The EU has proposed only incremental changes to data protection law in Europe, but their significance lies in a new ability to fine digital services – including the giant platforms – for privacy breaches.
The law covers the consent users give to the acquisition and processing of behavioural data. This is considered valuable by advertisers and publishers. Privacy groups lost several points in the Commission's drafting process. But despite concessions, the online ad industry, worth €36bn in Europe, still isn't happy.
In a statement, the Internet Advertising Bureau said the "the future of the web as we know it" was in "danger".
Co-founder of privacy company Baycloud, Valerie O'Neil, told us:
The real significance of the new proposal is the linking of it to the General Data Protection Regulation, especially in regard to the very large fines – up to €20m, or 4 per cent of turnover, whichever is the bigger – that can be imposed. Google, Facebook and others will now need to sit up and take notice. Although the ability of non-profits to initiate class actions, allowed under Article 80 of the GDPR and which could lead to even greater costs on data miners, has been removed, it is possible that this may be re-inserted when European Parliament debates its amendments.
O'Neil noted a minor change in which visitors to a website for analytics purposes do not require consent, as long as any personal data collected is only processed by the first party. This means web analytics based on the Google Analytics system, which Google uses to drive its targeted and behavioural advertising business, continues to need prior informed consent, while analytics based on the first-party hosted Piwik system "would probably not".
Over a decade parties have rowed about what "implied consent" entails. This is what led to the notorious Cookie Popup.
"There never was a requirement for the elaborate but irritatingly ineffective 'cookie banner' smokescreens currently deployed, and the new proposal does not mention them either, although the lobbyist's lie that users were 'overloaded with requests to provide consent' has found its way into the proposal," O'Neil told The Reg. ®