of the ASSOCIATION FOR INTERNET PROGRESS (SPIR)
concerning the proposed Regulation on Privacy and Electronic Communications (ePrivacy)
(8 February 2017)
In general, SPIR supports the aim of the proposed Regulation, i.e. ensuring the privacy of internet users. However, the tools used to achieve this aim must be proportionate, taking into consideration the interests of all the stakeholders. From the viewpoint of providers of information society services, we therefore appreciate the apparent advancement that took place between the leaked draft ePrivacy Regulation in the end of 2016, and of its final version of 10 January 2017.
Nevertheless, we still believe that the biggest issue of the ePrivacy Regulation Proposal (hereinafter the “Regulation” or the “Proposal”) lies in the fact that it fails to strike a balance between the interests of the industry and the data subjects, and many restrictions were considerably extended beyond the scope of the GDPR. The expansion of the scope of the Proposal is also highly problematic. Apart from electronic communication services, the Proposal applies also to other types of services, such as retrieval and presentation of information on the internet. The Proposal does not attempt to establish a balance and fair relationship between the industry and data subjects, which would, on the one hand, ensure a high standard of data protection, and, on the other hand, allow the commercial sector to keep the business models that developed in recent years, particularly on the internet.
Moreover, in some aspects, the Proposal does not allow the possibility to consider the legitimate interests of both parties, i.e. the commercial sector and the data subjects, where the interests of one party would prevail over those of the other only in individual(!) cases. Naturally, such considerations are out of question in relation to certain basic rights, such as the protection of confidentiality of correspondence, where clear rules must be adopted e.g. for access to e-mails; nevertheless, they are completely relevant for some other provisions, such as Article 8 (see our proposed wording of Article 8 that better reflects the current state of affairs).
Furthermore, we are concerned about the fact that the definitive wording of the Regulation will only be known just before the reform of personal data protection enters into force, while the providers are already obliged to set up their systems to comply with the GDPR at the present time, which is very costly. If the stricter rules stipulated by the Regulation require further re-adjustment of such systems, the European industry will have to bear additional costs and the investments made to date will lose their value.
We believe that the Regulation imposes unreasonable restrictions on the providers (including unproportionate sanctions) without creating any considerable benefits for the users. It can be expected that the implementation of the proposed provisions will be associated with greater burden for the users (the amount of information banners and the necessity to set up various applications and browsers etc. are demonstrably bothersome and time-consuming for the users). Simultaneously, any disruption of business models may jeopardise the growth of smaller European providers, or even destroy them, which would subsequently lead to a loss of jobs that are increasingly moving from the “offline world” to the internet (see further chapters).
Actual impact on the industry
In our opinion, the Proposal fails to reflect even its actual implications.
Typical example can be the probable complete suppression of the possibility to segment users for the purposes of increasing the efficiency of advertising display without the users’ consent (see also our concerns over the interpretation of Art. 8 (1)(c) of the Regulation). We believe that in everyday life, users will not take advantage of the possibilities provided by Article 10 to globally express their consent to profiling/segmentation. Therefore, this option will remain available only to those who acquire the users’ express consent, which will in fact be feasible only for providers who register their users. Only the providers of large (usually non-European) social networks or e-mail services have sufficient amounts of such users, allowing them to achieve efficient segmentation/profiling. At the same time, such providers are able to conduct more detailed profiling (admittedly subject to the users’ consent) thanks to the fact that they usually have available the first names and surnames of the data subjects, information on their activities within the services and their connections to other persons and they have the possibility to track user behaviour across various devices (PC, mobile phone etc.). Such profiling is much more detailed and invasive than basic segmentation that would be carried out by regular providers of internet servers (in principle, such providers only have available anonymous data from cookies, which are moreover connected to a single device or browser rather than to a specific individual). In reality, the users will grant their consent to a handful of non-European providers whose user base and the possibility to conduct profiling will allow them to offer more effective advertising than others and generate larger profits from it. This will in fact favour such large providers over e.g. smaller media that will thus lack the funds to finance their services (that are usually offered to end users free of charge, and the providers of such services rely exclusively on the revenues from advertising). Thus it could result in forcing smaller providers to stop selling advertising independently and employ on their websites the advertising systems of such foreign providers (who will have more efficient advertising and higher revenues thanks to profiling), which would in return strengthen their dominant position and control over smaller providers. We therefore believe that the Regulation should not globally ban segmentation of users for the purposes of more efficient advertising display, using the opt-in system; rather, considering the legitimate interests of both the parties, it should allow a less invasive approach, permitting the opt-out system. In this regard, the general provisions of Art. 6 (1)(f) and Article 21 of the GDRP could remain in use.
Another example of the Regulation’s failure to strike a balance between the stakeholders’ interests can be found in the unclear impact of Art. 8 (1) on the possibility to test the end-users’ terminal equipment for purposes other than those expressly permitted, e.g. for using the so-called ad blockers (special software that blocks advertising). The entire concept and legal assessment of ad blockers and the defence against them is rather complicated; nevertheless, we believe that the possibility of such testing and implementation of “anti-ad-blockers” (and thus the corresponding changes on the websites so as to display advertising) should be allowed if the interests of both parties are considered within the meaning of Art. 6 (1)(e) of the GDPR (including e.g. the possibility to ban circumvention of ad blockers in case of invasive advertisements, which would however remain up to the assessment by the regulatory bodies in each individual case), and should not be banned generally. Once again, the interpretation of the provision and exceptions pursuant to Art. 8 (1)(c) of the Regulation will be of importance.
Incidentally, we would like to add that allowing segmentation or “anti-ad-blockers” in cases when the providers would be obliged to offer an alternative paid model (e.g. without targeted advertising/without any advertising for a monthly subscription fee) is not a solution either. Tests carried out by our members show that users are not interested in such paid models, and that significantly fewer than 1‰ would subscribe.
Article 8 (1)(d) of the Regulation contains a similar practical problem, when it probably only allows measuring by the information society service provider itself. However, measuring of web traffic represents the basic means of communication between website providers and advertisers; based on the data obtained, the advertisers select the sites where their advertisements are to be displayed. It is virtually impossible for the individual providers (except perhaps for the most prominent ones who would yet again obtain an advantage over the others) to carry out such measuring; rather, it must be carried out uniformly for the entire market, which usually authorises an organisation including both the providers and the advertising industry to do so. Confining to only one specific information society service provider therefore also destroys the tried and tested model of such measuring and can jeopardise the stability of the entire online advertising industry.
It would be advisable to expressly and unambiguously supplement Art. 8 (1)(c) with the right of the provider of a specific website to determine the rules for the use of the website even if it is available to “anybody” without obligatory registration, i.e. in making the website accessible only to those who grant their consent to some degree of segmentation, e.g. by enabling cookies. Again, the possibility of assessment of the legitimate interests of third parties may be envisaged, which could be addressed by reference to Art. 6 (1)(f) of the GDPR. For the sake of completeness, we point out that the considered solution consisting in the obligation to offer a paid version lacks any business logic, since according to our practical experience, users are not interested in such a service, at least not in the Czech Republic.
The provisions that do not sufficiently take into account the well-functioning models that are currently used include also Article 15, which, in our opinion, may also affect general online business directories; there, it would be necessary to obtain the consent with the publishing of data also from natural persons operating businesses, even from those who publish their contact information on their websites. Such directories represent well-functioning established models that do not give rise to any controversies. We therefore recommend implementing the opt-out system for natural persons operating businesses.
Impact on users
Although the goal of the proposed tool is to improve the level of the users’ privacy on the internet, the individual measures may negatively influence the users and their comfort in using internet services; paradoxically, the measures may not even necessarily ensure a higher level of user privacy.
The Commission acknowledges that the users are currently being inconvenienced by information banners – many users have developed “banner blindness”. However, the proposed measures may lead to an even higher number of banners displayed, since, in practice, the implementation of the measures will not stop the use of banners.
The Proposal foresees an option granted to the users to set up the level of privacy in their browser and every new application (software) at first use, and to easily change the level of privacy at any time. However, this may cause some discomfort to the users, considering the amount of applications one uses on a daily basis. The privacy settings alone will not and cannot prevent displaying banners to the users on some sites.
Since the Proposal assumes that the publisher is entitled to make access to free content conditional on processing of data for advertising purposes, banners requiring consent will necessarily be displayed to users who set up the highest level of privacy as a default setting or refuse third-party cookies. Moreover, even the users’ responses to such requests (consent or refusal of consent) are technically stored as cookies that are a priori blocked by users requesting the highest level of privacy. For this reason, the publishers are not able to ascertain the users’ prior responses and will have to request the users’ consent repeatedly each time the users visit the site.
What is more, if a large majority of users select the strict settings for cookies, the service providers will use alternative (although more costly) methods of identifying the users to which the technical settings of the software do not apply, to use the consent granted by the users for the users’ repeated visits. Cookies, i.e. the standard method that has been used for years and is known to the users, will became only one among many other types of identifiers. As a result, the higher amount of identifiers will become less transparent and more difficult for the users to comprehend.
Having regard to the subcontracting relationships not only in the area of advertising, but also in other analytics, the new system will probably require greater involvement by the user, will be more bothersome for the user, and will not even increase the user’s privacy.
Economic significance of online advertising
On-line advertising is a key component and driving force of European digital economics, enabling publishers and application developers to invest in further innovations. In 2014, online advertising (indirect and induced effects excluded) generated gross value added in the amount of EUR 22 billion in the EU. Advertising is the basic source of income for online media publishers and application developers: in 2014, 75% of their total income originated from online advertising (and 25% from the paid alternatives).
Only a very small amount of users are willing to pay for online news: a whole range of studies suggests that in 2016, only 9% users of a sample of 50 thousand users paid for online advertising; 68% of users granted their consent to cover the publishers’ costs through the displaying of advertising (only 9% agreed with paid content – the percentage varies by the individual states and studies: in the Netherlands and Great Britain, for example, only 2% and 4% of the users, respectively, were willing to pay for the content).
The 2014 study by SPIR “Monetisation of Internet Content” included also a survey focused, among other things, on the willingness of Czech users to pay for online content. The survey indicates e.g. that 2% of Czech internet users are definitely willing to pay for the on-line versions of newspapers, and 13% think that they might be willing to pay. Let us not forget the fundamental difference between being willing to do something and actually doing it. Only 0.4% of the users declared that they had actually paid for online versions of newspapers during the previous 12 months. The reluctance to pay for online content was confirmed also by a pilot project by Mafra publishing house that informed the users of various ways to finance content and offered them content free of advertising based on a subscription. Only a negligible amount of users (less than 1‰) used that option.
Online advertising directly supports 0.9 million jobs in Europe (1.4 million if indirect and induced effects are included).
Proposed solution – approach based on the degree of risk and transparency
SPIR agrees with the declared aim of the proposed Regulation that lies in ensuring the privacy of internet users. We believe that such aim can be achieved without negative side effects that may be brought about by the existing wording of the Proposal.
The risk-based approach should become the key starting point. For this purpose, profiling based on personal data as addressed by the GDPR and segmentation for the purposes of targeted advertising must be distinguished. In case of segmentation, only basic user information is collected, i.e. information not allowing to identify the user in any manner (e.g. the user is a male interested in sports and rock music); therefore, there is no danger of any significant interference with the user's privacy.
Transparency is another key factor. In order to avoid the possibility that a user categorically refuses any processing of his/her personal data, even though such processing would not interfere with his/her privacy in any manner, and thus jeopardises the mere existence of the content provider, it is necessary to ensure that the user knows what happens to his/her data (and what the data are, specifically), the purpose for which the data are collected, processed and used. Users should be able to make qualified decisions between various levels of privacy settings, instead of acting on the false premise that third-party cookies are automatically dangerous.
Basic user knowledge of the online privacy issues should include the fact that cookies are generated by the websites visited by the users. The cookies then store information on the users’ browsing patterns, such as web settings or the data included in the user’s profile. Cookies only contain short text information and are available only within a single internet browser. There are two types of cookies: first-party cookies pertaining to the website specified in the address bar, and third-party cookies. These come from other websites and some of their elements are included in the website visited (e.g. advertisements, images, and also traffic monitoring scripts). Some cookies help the websites e.g. remember the users’ preferred settings so that the settings can be used for the users’ repeated visits, or the users’ geographic location based on which the users are offered suitable content, e.g. a weather forecast.
Enabling first-party cookies is important to even display the visited website properly. Third-party cookies are important, too. Some elements of the websites’ content are provided from other domains owned by the same providers for technical reasons; typically, this includes video content that simply cannot be displayed without allowing third-party cookies. Third-party cookies enable also measuring site traffic, which is truly crucial information for the provider. Third-party cookies are also important for correct displaying of advertising and for basic segmentation of visitors; without such segmentation, any advertising is less relevant for the users, and, therefore, more bothersome. At the same time, cookies allow to decrease the frequency of advertising delivery (without them, the advertising system cannot recognise that the advertisement has already been displayed and even larger amount of repeated advertisements is delivered to the users).
The practice not only in the Czech Republic, but also in other European countries shows that advertising is a crucial source of funding for a vast majority of media. Internet users must be aware of the fact that if they do not want to pay for the content, they must accept advertising. Targeted advertising is the least bothersome for users and the least demanding as to frequency. Also, thanks to its effectiveness, it ensures that the content providers obtain the funds necessary to create valuable content. Non-targeted advertising is not very attractive for advertisers, since it is less effective than targeted advertising, and, therefore, more costly and less profitable; non-targeted advertising is also more bothersome to the users and leads to a decrease in the quality and diversity of content.
A specific proposal for a technical solution by SPIR is under preparation and will be distributed separately.
 We intentionally avoid the word “profile”, since it does not reflect the most commonly used non-invasive techniques of identifying user preferences. Most publishers have neither the means nor the interest to track user behaviour on their websites in detail and only use basic segmentation of users in a few very broad categories.
 The Commission’s comments on the Regulation seem to suggest that such option is technically allowed; nevertheless, it would be more than appropriate to stipulate such possibility in the text of the Regulation to avoid any doubts.
 http://www.iabeurope.eu/wp-content/uploads/2016/07/IAB-Europe-Attitudes-towards-Programmatic-Advertisingreport_June-2016-v3.pdf http://reutersinstitute.politics.ox.ac.uk/sites/default/files/Digital-News-Report-2016.pdf