advertisement

EU wants tighter online privacy

BRUSSELS — The European Union wants companies such as Google Inc. or Facebook Inc. to give people more control over how their online habits are tracked, requirements that could crimp Internet firms' ability to target advertising.

Internet companies, privacy activists and the EU's executive commission are likely to wrestle over the specifics of the rules, which cut to the heart of funding models not only for technology firms but also for many online news sites and blogs.

"People should be able to give their informed consent to the processing of their personal data," the European Commission said Thursday in a new strategy paper.

It also wants users to be able to modify and delete any information that has been collected, giving them "a right to be forgotten."

Thursday's strategy paper will form the basis for an overhaul of the EU's 15-year-old laws on data protection scheduled for next year. It is open for public consultation until January, and the commission aims to propose legislation by mid-2011. Any new laws would have to be approved by the European Parliament and national governments.

Tracking an individual's search history to target online advertising is a key revenue source for companies such as Yahoo! Inc. and Google.

Other firms use cookies — small files placed on a user's computer — or pop-up windows to track the websites a user has visited in the past or the books and clothing he has bought online.

The more closely ads can be linked to a user's interests, the more likely they are to be successful.

But privacy watchdogs have raised concerns over whether this information can be linked to an individual's name or address, what it could be used for, and how long it can be stored.

Technological advances and the many players involved in so-called behavioral advertising "make it difficult for an individual to know and understand if personal data are being collected, by whom, and for what purpose," the commission says in its strategy.

Websites should be more transparent about who is collecting data, and why, and how Internet used can "access, rectify or delete their data," it adds.

However, Thursday's document doesn't say whether the EU intends to require users to specifically "opt in" to having their data collected, or whether it is enough to allow them to "opt out."

Another key question will be how prominently websites have to display any opt-out buttons or links and how complicated the process could be. Google, for instance, already has a small "Privacy" link on its homepage, through which users can edit or clear their Web history.

As it stand right now, the commission's strategy looks "ambitious," said Wim Nauwelaerts, a counsel at Brussels-based law firm Hunton & Williams who has advised several technology firms on privacy issues.

"The EU's data protection framework already had the reputation of being one of the most stringent out there," said Nauwelaerts. "And this only reinforces it."

Google and its big rivals say they never link an individual's data to his name or address and that they don't collect information on sensitive issues such as health or sexual orientation.

Google has come under fire after vans collecting data for its StreetView application also scooped up sensitive information from unprotected wireless networks.

Facebook last month acknowledged that 10 of its most popular "apps" transmitted information about its users to advertisers and data-gathering firms.

Google declined to comment on Thursday's strategy paper, saying it was too early in the process. Facebook and Microsoft Corp., which runs search engine Bing, didn't respond to requests for comment.

In the U.S., several proposals by lawmakers to tighten data protection laws have failed to gain much traction in Congress. But privacy experts said they were encouraged by the EU's push to strengthen online privacy laws.

New EU rules are certain to create a "spillover effect" that raises the bar for privacy standards around the globe, including in the U.S., said Marc Rotenberg, president of the Electronic Privacy Information Center.

The U.S., he said, has been reluctant to update rules governing the collection of personal data online and has instead placed "blind faith in self-regulation."

But "the EU directive is a wake-up call," said Rotenberg, who last week testified on privacy issues in the European Parliament. "The U.S. will now have to work to catch up."

Jeffrey Chester, executive director of the Center for Digital Democracy, a not-for-profit group based in Washington, believes that despite the bitter political climate in the capital, online privacy legislation may be one area ripe for bipartisan compromise.

The U.S. Federal Trade Commission also is expected to weigh in on the matter.

The FTC will soon issue a report outlining recommendations on how to ensure that consumers know what information is being collected about them on the Web and how it is being used, and give them control over that data.