Europäischer Datenschutzbeauftragter Hustinx: “Do not track or right on track? – The privacy implications of online behavioural advertising”

Der europäische Datenschutzbeauftragte Peter Hustinx hat kürzlich einen Vortrag zum Thema “Do not track or right on track? – The privacy implications of online behavioural advertising” gehalten und diesen im Internet veröffentlicht. Herr Hustinx gibt darin einen guten Überblick über die zu erwartenden Entwicklungen im Bereich Online-Marketing und Datenschutz.

Die aus meiner Sicht wichtigsten Passagen des englischsprachigen Vortrages lauten:

“(…) At a general level, there also seems to be a growing consensus that a better balance can be found on the basis of three key principles: i.e. transparency, fairness and user control. (…)

As to Article 5(3) of the e-Privacy Directive, it is important to know that the storing of information and the accessing of information stored in the user’s terminal´ are considered as an intrusion in the private sphere of the user. This is expressly stated in recital 24 of the 2002 version of the Directive and recital 65 of the revised version. (…)

The new text of Article 5(3) requires consent of the user concerned, which must be given before the storing or accessing of information. The e-Privacy Directive also makes it clear that this consent should fulfil the requirements of Article 2(h) of the Data Protection Directive, i.e. it should be a “freely given, specific and informed indication of his wishes” by which the user signifies his agreement to information being stored or accessed on his terminal. (…)

The information given should be “clear and comprehensive”. This means that it should be clear, precise and easily understandable, and should cover all relevant substance. It follows immediately from the text that the information should be given before the user’s consent. This information should also be readily available to the user without great efforts: the user must be provided with the relevant information.

The text does not specify who should provide this information. However, it is obvious that the first candidate to do so is the ad network provider who stores or accesses information on the computer terminal. This does not prevent that the website operator or publisher is often also in a good – or perhaps even better – position to provide the required information.

The frequency of the information is not mentioned. The text certainly does not require that the information is given each time a cookie is stored or accessed on a terminal. Indeed, it allows a practical approach under which both information and consent are provided at certain intervals and for certain categories of activities. (…)

This leads to a few other issues, such as the role of browser settings. Recital 66 of the revised e-Privacy Directive is often referred to in this context. However, what it says is that “where it is technically possible and effect…