1 Bender on Privacy and Data Protection App. 42.01 (2020)
1 Bender on Privacy and Data Protection § 42.08 (2020)
1 Bender on Privacy and Data Protection § 42.08[1] (2020)
Applicability of the EU Data Protection Directive. In 2008, the Article 29 Working Party² released an Opinion (WP148) regarding the use of search results. Among its conclusions were: retention periods must be accessible from the homepage, must be minimized and proportionate to purposes, and must not exceed six months unless strictly necessary; the lifetime of any cookies should be no longer than necessary, and flash cookies³ should be installed only if their purpose is described and users are informed on how to access, edit, and delete their content; providers must give users clear and intelligible information about their identity and location and the data they collect, store or transmit, as well as the purpose of collection; consent is necessary for adding to user profiles data not provided by the users; consent is necessary for retention of individual search history; and users have a right to access and correct their data.
WP148 professes a main purpose of striking a balance between the legitimate business needs of search engine providers and the requirements of the data protection laws. WP148 is summarized below.
Given that some of the most popular search engines are owned and operated by companies headquartered outside the EU, an issue of particular importance is whether the EU Data Protection Directive (the “Directive”) and the member state laws implementing it apply to the processing of personal data by those owner/operators and, if so, in what situations. The Directive is discussed in Ch. 31, “European Union Data Protection Law,” and is reproduced in § 31App.04.
The starting point is Directive Article 4, as amplified by Article 29 Working Party WP56.⁴ Article 4 provides that national law applies where (a) processing is carried out “in the context of activities of an establishment of the controller on the territory of the member state,”⁵ (b) the controller is not established in a member state, but national law applies by virtue of international law, or (c) the controller is not established in a member state, and processes data by means of equipment, automated or otherwise, situated in a member state (unless used only for transit through that member state).⁶ Examples of the condition identified in (c) would be an involved data center in a member state, the use of personal computers, terminals, or servers there, or the deposit of cookies on a PC located in the EU.⁷ Nor is it entirely clear from the language of WP56 and WP148 whether the user’s mere use of a PC in a member state to communicate personal data to an entity outside the EU suffices for application of the Directive, although the better view seems to be that it does not. Analyzing Article 4, WP148 concluded that the Directive applies to the processing of personal data by those search engines embraced within Article 4.
WP148 next addressed whether the e-Privacy Directive (Directive 2002/58/EC) and/or the Data Retention Directive (Directive 2006/24/EC) applies. In general, search engine services will not fall within the scope of the e-Privacy Directive, because it deals with “electronic communications services,” a term that expressly excludes services providing or exercising editorial control over content. Moreover, Art. 5(2) of the Data Retention Directive states that the retention requirements of that Directive do not apply to data revealing the content of communications.⁸ So neither of these Directives applies to the content of searches.
One critical issue is whether the search history of an identifiable individual is personal data. The WP concluded in WP136⁹ that it is.¹⁰ In WP148, the WP applied to search engine operators the conclusion it reached with regard to ISPs in WP136: “unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data … .”¹¹ Thus, the WP concluded that the Directive applied to the activities of search engine operators meeting the requirements of Art. 4(a), (c) that process data for users whom they cannot show with “absolute certainty” to be unidentifiable.
Effect of the EU Data Protection Directive. With applicability issues out of the way, WP148 moved on to substantive issues. The WP claimed that search engine providers failed to present a comprehensive overview of the legitimate purposes for which they processed data. The WP saw three legitimate bases that might be used for the processing. One was consent, but the WP noted that consent could not be construed for anonymous users.¹² A second basis was necessity for a contract to which the data subject is party. While providers argue that use by a user fits this rubric, WP148 states (p. 17) that “such a general assumption does not meet the strict limitation of necessity as required by the Directive.” The final basis was necessity for a legitimate interest pursued by the controller.
Analyzing this third basis, WP148 listed the grounds given by providers for storing the data they store. With regard to service improvement, the WP stated that personal identification is unnecessary for this purpose. As to system security and fraud prevention, the WP stated that the stored data must be subject to a strict purpose limitation, so that data stored for security purposes should not be used to optimize service. And data stored for security and fraud prevention should not be stored for longer than necessary for such purposes. With regard to accounting requirements, the WP stated that this could not justify systematic logging of search data where the user did not click on a sponsored link. As for personalized advertising, the WP saw a basis only for the data of users who agreed to the purpose of the processing. And as to compliance with requests and demands from law enforcement and litigation, the WP distinguished such compliance from a decision to store the data.
WP148 identified issues that the WP believed must be resolved by the industry. One is that of retention periods set by national law. The WP stated that the provider must comply with both privacy standards and retention periods of the “specific Member State.”¹³ It then asserted that it saw no basis for retention in excess of six months.¹⁴ Another issue is further processing for different purposes. Here, the espoused solution is full and clear disclosure about further use. Yet another issue is posed by cookies. The WP’s view is that users must be informed fully and prominently about the use and effect of cookies, and that their lifetime should not be excessive. Anonymization is a further issue, and the WP opined that this is a substitute for deletion, but only where the process is complete and irreversible. Noting that some providers also provide services other than search services, the WP admonished that correlating personal data across these services can be done legitimately only with informed consent.
WP148 continues with a section on the obligation to inform data subjects, which it believes is fundamental. Controllers must provide their identity and that of their representative; the purposes of the processing; recipients (or categories of recipients); which replies are mandatory and the consequences of failing to respond; and the existence of a right to access and correct the data. This applies also to some cache data, once it no longer matches the content published on the Web. WP148 also notes that, as controllers, the providers within Article 4 of the Data Protection Directive are subject to that Directive. And, as content providers, they are not primarily responsible for the personal data they process (except for long-term cache and value-added data).
Conclusions. WP148 ends with a set of conclusions:
- Providers based outside the European Economic Area¹⁵ must inform users as to why the providers are subject to the Data Protection Directive.
- The Data Retention Directive does not apply to providers.
- Providers may process only for legitimate purposes and only relevant data that is not excessive for those purposes.
- Providers must delete or irreversibly anonymize data no longer necessary for these purposes.
- Retention periods must be accessible from the homepage, must be minimized and proportionate to purposes, and must not exceed six months unless strictly necessary.
- It is not necessary to collect from users data not pertinent to web searching.
- The lifetime of any cookies should be no longer than necessary, and flash cookies¹⁶ should be installed only if their purpose is described and users are informed on how to access, edit, and delete their content.
- Providers must give users clear and intelligible information about their identity and location and the data they collect, store or transmit, as well as the purpose of collection.
- Consent is necessary for adding to user profiles data not provided by the users.
- Consent is necessary for retention of individual search history.
- Providers should respect Website opt-outs from crawling and indexing.
- Providers should permit data subjects to access and edit cached personal data available for periods in excess of those attendant to the original publication.
- Value-added providers require consent, and must also comply otherwise with the Data Protection Directive.
- Users have a right to access and correct their data.
- Cross-correlation of data originating from different services may be performed only with consent.
1 Bender on Privacy and Data Protection § 42.08[2] (2020)
In December 2009, the EU changed its Directive on Privacy and Electronic Commerce (the “E-Privacy Directive”).¹⁷ One matter dealt with in the E-Privacy Directive is the use of cookies. Since use of cookies is one manner of effecting OBA, this change is pertinent here. The earlier version of E-Privacy Directive Article 5(3) permitted placement of cookies so long as users received notice and an opportunity to opt out, whereas the amended language seems to require opt-in.¹⁸ Nevertheless, there is debate on whether this interpretation of the amended language is accurate, given the burden this would impose on users, and given the large number of cookies sometimes used. Recital 66 to the E-Privacy Directive states that user consent may be achieved through an appropriate browser setting, although it is not clear that such a means would qualify under the Data Protection Directive’s requirement for “freely given, specific, and informed” consent. At any rate, several DPAs, including the UK DPA, have taken the position that this amendment does not change the opt-out requirement to an opt-in requirement.
1 Bender on Privacy and Data Protection § 42.08[3] (2020)
The European Union Article 29 Working Party (the “WP”) released an Opinion (WP171)¹⁹ in December 2010 regarding the collection, use and retention of data used for behavioral advertising. The WP was concerned about the data protection implications of behavioral advertising, which involves as actors advertising network providers,²⁰ advertisers,²¹ and publishers.²² The WP believed that behavioral advertising should not “be carried out at the expense of individuals’ rights to privacy and data protection.” EU legislation required obtaining informed consent of data subjects for such advertising, and the WP saw a problem arising from the fact that it was doubtful that “average individuals were aware of, much less that they consented to, being monitored to receive tailored advertising.” The WP viewed notices provided in general terms and conditions, or even in privacy policies, as often being too obscure to constitute informed consent. Some efforts had been made at self-regulation, but the WP believed there was a “long way to go.” Accordingly, WP171 expressed the WP’s opinion on how to interpret the legal framework, and called on the industry to put forward technical and other means to comply with it. The WP proposed a discussion period after which it would take “necessary and appropriate measures.” And it set forth the following recommendations.
The WP saw the most pertinent provisions of EU law to be Article 5(3)²³ of the e-Privacy Directive, as amended,²⁴ and certain provisions of the “Data Protection Directive”²⁵ as to matters not specifically covered by the e-Privacy Directive. Article 5(3) speaks to “information” (rather than personal information) stored or retrieved from a terminal device, and therefore, generally covers cookies stored on a hard drive. OBA is based on the use of identifiers that in most cases will involve personal data. Ad network providers are bound to the extent they place cookies or retrieve information from them. Publishers have certain data controller responsibilities regarding the first phase of processing when they trigger the transfer of IP addresses to ad network providers, and may be controllers if they determine the purposes and essential means of processing.
With Regard to Network Providers: e-Privacy Article 5(3) obligates ad network providers to obtain prior informed consent. Browser settings would provide this only if their default settings were to reject all cookies. Ad network providers should work with browser developers toward this end. Cookie-based opt-out mechanisms do not provide a basis for informed consent because the vast majority of users realize neither that the processing is taking place nor how to opt out. Ad network providers should move away from opt-out and create opt-in mechanisms that require affirmative action indicating willingness to receive cookies and subsequent monitoring for behavioral advertising.
Pursuant to Recital 25 of the e-Privacy Directive,²⁶ user acceptance for a cookie could also entail acceptance for subsequent readings of it and therefore for monitoring. It would not be necessary to receive consent for each reading of the cookie. But to ensure that users remain aware of the monitoring, ad network providers should (i) limit the duration of the consent, (ii) offer an easy way to revoke it, and (iii) create a symbol that is visible in all web sites where monitoring takes place to remind users of the monitoring and help them control whether they wish it to continue.
Network providers should ensure compliance with the Data Protection Directive provisions that don’t overlap with e-Privacy Directive Article 5(3), viz., the purpose limitation principle and security obligations. Network providers should also enable users to access and obtain rectification, including for the interest categories in which they have been included, and should implement retention policies that ensure deletion of collected information after it is no longer necessary for the purpose of the processing.
With Regard to Both Network Providers and Publishers: Valid consent requires highly visible detailed information. Information must be provided in accordance with Article 10 of the Data Protection Directive,²⁷ to identify who is responsible for serving the cookie, how it will be used to create a profile, what type of information will be collected for the profile, that the profile will be used for targeted advertising, and that the cookie will enable the user’s identification across multiple websites. Information should be provided directly on the screen, interactively, through layered notices and should be easily accessible and highly visible. Examples of this are icons placed on the publisher’s website around ads, with links to additional information.
The Opinion refrains from suggesting any particular technological solution on how to comply with the legal obligations. Instead, it invites industry to undertake a dialog with the WP toward the purpose of putting forward technical and other means to comply promptly with the framework described in the Opinion.
Thus, the WP has come down in favor of opt-in, putting it at odds with the Federal Trade Commission, the UK Office of Fair Trading, and the UK DPA (the Information Commissioner’s Office, which is itself a member of the Article 29 Working Party).
1 Bender on Privacy and Data Protection § 42.08[4] (2020)
In April 2009, the EU Consumer Affairs Commissioner took the position that targeted improper advertising violates basic consumer rights.²⁸ She stated that, with the advent of targeted advertising, the World Wide Web was morphing into the World Wild West. She believed that targeted advertising is part of the price for access to free Internet content, but that as a practical matter, the principle of informed consent is not respected because in order to access content, users must agree to terms and conditions so complex they may not understand them. In particular, she noted that opt-outs are often difficult for consumers to implement and many sets of terms and conditions permit sharing the data with partners.
The French Data Protection Authority (the “CNIL”) published a report on online targeted advertising that discussed threats to privacy and potential remedies.²⁹ The CNIL categorized online targeted advertising as comprising three types: personalized advertising (resulting from the observation of an individual’s online behavior); personalized advertising (related to an individual’s characteristics); and contextual advertising (related to the content of the web pages viewed by the individual). The report noted two methods by which ad companies acquire consumer information: by using cookies and other devices to observe the user’s online forays; and by collecting this information through “registration” or some similar procedure.
The report identified three major threats to privacy: the accelerating volume of personal (and especially of sensitive) data maintained electronically, with the concomitant increased amount of injury that would result from hacking; the intense interest by advertisers in acquiring the profiles that result from targeted advertising; and the paucity of information given to data subjects about the process (and particularly how they can effectively avoid it). As a solution to these problems, the CNIL suggested several remedial procedures: adopting a broad definition of “personal data” that encompassed the IP address; that users be well informed about how to control monitoring of their Internet use, including information regarding cookies and how to delete them;³⁰ and that marketing organizations adopt codes of conduct that embody an opt-in choice.
Although the EU itself has taken an interest in diminishing retention times, there appears to be little consistency among the various EU member states on the maximum retention period for terms used in Internet searches. Of the 27 member states that existed before the accession of Croatia in January 2013, some eight require destruction of such data within six months; 14 require destruction within 2 months; one in 18 months; and four in 24 months. A related issue is whether such data must be stored in the country in which collected. A group of high-tech companies, including Google and Microsoft, were pushing for uniformity across the EU for cloud computing services. This is a matter that may be taken up by the European Commission as part of its “Digital Agenda.” And these companies are also suggesting that the United States and the EU come to agreement on common standards regarding cloud computing. Some of these companies have installations in the EU or are presently building facilities there. Cloud computing is already generating significant revenue, and it is anticipated that it will generate substantially larger revenues in the near future.
In 2009, the Article 29 Working Party asked Microsoft, Google and Yahoo! to dispose of online query data after six months. In January 2010, Microsoft announced that it would dispose of IP addresses collected on users of its Bing search engine after six months, but would retain cookies and other session identifiers for 18 months. Although this was apparently done to appease the Working Party, which had complained that a longer retention period was unreasonable, the change will affect users worldwide. At that time, Microsoft had a reported 2% of all searches conducted in Europe. Google has stated that after nine months it anonymizes its data. Google’s global privacy counsel stated: “Data from our search queries represents a crucial arm in our battle to protect the security of our services against hacks and fraud … . It also represents a critical element allowing us to help users by innovating and improving the quality of our searches.” For its part, Yahoo! stated that, except on request of the police, it would delete IP addresses after 90 days (it had already been deleting part of the IP address), and render anonymous the log of a user’s activities.
In Autumn 2009, the UK Office of Fair Trading announced it would commence an investigation into whether behavioral advertising was unfair to consumers. A few days later, a UK group calling itself the All Party Parliamentary Communications Group (“apComms”), comprising Members of Parliament and Lords of different parties, stated that the Internet advertising industry’s self-regulation was inadequate, and that a system based on informed explicit consent was necessary.³¹ Further, apComms declared that the government should enact an “effective and easy-to-understand” privacy law in the next Parliament. The group had particular concerns about the manner in which the personal details of children were being gathered by advertising systems.
In July 2011, the European Data Protection Supervisor asked the European Commission to require adherence to the amended Art. 5(3) of the EU e-Commerce Directive, which now requires a high degree of user consent for storing cookies. Also in 2011 the European Advertising Standards Alliance adopted recommendations for best practices for use in OBA. One recommendation involved use of an icon that, when clicked, would permit users to exercise online choices. The organization stated that the recommendations were supported by advertisers, ad networks, ad agencies, self-regulatory organizations, and media.
In November 2012, several dozen German advertising associations established the “German Data Protection Council of Online Advertising.”³² The purpose of the group is to coordinate and enforce self-regulation in Germany with regard to OBA. This group is connected to the European Interactive Digital Advertising Alliance, which shares a similar pan-European goal. The German group seeks to increase transparency by using codes of conduct and a tool for user preference. An icon, which members must display on their ads, permits users to obtain information about data that is collected. The tool enables users to determine and signal which advertisers may drop cookies on their hard drives.
The data protection commissioners of the world hold an annual conference, the 35th of which took place in September 2013 in Warsaw, Poland. At that conference the commissioners, many of whom are from the EU, adopted (with two abstentions) a resolution directed to OBA.³³ That resolution called on all stakeholders to do the following where relevant and appropriate:
- observe the principle of purpose limitation;
- provide notice and control over the use of tracking elements;
- refrain from using invisible tracking elements other than for security/fraud detection or network management;
- refrain from deriving a set of information elements (“fingerprint”) to identify uniquely and track users for purposes other than security/fraud prevention or network management;
- ensure adequate transparency about all types of web tracking practices to enable informed consumer choices;
- offer easy-to-use tools that give users appropriate control over collection and use of their personal data;
- avoid tracking children, and tracking on websites aimed at children, absent verifiable parental consent;
- observe privacy-by-design, and conduct a privacy impact assessment when beginning a new project;
- use techniques that reduce privacy impact, such as anonymisation/pseudonymisation; and
- promote technical standards for better user control (e.g., an effective Do-Not-Track standard).
Footnotes — § 42.08:
2 The Article 29 Working Party is a group comprising the heads of the data protection authority (i.e., the independent governmental agency responsible for implementing and enforcing data protection law) in each of the Member States of the European Union, plus the EU Data Protection Supervisor. It has no official status, but is respected in the EU as having expertise in the data protection field.
3 A flash cookie is a data file (up to 100K bytes, as compared to a maximum of 4K for regular cookies) deposited on a browser by the Adobe Flash application. A flash cookie can be used for the same purposes as normal cookies, and is more difficult for the user to find and delete.
4 WP56, “Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites” (2002).
5 WP148 explains that this means “that the establishment should also play a relevant role in the particular processing operations.” p. 10.
6 According to WP148, in situation (a) the member state’s data protection laws apply to all personal data (not just that of data subjects on the territory of or of a nationality of the member state).
7 In WP148 the WP seems (note 14) to adopt conditions for determining whether the use of cookies is sufficient for applicability, whereas previous WP statements seemed to imply (if not expressly state) that the mere use of cookies sufficed.
8 The retention requirement in the Retention Directive was subsequently held by the Court of Justice of the EU (the EU’s highest court) to conflict with the right to privacy guaranteed by the EU charter. This matter is discussed in § 31.03[3][c] supra.
9 WP136, Opinion 4/2007 on the concept of personal data, adopted on 20th June 2007.
10 Acknowledging that IP addresses are not directly identifiable by search engines, the WP notes that identification can nevertheless be achieved by a third party, and that this is sufficient to qualify the data as identifiable and therefore personal data.
11 WP136 also stated that cookies containing a unique user ID were personal data. Further, WP148 stated that a search engine provider that processes user data including either IP addresses or persistent cookies containing a unique identifier is a “controller.” p. 9. Search engine operators are not the principal controllers as to the content-related processing of personal data—the principal controllers of that are the information providers. However, search engine operators who perform value-added operations linked to characteristics or types of personal data are the primary controllers of that content. Moreover, caching for a period greater than required to address temporary inaccessibility to the website is an independent republication. WP148, pp. 13–15.
12 If the data is truly anonymous, it is not personal data, and not covered by the Data Protection Directive. The WP seems to be saying that if it is identified by a unique identifier other than a name it is identifiable and therefore covered by the Directive but is not subject to data subject consent.
13 This leaves it uncertain as to what effect (if any) the WP would assign to federal or state law imposing a minimum retention period.
14 According to WP148, typical retention periods exceeded one year. Questions posed by CNET News elicited the following responses. Ask.com retains search data for a period of hours, links it with no user information, and engages in no behavioral targeting. AOL retains the data for 13 months, links it with no user information, engages in behavioral targeting, and permits opt-out of BT. Google retains the data for 18 months, links it with no user data, and engages in no BT. Microsoft retains the data for 18 months, links it with user data, engages in BT and permits no opt-out (except on third-party site). Yahoo! retains the data for 13 months, links it with user data, engages in BT and permits no opt-out. “Europeans Warn Search Engines: Delete User Data Sooner,” CNET News.com (7 Apr. 2008).
15 The EEA comprises the Member States of the EU, plus Iceland, Liechtenstein, and Norway.
16 A flash cookie is a data file (up to 100K bytes, as compared to a maximum of 4K for regular cookies) deposited on a browser by the Adobe Flash application. A flash cookie can be used for the same purposes as normal cookies, and is more difficult for the user to find and delete.
17 Directive 2002/58/EC, as amended by Directive 2009/136/EC.
18 The pertinent provision is Article 5(3), which before amendment read: “Member States shall ensure that the use of electronic communications networks to store information or gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC [the EU Data Protection Directive], inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.” (emphasis added) After amendment, the underlined, italicized portion read: “… has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”
19 WP171, Opinion 2/2010 on online behavioral advertising (22 June 2010).
20 Advertising network providers connect publishers with advertisers.
21 Advertisers are the entities that desire to promote a product or service to a specific audience.
22 Publishers own the websites, and seek revenues by selling space to display ads on their websites.
23 “Member States shall ensure that the storing of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
24 Directive 2002/58/EC, as amended by Directive 2009/136/EC.
25 Directive 95/46/EC. The e-Privacy Directive controls to the extent it applies, and the Data Protection Directive controls where the e-Privacy Directive has no application.
26 “(25) … . Where … cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies … so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie … stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie … , if it is used for a legitimate purpose.”
27 Article 10 requires providing the data subject with information about identity of the data controller, purposes of the processing, recipients or categories thereof, whether replies to questions are obligatory and possible consequences of failure to respond, and existence of a right to access and rectify.
30 It was also suggested that tracking cookies be distinguished from other cookies to make it easier to control the former.
32 “German Advertisers Launch Self-Regulation Initiative for Online Behavioral Advertising,” Hunton and Williams Privacy Blog (27 Nov. 2012).
33 Resolution on Web Tracking and Privacy, 35th International Conference of Data Protection and Privacy Commissioners, Warsaw. 23–26 Sept. 2013.