EU Internet Privacy Rules

    This past June, I was lucky enough to go on a much-needed vacation to Spain.  Naturally, I took in the culture, enjoyed the local cuisine and, well, pretty much behaved like any other tourist would.  Spain certainly left an impression on me, yet one of the oddest aspects of my trip came from a relatively unexpected source: my smart phone’s internet browsing capabilities.  Now, before you start judging me as a bad sightseer, please let me explain.

    Like most people these days, I basically take my smart phone everywhere I go.  Among its many uses, my smart phone puts the internet right at my fingertips, which enables me to keep up with the news.  Since I am Springfield-born and bred, I have a lot of hometown pride and I try to be fairly involved in the community.  I enjoy visiting local news websites to stay current on Springfield’s happenings – even when I am on vacation in another country.   Since I am a U.S. citizen, I am not used to being blocked from some of my favorite websites.  However, this is exactly what happened in Spain.

    As we saw in the recent Facebook scandal, our personal information is a highly-sought after commodity.  Even though protection laws in the U.S. offer up some restrictions on the use of our private data by websites, we might as well be the Wild West when compared to the EU.  European laws regulate the internet more heavily than our own laws here in the U.S.  This is partially because internet data privacy in the European Union is taken very seriously, even being classified as a “fundamental right” under the EU’s Charter of Fundamental Rights.  In keeping with this concept, the EU recently passed a new law in March that is known as the General Data Protection Regulation, or GDPR, of which I will get into more detail shortly.

    Recent innovations in the fields of data mining and analytics have resulted in incredible technological advances that have enabled an alarming amount of personal data collection over the past several years.  There is so much personal data on the internet that can be quickly analyzed that people often find themselves the victims of unwanted personal disclosures that they never would have dreamed would have made it to the World Wide Web.  In this regard, the most common technology used by companies to collect user data comes from internet cookies.  

    To give you the rundown, an “internet cookie” is basically a very small and unseen text file that a website stores on a user’s hardware when he/she visits.  And once the cookie has been stored, each time a user returns to the cookie’s source site, the cookie automatically lets the site know who the user is and any other relevant information necessary to personalize their browsing experience.  Cookies provide ease of internet use and convenience, but they are also used for targeted advertising, which can feel like an unwanted privacy violation.  In this regard, the EU takes a much harder legal stance on regulating cookies than does its U.S. counterpart.  The newly implemented GDPR gives testament to this.

    The GDPR expands what counts as personal data and individual rights over that data – but only protects residents living inside of the EU.  The new law ostensibly grants users the majority of control when it comes to the use and distribution of their personal data by websites.  The EU claims that European internet users must actively agree (or “opt-in”) to allow cookies to track their data.  U.S. law takes an “opt-out” approach to cookies, in which a user needs to actively disable them in order prevent the tracking of their personal data.  Since the EU has been somewhat unclear as to what constitutes legal consent by users to use their personal data, many companies have implemented practice known as “notice and opt-out”, wherein banners are openly displayed on their website that give users the "option" to opt-in.  These banners, if ignored or closed by a user, are treated as implied legal consent to personal data collection by the website.  Moreover, under GDPR, citizens of the EU have a right to have their data deleted if they don’t want an internet company to use it.  And if any such request for deletion is made by a user, their personal data must be deleted without undue delay if the company does not want to suffer a monetary penalty.

    I say "ostensibly" because, in my opinion, the EU rules don't change anything except adding a new banner to websites.  For example, a British clothing site has a banner on it that states: " We use cookies . . We’re an honest bunch so if you continue without changing your settings, we’ll assume that you are happy to receive all cookies.  Click here to read the nitty-gritty of our cookie policy."  If you read the "nitty-gritty" on their cookie policy, it tells you that if you don't want cookies, you need to change your browser settings.  So, although the EU says you have to "opt-in," if you don't change your browser settings and continue visiting the same websites, they will continue to use cookies on your computer.

    Because of the be cookie rules, certain U.S. sites have chosen not to comply with EU laws, rendering them unpublishable by EU standards, thus explaining my inability to catch up on the latest Springfield happenings on some of our local websites while I was over in Spain.

    More recently, EU lawmakers have focused their attention on implementing drastic changes to the use of copyrighted materials on the European internet.  Current pending legislation in the EU, known as the Directive on Copyright in the Digital Single Market (or European Copyright Directive), seeks to regulate the use of copyrighted material over the EU internet.  While March’s new GDPR is purportedly a consumer-friendly measure, the European Copyright Directive appears to be much more favorable to internet businesses – particularly very large ones.  

    The two most controversial aspects of the European Copyright Directive come from Article 11 and Article 13 of the drafted legislation.  Commonly referred to as “the link tax,” Article 11 states that if a website desires to use snippets of online journalistic content or provide links to outside content, the website must first pay for a license from the content publisher.  Among the chief concerns here is the possibility that only the largest internet companies (e.g. Microsoft, Google, and Facebook) will be able to afford to pay publishers for showing snippets of news articles on their sites.  Many are fearful that less financially successful internet companies would fade into oblivion in the EU due to their lack of resources to pay the proposed licensing fees.  That being said, Article 11 is the less controversial of the two proposed laws.

    The second EU proposal, Article 13, provides that certain internet companies such as YouTube, Reddit, and Tumblr that host large amounts of user-uploaded content must actively monitor that content in order to identify and stop possible copyright infringement.  In the event of copyright infringement, the supporting website would be legally liable to the original copyright holder.  This would disincentivise the continued operation of various user-generated platforms, resulting in what many believe to be a masked form of internet censorship.  To put this into perspective for those of us living in the U.S., the inventor of the internet, Tim Berners-Lee, as well as Wikipedia founder Jimmy Wales, have each come out against Article 13, opining it to be an “imminent threat” to the future of the internet.

    As it now stands, the European Copyright Directive remains pending and undecided by EU lawmakers, who are next scheduled to vote on the law in September.  Since this proposed EU law may very well change the face of the internet as we know it (especially over in Europe), this is something worth keeping an eye on.