Last week, the Government published its ideas as to how it would implement the changes to EU Directive 2002/58/EC. In relation to spammers and behavioural advertising it has decided to keep the low privacy standards that were acceptable to the previous New Labour government.
The changes discussed in the consultation (see references) are modifications to Directive 2002/58/EC introduced by the need to implement Directive 2009/136/EC. These new provisions have to be brought into UK law by 25th May next year (and this accounts for the consultation process launched by the Government last week).
One of the changes that you won’t find explained in the consultation document is the complete re-wording of Article 13 of Directive 2002/58/EC – a key Article which regulates all forms of electronic marketing including spam. The consultation ignores this complete redrafting and fails to discuss options that consequently arise.
For example, I think Article 13 allows Member States to introduce consent/opt-out requirements for ALL forms of electronic marketing including behavioural marketing. However, the drafting of Article 13 also allows a continuation of a minimum privacy protection policy with respect to the use of electronic marketing by organisations. The Government could have chosen to debate options that included the former; instead it has chosen to keep quiet give its support to the latter.
The argument for Article 13 providing further controls to protect browsing on the internet can be seen if you read the text carefully. For example, “electronic mail” is a defined term in the Directive to mean “any text, voice, sound or image message sent over a public communications network” directed to a "recipient". So when the term is NOT used in some of the marketing provisions (as in Article 13(3) of the Directive), one can make the inference that the provision is intended to apply to other forms of marketing that is conveyed NOT by “electronic mail”. The assumption being that if the text of the Directive wanted to limit the provision in Article 13(3) to “electronic mail” it would have been in the text.
Also note the use of the word "recipient". This refers to anybody (e.g. a "user" of the system) who receives a marketing message and includes a subscriber (who is likely to be identifiable because they pay the bills). Note also that "users" are more likely to be anonymous (as they just use the subscriber's system). Keep this distinction in mind for a moment - it is important!
Throughout Article 13 there is a conspicuous absence of the use of “personal data” although obviously personal data are subject to the e-marketing rules (e.g. an email address is often personal data – firstname.lastname@example.org). So where the term “personal data” is NOT used (as in Article 13), then provisions are clearly intended to apply in circumstances where other “data” (i.e. beyond the narrow confines of personal data) are processed for a marketing purpose. As behavioural marketing involves such “not personal data” (according to Google and other behavioural marketers – see references), the Article clearly allows for Member States to legislate for control over marketing that does not use personal data.
By contrast, the consultation states that the effect of the revised Article 13 is limited to “personal data”. This is because the consultation document requires that any “data” used to convey “electronic mail” has to relate to an “individual subscriber” and because of this, the data have to be “personal data”. Note also (as mentioned above) that in the Directive "electronic mail" is defined in term of a "recipient"; a recipient includes the subscriber and any user of the subscribers system. The consultation document in effect equates "recipient" with "subscriber" - which is not what the Directive says!
The consultation, for some reason, overlooks the consequences of this distinction. It explains that the “provisions on the use of personal data for marketing certain services” (in Article 13) only require “minor modification”. Note that if the information were “data” then the changes would not be minor as they include that marketing which does not identify an individual (e.g. to users who might be targeted by behavioural marketers).
In other words, the consultation fails to explain the impact of Article 13 properly and to identify a range of options that could be debated as part of the consultation.
By the way, I should add that the statement in the consultation document (quoted above) is in line for the “Economical with the truth award - 2010”. This is a highly valued prize to be awarded by Amberhawk at the end of the year for the most misleading privacy statement that has a vestige of truth.
Finally the text of Article 13 uses the term “direct marketing” which is not defined. So if one assumes a definition of “direct marketing” similar to that in Section 11 of the Data Protection Act (“direct marketing” means “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”), then one can see that behavioural marketing can be captured. For example, if a marketing message depends on an user's browsing habits, then any user who exhibits a required browsing behaviour, receives a particular advert directed to them.
Last Spring (May 4th) I stated that the changes to Directive 2002/58/EC “will be an early test of the privacy credentials of the next Government in the UK”. I think they have failed that test.
What is more disturbing is the way in which the Government has failed the test. It has failed by deciding not to debate with the public the various pros and cons of the range of privacy options that could be available. Of course one can argue that an enhanced privacy protective option might be judged to harm economic activity but that position should form part of the informed debate.
My conclusion on the consultation: incomplete bordering on the misleading.
References: The Government Consultation is on http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf.
Compare the Consultation with my analysis (“Privacy and electronic communications: comments on the modifications to Directive 2002/58/EC introduced by Directive 2009/136/EC”, downloadable from http://www.amberhawk.com/policydoc.asp.
Also relevant are arguments that show that an IP address can be transformed unambiguously into personal data; see “Reclaiming Privacy on the Internet – 2009” (also on http://www.amberhawk.com/policydoc.asp).
Marketing: We also have a course on Privacy Impact Assessments on 21st Oct in London and our data protection update sessions with our colleagues at Pinsent Masons in October. We have a Data Protection courses commencing in Manchester late September and London in November. Our next FOI course is in Leeds (commencing 19th October). Details on www.amberhawk.com