In the political battle over the European Data Protection Regulation, a vibrant front is emerging around the issue of profiling – the automated montoring of users Internet browsing habits. What’s at stake is whether or not profiling should come under the auspices of the regulator and what level of regulatory control is appropriate. One argument concerns whether or not data that has been processed under a “pseudonym” is addressed by the regulations. On this point, the European Data Protection Supervisor has weighed in.
To understand this argument, we need to know that there are different types of data that may be held by organisations that run websites or have web-based businesses. Most people will be aware that if they have registered with a website or service, they will have supplied data, for example, their real name, address, email, and maybe even their age. That data is all covered by the current data protection regulations, and it isn’t what the political fight is all about.
Profiling concerns the monitoring of users as they browse the Internet. It involves the automated tracking of their behaviour, looking at where they they go, what they view.
Profiling is done by tracking the web pages that people call up and where they click. Profiles may be built directly, linking to the user’s name, or indirectly by linking to a piece of identifying code. Profiling can also be done without tying a name or other directly identifiable information to a profile,, so only the clicks themselves are registered, tied to a unique identifier such as a cookie.
It may be used to build up a picture of individuals surreptitiously, without their knowledge. Not just the pages visited, but what is in your wish lists or favorites or watchlists, what ‘like’ buttons you’ve clicked, where you go when you leave a website. This data may be used by governments and commercial organisations to evaluate individuals, for example, to determine elibility for an insurance application. One of the most important uses of profiling is advertising, where it is perceived as a new ‘gold mine’.
The organisations for whom there is most at stake are those who run online advertising, and those to make their profits out it, such as Google and FaceBook, and advertising agencies.
However, from a privacy perspective, this data can reveal quite a lot about you as an individual. You might not mind them knowing your that you shop at H&M, but you might be more wary of someone finding out through automated tracking, your faith, your sexuality, and your secrets and even those of your nearest and dearest. Suppose you are searching online because your daughter is thinking about an abortion and your husband has a drink problem, for example. These are things that are not illegal, but you might not want to tell a stranger.
On this basis, there is a strong case for mandating the data protection regulators to oversee it. But the corporate interests who carry out profiling want the regulator out of the picture. Hence, profiling is at the centre of this political fight.
Profiling is the subject of quite a number of the 3000+ amendments tabled to the European Data Protection Regulation. The political battle is playing out in the texts, which couch the issues in legal language.
One of the arguments concerns so-called ‘pseudonymous’ profiling. To most people, this will be a fairly new concept. Pseudonymous means that the data is linked to an identifier, like a little piece of code, that does not itself contain a name, but might enable the linking to it.
Central to this argument is the definition of pseudonymous data. In particular, it is disputed whether it should be classified as ‘personal’ data. If pseudonymous data are regarded as personal data, then the Regulation fully applies. Some argue that if pseudonymous data is regarded as personal data, pseudonymous data should be subject to a much lighter regime.
The European Data Protection Supervisor entered the fray last week with a statement that pseudonymous data is personal data and does come under the scope of regulation. The EDPS prefers the definition as expressed in the following amendment:
"pseudonymised data’ means any personal data that has been altered so that it cannot be attributed to a data subject without the use of additional data which is
subject to separate and distinct technical and organisational controls to ensure such non-attribution."
The EDPS also likes this alternative definition of pseudonymous data:
"pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort."
What’s interesting is that the first definition came from the American Chamber of Commerce (also known as Am Cham) and the second one is a combination drawn from Am Cham and EuroISPA.
These amendments have been widely criticised for being cut and pasted (copypasted) from industry lobbyists. It should be noted that Am Cham wanted the above text to be combined with additional wording that would have taken pseudonymous data out of the scope of the Regulation‘. From the NGO viewpoint, that would have been an undesirable outcome. That additional text does not seem to be in the Albrecht report following the committee votes, but nevertheless the EDPS support for the amendments comes as a surprise.
However, a different amendment has also been voted, which does suggest that pseudonymous data is not personal data. This double negative makes it difficult to follow. However, amendment would seem to comply with the demands of the German advertising industry, and goes against principles advocated by the NGOs:
"personal data shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data, for example pseudonymised or anonymised data."
This one small example illustrates how technically complex the politics of data protection has become. Even the experts are far from clear about the political positioning of the various corporate lobbies. What can be said with certainty is that there is no political consensus yet as to how profiling should be handled, and if it should be regulated. The Data Protection Regulation is the vehicle for faciliating that argument. Prepare for a roller-coaster ride!
For more on analysing amendments in the European Parliament, see my book The Copyright Enforcement Enigma: Internet politics and the Telecoms Package
This is an original article from Iptegrity.com and reflects research that I have carried out. I wish to acknowledge the help of Frederik Zuiderveen Borgesius PhD Candidate, Institute for Information Law, University of Amsterdam.
If you refer to it or to its content, please cite my name as the author, and provide a link back to iptegrity.com. Media and Academics – please cite as Monica Horten, EU data privacy – profiling the battle front , 3 April 2013, in www.iptegrity.com . Commercial users - please contact me.