A crucial moment for communications privacy

Giovanni Buttarelli

It is seven years ago now that the 32nd International Conference of Data Protection and Privacy Commissioners met in Jerusalem and adopted its resolution on Privacy by Design. The impact of technology on the fundamental rights to privacy and data protection continues to be a subject of interest and is also being discussed at the 39th edition of the conference in Hong Kong this week.

With its resolution of 2010, the data protection and privacy community strengthened its call for more attention to the rights of the individuals in the development of technological solutions. It expressed the clear principle that we cannot allow the rights of individuals to be disregarded in this process, nor can we allow new technologies to continue to be designed so to collect as much personal data as possible with so little transparency and control by the users.

Technology must serve humankind.

Where economic forces fail to deliver a sustainable and generally beneficial solution, the rules of the game must be adjusted so that technological development serves society and humankind, and so that all actors operate under the same conditions. Legislation defines the framework for the interests of those lacking economic power to contain potentially harmful business practices. It is a common approach in our societies which are based on the rule of law.

For privacy friendly technologies, the European Union took a first step last year: data protection by design will become a legal obligation once the GDPR starts to apply in May 2018. Those who process personal data of individuals will have to take data protection into account “both at the time of the determination of the means for processing and at the time of the processing itself”, as Article 25 of the GDPR puts it. Data protection principles and safeguards must guide the process from the moment technology and organisational practices are designed and planned.

Right now, the EU legislator has the opportunity to modernise the “rules of the road” for privacy and electronic communications. The current review of the ePrivacy legislation will modernise existing principles, clarify the technological requirements and ensure effective enforcement. It is time to stop users being deprived, often unwittingly, of control over their communications and data: time to stop the forcing of consent through “tracking walls”, to stop the promotion of default settings, to stop the use of tracking technologies that escape detection.

The Commission’s proposal for the new ePrivacy Regulation is a huge step in the right direction, even though it still requires some improvements as suggested by the EDPS and by the Article 29 Working Party. I urge the European Parliament and the Council to now finalise the new legislation and create incentives for a sustainable baseline for respecting privacy and data protection. We call on the EU legislator to stop the cycle of ever-increasing data collection and the ever-increasing concentration of pools of personal data in the hands of ever fewer more powerful giant tech firms. In doing so, the EU will open opportunities for new business models and for more privacy friendly technologies and business ecosystems. Tracking and advertising are not the same. Advertising flourished before it was connected to ever closer tracking of user behaviour. Moreover, tracking is increasingly being used beyond commercial advertising, as we see in today’s urgent concerns about micro-targeted political campaigns.

The limiting factor for effective user control is not the technology. Where the interests of businesses are at stake, we observe tremendous efforts and incredible achievements in the development of technologies. In the split second it takes to display a web page on the screen of the user’s device, the spaces available for advertisements are offered in an auction and provided to the advertiser who makes the best offer. This real-time-bidding process operates without human intervention, the bidding, the management of the auction, the related billing and payment processes are all completed by automated tools connected to each other via the Internet. These automated tools decide on the basis of detailed profiles about the user whose device screen is being sold. The profiles are based on data collected by tracking the user’s actions on the web through many sites, increasingly following users across devices: smartphone, tablet, desktop.

The fully automated system ensures that the interests of the economic actors are protected. After the auction of the user’s screen space, it distributes the advertisements revenue between the parties involved and it uses more and more sophisticated tools to protect against attempts of fraud, e.g. through “clickbots” which pretend to display web pages and ads to users to collect the revenue without any human ever seeing the paid advertisements.

It is remarkable that publishers and other web site providers who produce the content of interest to users have only a small role in this ecosystem. They include a piece of code in their web site which hands control of that part of their page over to the advertising industry, with the different roles of brokers, agencies, aggregators etc. taking an ever-increasing share of the advertising budgets from the brands who pay for publicity.

The ingenuity, creativity and engineering excellence demonstrated by the targeted advertising ecosystem are impressive. They demonstrate how it is possible to overcome obstacles and extend the possibilities of technologies far beyond what their original inventors had in mind, and taking a direction that they never intended. On the 28th anniversary of the World Wide Web in March this year, its inventor Sir Tim Berners-Lee stated that “We have lost control of our personal data.”

We cannot accept that technological limits are given as a reason not to provide users with effective tools for transparency and control to maintain their privacy when they use the Internet and electronic communications services. Every second billions of transactions prove that it is possible to create systems and tools to manage complex relationships, ensure that the interests of the interested parties are respected, and ensure that all participants can trust the system. Alas, these benefits seem at present only available to the parties with purely financial interests in the system. They are not available to all of us - the individuals whose personal data provide the “oil” fuelling the entire “ecosystem”. Our interests and fundamental rights, our privacy and protection of personal data are of no concern to the designers of the system.

The current review of the ePrivacy rules is an opportunity to good to be missed. In line with the fresh air that the GPDR blows into the processing of personal data inside organisations and corporations, the ePrivacy review allows us to create a new field for competitive and privacy friendly services on the Internet and the World Wide Web to give back control to individuals. There are still plenty of creative entrepreneurs that can enter with new ideas and business models. Further concentration of the market towards very few market players in the coming years could close the windows of opportunity which we now have and set the barriers for market entry too high for any new entrants.

The EDPS will continue to provide its advice to the legislator to help them find the best solution. At the same time, we also press ahead with our support for the technological development in privacy engineering. For instance, in November our network IPEN will host with other partners a workshop to take stock of the state of the art and the need to advance technology research which we organise. Watch this space for further details.