly relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purposes”.
- 52.
It appears that the current draft of the Regulation requests the adoption of specific graphical forms showing whether personal data are collected, stored, shared with other parties and so on, that would be made easily visible and clearly legible on a website. Supra ref. 41, article 13a and Annex 1.
- 53.
Supra ref. 41, art. 14, new letter (ga).
- 54.
Supra ref. 41, art. 20, §1.
- 55.
Supra ref. 41, art. 17, §1.
- 56.
Supra ref. 41, art. 17, §2.
- 57.
Supra ref. 41, art. 17, §4.
- 58.
Cavoukian A., Privacy by Design in Law, Policy and Practice, A White Paper for Regulators, Decision-makers and Policy-makers, (August 2011, Information and Privacy Commissioner, Ontario, Canada) available at http://www.ipc.on.ca/images/Resources/PbDBook-From-Rhetoric-to-Reality.pdf, 13.
- 59.
ENISA, Privacy considerations of online behavioural tracking, October 2012, available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking, 18.
Bibliography
Academic Sources
Blumberg A. and Eckersley P. On locational privacy, and how to avoid losing it forever. Available at http://www.eff.org/wp/locational-privacy.
Cavoukian A. Privacy by Design in Law, Policy and Practice, A White Paper for Regulators, Decision-makers and Policy-makers. August 2011. Information and Privacy Commissioner, Ontario, Canada. Available at http://www.ipc.on.ca/images/Resources/PbDBook-From-Rhetoric-to-Reality.pdf.
Castellucia C. Behavioral tracking on the Internet, a technical perspective. In European Data Protection: In Good Health? Springer Netherlands, 2012.
Eckersley P. What does the “Track” in Do Not Track Mean? 19 February 2011. Electronic Frontier Foundation. Available at https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean.
Eckersley P. How unique is your web browser? 2010. Privacy Enhancing Technologies, Springer Berlin Heidelberg. In Consumer Privacy Law 2: Data Collection, Profiling and Targeting. July 16, 2009. Law And The Internet. L. Edwards & C. Waelde, eds., Hart Publishing. Available at https://panopticlick.eff.org/browser-uniqueness.pdf.
Goldberg I., Wagner D., Brewer E. Privacy-enhancing Technologies for the Internet. 1997. Proceedings of IEEE COMPCON ‘97. Available at http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97.ps.
Hildebrandt M. Profiling: from data to knowledge. 2006. DuD: Datenschutz und Datensicherheit 30.
Kirsch Matthew S. Do-Not-Track: Revising the EU’s Data Protection Framework to Require Meaningful Consent for Behavioral Advertising. XVIII RICH. J.L. TECH. 2. Available at http://jolt.richmond.edu/v18i1/article2.pdf.
Kamkar S. Evercookie – never forget. October 2011. Available at: http://samy.pl/evercookie.
Kosta E. Peeking into the cookie jar: the European Approach towards the regulation of cookies. 2013. International Journal of Law and Information Technology, vol. 21, No 4.
Roosendaal A. We Are All connected to Facebook…by Facebook! in Gutwirth S., Leenes R., de Hert P., Poullet Y. (Eds.). European Data Protection: In Good Health? 2012. Springer Netherlands.
Schmücker N. Web Tracking. 2011. Department of Telecommunication Systems, SNET2 Seminar, Paper-Summer.
Schoen S. New cookies technologies: Harder to see and remove, widely used to track you. 2009. Available at https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide.
Soltani A. et al. Flash Cookies and Privacy. 2010. AAAI Spring Symposium: Intelligent Information Privacy Management.
Swaminatha T. M. Privacy Enhancing Technology. Guidelines and Testing Methodology, W3C/QA Position Paper. Available at http://www.w3.org/2001/01/qa-ws/pp/tara-swaminatha-cigital.html.
Business Sources
Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, 00909/10/EN WP 171.
Electronic Privacy Information Center. Privacy and Consumer Profiling, “The Product is you”. Available at http://www.epic.org/privacy/profiling.
ENISA, Privacy considerations of online behavioural tracking, (October 2012) available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking.
Geuss M. Twitter restores $50,000 @N username to its owner. A simple social engineering attack lost Naoki Hiroshima a very valuable handle. 26 February 2014. Available at http://arstechnica.com/security/2014/02/twitter-restores-50000-n-username-to-its-owner/.
IAB, ADEX 2011, Online Advertising in Europe (6th edition): Key Findings, available at http://www.iabeurope.eu/files/6613/6852/1900/2012_interact_presentation_final_delivered.pdf.
Regulator Sources
Communication from the Commission to the European Parliament and the Council on promoting data protection by privacy-enhancing technologies. COM(2007) 228 final. Available at http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52007DC0228&from=EN.
Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions. A comprehensive approach on personal data protection in the European Union. COM/2010/0609 final. Available at http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52010DC0609&from=EN.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). OJ L 201, (31.07.2002).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive). OJ L 281, (23.11.1995).
Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012)0011 – C7-0025/2012 – 2012/0011(COD). Available at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.
Information Commissioner’s Office. Guidance on the rules on use of cookies and similar technologies. May 2012. Available at http://ico.org.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.pdf.
Proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)0011 – C7 0025/2012 -2012/0011 (COD). Available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.
Study on the economic benefits of privacy-enhancing technologies (PETs), Final Report to The European Commission DG Justice, Freedom and Security, Prepared by London Economics, July 2010. Available at http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf.
© 2015 Springer Science+Business Media Dordrecht
About this chapter
Cite this chapter
Skouma, G., Léonard, L. (2015). On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection. In: Gutwirth, S., Leenes, R., de Hert, P. (eds) Reforming European Data Protection Law. Law, Governance and Technology Series(), vol 20. Springer, Dordrecht. https://doi.org/10.1007/978-94-017-9385-8_2
DOI: https://doi.org/10.1007/978-94-017-9385-8_2
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-017-9384-1
Online ISBN: 978-94-017-9385-8
eBook Packages: Humanities, Social Sciences and Law; Law and Criminology (R0)