Implementing the e-privacy directive: the story so far
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Joint DCMS/ICO stakeholder event on e-privacy
Thank you for coming today.
This is an opportunity for us to discuss the implementation of the revised e-privacy directive as we approach its first anniversary.
There are two key principles that are worth bearing in mind before we discuss the detail.
First, the e-privacy directive is law, so it is important that people understand that they have to comply with it.
Second, I have always said that we want to apply common sense when it comes to compliance.
The people in this room create jobs, sustain innovation and contribute to growth. The UK is one of the most advanced internet economies in the world, and UK consumers are eager adopters of internet services.
So we want you to be able to run your businesses effectively and to be able to offer consumers a great service.
So while these two principles are not necessarily in conflict, we do have to strike a balance.
There has been genuine concern that the revised e-privacy directive could cause real problems for the online industry.
Implementation of the e-privacy directive has been a challenging piece of work and we are extremely grateful for industry’s willingness to engage.
The number of people who have turned up today shows that despite the difficulties with the new legislation businesses are still willing to address their responsibilities and want to find a way forward.
2. What, why and how?
So what is the e-privacy directive? I’m sure the vast majority of people in this room know all about it, but it is still worth looking at the principles that lie behind the directive.
The new requirements call for you to seek the user’s consent if you are accessing information or placing information on a user’s machine. Obviously this is problematic because it catches all kinds of online technologies, including most notably cookies.
The reason for the new requirement is simple. The directive quite rightly addresses the concerns of users about how their data is used. It should be used in a transparent, secure and non-intrusive fashion.
So our implementation seeks to keep that intent in mind. This is about a user’s right to privacy and their right to have control over their data. Our focus is on ensuring increased access, information and control for users.
In practical terms this means that users should be given more information about how their data is used and why; should find it easier to access that information; and should find it easier to exert control over how their data is used.
However, as I said earlier, a balance needs to be struck.
In seeking the user’s informed consent we should not unduly hamper their experience with, for example, endless pop up boxes.
Nor should we force users to make decisions which they do not understand the consequences of and arguably do not care about anyway.
But we must respect users’ right to be aware of what data is being collected on them and give them the opportunity to exert control over that should they wish to.
It is important that we continue to send a strong message that we are serious about privacy online.
The UK was one of the very few member states to implement the full electronic communications framework on time last year.
Many Member States are still lagging behind even now.
We worked extremely hard to implement the directive on time.
In consultation with the ICO my department also released an open letter to clarify elements of our implementation and to specifically state that consent did not mean prior consent.
Of course, as with anything it is best practice to ask first but in the online world, sometimes that is just not practicable. This is precisely why the word prior was removed from the drafting of the directive during negotiations.
We wanted to give the industry as much certainty as possible, as soon as possible.
I also believe that the one year lead in period ICO has given industry has been extremely helpful in giving industry the breathing space needed.
Christopher Graham will follow me so I don’t want to talk too much about the ICO’s approach.
But it is worth noting that the ICO are one of the only Data Protection Authorities in Europe to have given industry guidance and advice on how to comply with the directive.
And they have done so twice!
This guidance is deliberately not prescriptive. Some have complained that it is too vague.
But I can imagine the complaints if the ICO had tried a “one size fits all” approach.
You engage with consumers in many different ways. It’s therefore right that you keep the principles of the e-privacy directive in mind and look at practical and bespoke ways in which to implement its requirements.
Neither the Government nor the ICO can know your website and your users better than you do. So you are best placed to think of solutions appropriate for your own website and your own users.
I believe that our approach is sensible, pragmatic, and flexible enough to allow business to have an innovative approach when complying with the new laws.
3. Advertising and Privacy
Of course you can’t talk about e-privacy without talking about advertising.
The UK has the second largest online advertising market in the world.
It is important that we don’t place undue burdens on an industry that flourishes in the UK.
Innovations in on-line advertising actually help on-line users.
But they also raise inevitable questions about privacy.
There’s a very careful balance we need to achieve between protecting a user’s privacy online and encouraging continued innovation in advertising, allowing it to continue to be the foundation for so many online business models.
But I do not believe there is any reason that innovative advertising and privacy need to be mutually exclusive. Indeed, privacy concerns should be part of your business model and customer proposition.
The Internet is based on trust. People give companies their data because they trust those companies not to abuse or misuse that data.
It is essential for your business that people do not lose that trust in the future.
Behaviourally targeted, or preference based, advertising is an incredible innovation that can be of huge benefit to both business and to the consumer. But it needs to be done right.
Users should not feel stalked around the web by companies wishing to sell them something. Users should be able to understand why they are seeing the ads they are seeing, who is responsible for that ad, and be able to exert a level of control over the extent to which ads are tailored to their preferences.
4. Online Behavioural Advertising (OBA) Framework
The key, it seems to me, is to find solutions that engage users.
The Internet Advertising Bureau’s Online Behavioural Advertising (OBA) Framework is a really good example of that.
It offers users further information about the ads they are seeing without doing so in an obtrusive or disruptive way. And it is a fantastic example of the willingness of industry to work together to find solutions which suit both business and users.
The OBA framework is an essential element of a series of measures being taken across industry, which we believe will give users more control over their privacy online.
The approach we are taking makes some real demands of you. It means you need to spend time educating consumers; reminding users that they are in control of their data; and making it easier for users to exercise that control if they want to.
We have spoken many times about the need for increased information for users, easier access to that information and simple, easy to use controls. All three are essential, not only to comply with the new requirements but also to ensure users can trust that their data is not being misused.
5. Beyond Advertising
Of course this isn’t just about advertising.
What you need to know is whether or not you are breaching the law even when you only do the basics, such as keeping track of what pages are being visited on your site or ensuring your site continues to be set up in the way a user requests.
The ICO’s guidance is very useful on this point. It sets out very clearly which cookies they consider to fall in the strictly necessary category. Of course we all wish that category could be extended to include things like analytics but that isn’t what the law says.
But we need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to. Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account.
Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here.
But there is no getting away from the fact that there is no simple answer. Ultimately, you need to take responsibility. Think about the cookies you use; think about the way you access and use data; think about how you can better inform your users of what you are doing and why; and think about how you can give them the tools to exert control over that if they so wish.
6. An ecology of solutions
Our implementation also specifically mentions browsers.
Browsers are the way the majority of users access the internet, so they are the natural place for users to exercise control over their privacy settings.
Browsers have increasingly focussed on providing settings which guard a user’s privacy.
They include features such as the ability to see and delete all the data that websites have stored on your browser; to create lists to prevent certain websites tracking you; and even to have completely private browsing.
These features are already live and browsers will continue to place a premium on giving users the ability to control their privacy online.
One of the major strands of the browser-based privacy work has been Do Not Track: the ability for a user to easily send a clear message to a website that they do not wish to be tracked via their browser.
The European Commissioner Neelie Kroes has called for a Do Not Track standard to be agreed by June 2012.
I’m pleased to say that talks led by W3C (the World Wide Web Consortium) are progressing well.
One of our panels will discuss this work in more depth later. All I will say is that it is another example of the willingness of industry to engage in privacy issues.
It will be important to continue to show that willingness once a standard is rolled out. Otherwise we risk losing the trust that the online world is so dependent on.
I do want to stress that despite all this impressive progress, browsers are not a silver bullet which will solve all of the problems posed by this law. Even with an agreed Do Not Track standard and all the privacy tools you could possibly imagine browsers alone are not enough to meet the requirements of the directive.
They are only one part of the equation and they do not absolve you from your responsibility to inform your users of what you want to do with their data. The UK implementation is reliant on everyone doing their bit, and coming together to form an ecology of solutions.
I believe e-privacy in this country should be seen as a success story.
The internet contributes more to our economy than any other in the G20.
So we should take a lead on this issue.
We should be seen as an example of effective implementation.
Business should turn a burden into an opportunity, and use the directive as a chance to show their customers that they are safe when they engage with them on-line. That’s worth a lot.
The story should be about industry taking the initiative, and being proactive about users’ privacy online.
May 26th will not be the end of the e-privacy debate, far from it. But if we continue to show the willingness to engage that has been evident during this implementation and take these issues as our priority, we will be in a far stronger position.