Claims that big Internet companies, such as Google or Yahoo, track the on-line behaviour of millions of users to sell the resulting data to on-line advertisers raise difficult issues, such as whether these data could also be used for other purposes that violate personal privacy, data protection, industry and consumer protection bodies told the European Parliament’s Civil Liberties Committee. The fact that privacy laws differ markedly from country to country, while Internet use knows no borders, complicates any attempt at a definitive answer, but a common EU, or even transatlantic, approach on how to protect internet users’ data is badly needed, stressed MEP Sophia in ‘t Veld of the Netherlands.
On the other hand, Internet companies are unlikely to give up on their activities: on-line advertising is a USD 27 billion market, which is expected to double in four years. “Community law on data protection does apply on the Internet, it applies to both online and offline realities (...) existing rules do apply and do provide safeguards,” said European Data Protection Supervisor Peter Hustinx, in contrast to the view, stated by MEP Stavros Lambrinidis of Greece, at a press conference beforehand, that “there is no EU legislation per se to ensure that information targeting behaviour for marketing purposes will not be used for other activities that far exceed the initial purpose.” MEPs asked Internet companies’ representatives how industry can minimise the risk of breaching privacy rules. “Has the US Administration or any other government requested access to personal data for purposes of police investigations? If so, who determines whether the protection of privacy is being violated?” asked Lambrinidis.
For Google, Global Privacy Counsel Peter Fleischer said: “If a law enforcement authority makes a concrete request to, let’s say, investigate child pornography, and if it is made through valid legal process, we respond to it. And the rules vary in each particular country, so this is why we have to face it with a good team of lawyers. We also challenged a disproportionate request for millions of pieces of information in a US court, and we won,” he added, observing that this set an important precedent. One issue that prompted considerable debate is whether or not the Internet Protocol (IP) address (a 32-bit numeric address that serves as an identifier for each computer) should be defined as “personal data” and subject to specific privacy rules. “From a US perspective, there is no consensus over this issue,” said US Federal Trade Commissioner representative Pamela Harbour. Fleischer added: “There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.” The Executive Director of the Electronic Privacy Information Center, (EPIC) Marc Rotenberg, disagreed.
“I wish this was the case, but we are moving towards the IP6 model, for which it will be even more the case that IP addresses will be personably identifiable,” he said, adding that business operations such as the acquisition of Doubleclick by Google in April 2007 “underscore the need to bring data protection into account when the responsible authorities review the merger”. The Google-Double Click deal is currently being examined by the European Commission. “We have to know who is consulting what - otherwise our business would not work,” said Fleischer, pointing out that the growth in services on the Internet, supplied virtually free, is “partly due to advertising.”
Microsoft representative Thomas Nyrup agreed that ”the Internet would not be what it is without advertising.” He nonetheless stressed the need to ensure respect for the three principles of “consent, transparency and security” because the “the consumer must be able to check how his data is shared.” The confidentiality and security of Internet exchanges are not guaranteed and it is doubtful whether targeted advertising broadens consumer choice said Cornelia Kutterer, for the consumer body Bureau Europeen des Unions de Consommateurs (BEUC). Artemi Rallo Lombarte, of the Spanish data protection authority, advocated defining international rules to protect the privacy of Internet users, to ensure that they are informed of the use made of their data. Civil Liberties Committee Chairman Jean-Marie Cavada of France then asked about analyses done on the content of e-mail sent via Internet messaging services.
Microsoft’s representative denied that his firm engages in this practice, but Google’s admitted to it, but reiterated that it was done solely for advertising purposes. Rotenberg judged this a “very sensitive” issue, which he likened to telephoning to reserve a table at an excellent French restaurant, only to be immediately called back by another restaurateur seeking to cancel the reservation. In ‘t Veld noted that “Facebook” social network users had recently objected to the use made of their personal data, and had obliged the company to change its practices. “Consumers must be able to exercise their power,” she said. She also criticised certain public authorities whom she said “use personal data without any rule, and want to keep it that way.”