18.01.2017

3 Questions About the Impacts of the ePrivacy Regulation to Prof. Dr. Christoph Bauer

The advertising industry has sharply criticized the proposal of the European Commission for the ePrivacy Regulation which is meant to improve online data protection. What do you think about the legislative proposal?

Christoph Bauer: The proposed text for the ePrivacy Regulation is a specification of the General Data Protection Regulation (GDPR), but which goes in a different direction than expected from the GDPR. So far, legislation pursued the objective to enable existing business models of the industry further on. This has changed significantly, as an opt-in by the user is required for third party cookies and other tracking technologies, what has not been the case before. Furthermore, the implementation period will not be two years, but the ePrivacy Regulation shall come into force together with the GDPR in May 2018. As it is so far only a proposal, the implementation period will probably be very short. In total, the procedure oft the Commission is very unusual and thus astonished the impacted industry. Some people as IAB Germany vice president Thomas Duhr are afraid that the internet as we know it today will not exist any more.
 
The measures impacting the cookies is part of a longer list of legislative proposals for the improvement of data protection in electronic communication. The European Commission presented it as a possibility to simplify the settings of acceptance or denial of cookies that access data on the user's computer or that track the user's online behavior. Which consequences could this text have if it will be accepted unmodified?
 
CB: From the user's point of view, the big amount of tracking methods would be reduced, because an opt-in would be necessary in the future. Until now, this tracking has been allowed in most countries. Insofar, the business models of the numerous third party tracking providers would be at risk. Furthermore, companies that already have got the user's opt-in (e.g. Google, Facebook) would not be impacted by this regulation, which means that their business model would not be endangered and they would probably take over their competitors' businesses. The reason is that big platforms as Facebook and Google often use first party cookies, but generally have got the user's opt-in for third party cookies, which is part of their large and detailed terms of use that users often accept without proper reading.
If the regulation comes into force unmodified, big shifts are to be expected in the online advertising and technology business, because this regulation actually favors the big players as Facebook and Google that already have got an opt-in. But the consequences for all other players of the online marketing industry would be devastating. That cannot be the interest of the Commission.

The European Commission wants to "guarantee the privacy of online behavior and of the users' devices" and to transfer the control to the user. In your opinion, how can that fundamental principle and the need to finance content with advertising be brought together? In other words, what amendments could be proposed for this law?
  
CB: It could be an idea to permit anonymous tracking, as neither the GDPR affects anonymous data. Thus, if someone tracks a user without knowing his personal data as name, address, email address, ip address etc, tracking by cookies and other trackers might be allowed. Because the person behind anonymous data cannot be identified by the one who gets the anonymous data.
Besides, there are tracking methods that do not leave traces on the users' devices (as cookie text files in browsers do), but that track the device anyway. Insofar it can happen that third party cookies will be forbidden, but that other technologies will take their place, that actually have got the same effects but are not forbidden. Given that, the legislator would have missed the target.

Do you have questions or recommendations for us?

We are glad to receive your comments.