Amazon, a pair of shoes and my Data Privacy walks away

Try to remember the last time you shopped from Amazon. Most likely you are another happy consumer that has enjoyed the benefits of e-shopping in terms of service, price and delivery time. It is also highly possible that you already master the plethora of reasons not to get into your car and experience all that painful traffic to go to the mall and spend hours of your precious time trying to find the pair of shoes of your dreams, which satisfies not only your wife but also your wallet at the same time. Your electronic transaction is now complete and you just received the email notification with your order number and delivery info. Congratulations, you are one of the million clients that made a purchase through Amazon that day. The question now is: what do you do after that? Do you go out to have drinks and brag about your new shoes or you keep surfing on the web? I guess it’s the latter. If so, have you by any chance noticed a small 300 X 250 pixel Google Adsense Web banner on the right sidebar of the next website your visit? What do you see? You see an advert of the product category that the item you just purchased belongs to, shoes. Coincidence? Magic? Fate? Neither of the three. You just need to open up your eyes and see the appalling truth. That marketers use data mining as a tool to investigate consumer behaviour is not news. For years researchers and marketers have been collecting and processing purchases in order to discover the holy grail of marketing; new ways of market segmentation based on novel statistical modeling techniques. Today, the main area of focus of every descent marketer is the media that has changed society in the 21^st century, the Internet. The amount of research that sheds light on the way consumers behave on the Web is staggering. The biggest opportunity for a new generation marketer today is the traces that customers daily leave on the Web through their interaction on social media, their online purchases, the clicks on advertising banners, even the terms they use in search engines. Imagine all this information compiled and clustered into different segments. Then imagine yourself as a serial number in one of those big bags. Is this a scenario of a science fiction movie? I am afraid not. The “Perfect Advert” Nowadays, many big Internet giants like Facebook, Google and Amazon, are using this new marketing trend to show the “right” advert to the right people at the right moment. It seems like the perfect advert has been invented; 100% targeted, 100% accurate, 100% effective. Ideally a “perfect advert” like this can be the key to a “perfect economy”. Moreover, a “perfect advert” can satisfy better the needs of consumers and thus render the society a better place to live in. The big question remains, though: what is the price we pay for a “perfect advert”? In spite of the low monetary cost of this kind of web adverts compared to traditional adverts, the actual price that contemporary society is paying for them is nothing less but the people’s freedom. Again, try to remember whether you have given your consent that you wanted to see Google adverts related to the products you bought in Amazon. The answer is that you haven’t but even if you had, we are so little educated on the way our private data are being collected and processed, that you would never be able to realize this.  This is not only a European phenomenon, but rather a global one. The data privacy loopholes in the legislation globally are so huge that Internet companies like Facebook, Google, Amazon, Microsoft and the peer can basically play around with our privacy in the way they desire in order to perfectly serve their lucrative business model. Thus, next time you meet with a web banner of a product you are interested in or you have talked about with your friends in social media last week, do not think it is karma. Data privacy in Europe Europe currently has an anachronistic legislation on data privacy that dates back to 1995 when the internet was just being conceived as an idea. It is clear that a system like this is not able to protect the European consumer, not even concerning his fundamental privacy rights, not to mention complex cases that came with the current expansion of this new interactive media. However, it was only last year that the European Commission proposed a significant reform in data protection rules. The aims of this important reform as stated in the Memo/13/233 are the following:

• “The need to replace the current 1995 Data Protection Directive with a directly applicable Regulation that covers the processing of personal data. A single set of rules on data protection, valid across the EU will remove unnecessary administrative requirements for companies and can save businesses around €2.3 billion a year.
• The need to maintain a broad definition of “personal data”. This is in line with the current 1995 Directive. This is also in line with the case law of the Court of Justice which ruled, for example, that IP addresses are personal data (the SABAM case). At the last Justice Council in March Vice-President Reding made clear that narrowing this definition would mean that some data protected in the past would no longer be covered in the future – which is not an outcome the Commission would be prepared to accept. (see SPEECH/13/209).
• The need to give ‘explicit consent’ as one of the legitimate grounds for processing data. The current Directive states since 1995 that consent has to be  ‘unambiguous’. The Commission’s proposal foresees that if and when consent is used as a ground for processing, then it has to be a real and valid consent: it cannot be presumed that when a person remains silent or does not act, this means consent. As Vice-President Reding explained in a recent speech (see SPEECH/13/197), consent is only one of several bases which make the processing of personal data lawful.  Therefore, in practice, businesses do not need to worry about having to adapt existing business models.
• The need to have a “one-stop shop” for companies that operate in several EU countries. The Commission’s proposal cuts red tape by introducing a one-stop shop for businesses to deal with regulators. In the future, companies will only have to deal with the data protection authorities in the EU country in which they have their main establishment: one interlocutor, not 27 (or more).
• The scope of the Data Protection Law Enforcement Directive. A new Directive will apply general data protection principles and rules to police and judicial authorities in criminal matters. These rules will apply to both domestic processing and cross-border transfers of data and enhance trust between law enforcement authorities.”

The road of Data Privacy Reform is not full of roses Unfortunately, it has been more than a year now and the reform has not been put into place yet. The main reason is because a big reform like that to be applied by all 27 member countries is bound to clash with various interests, corporate and political. As described in a previous story of mine with the title “Facebook and Google to treat Europe as the 51^st State of the USA”, there has been tremendous lobbying pressure towards the EU officials responsible for this project.  I would like to quote here a paragraph from this article that proves this: “Let’s start with the vice-president of the European Commission, EU Justice Commissioner, Viviane Reding, who described last year the US lobbying effort on the issue as “absolutely fierce”, according to the Telegraph. What is more, Jan Philipp Albrecht, the German MEP that is fighting for stricter data privacy rules in the European Parliament has stated in Financial Times: “Throughout the last year there has been a massive campaign from the side of AmCham [American Chamber of Commerce], which organized events throughout Europe and met with many MEPs in Brussels and Strasbourg”… “But now, since January when my report was published, lobbyists, especially from Silicon Valley, have stepped up their campaign to water down the EU privacy regulation.” Also, Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, has repeatedly expressed his dissatisfaction for the unorthodox US lobbying on this issue, and particularly for the approach of the infamous Internet Giants of the Silicon Valley.” What now? The big question, though, is whether there has been any progress since February on the issue. The facts show, unfortunately, that there have been some water downs on the initial reform due to the suffocating pressure from businesses and politicians. One of the main pressure sources comes from the usual lobbying endeavours of the big Internet dinosaurs that make money out of private data, like Facebook with its Facebook Ads and Google with its Google Adsense. It is evident that this reform will make the rules much stricter for them and thus it will result in profit loss. Interestingly, according to this reform a fine up to 2% of the company’s turnover can be imposed to the company caught violating the new data privacy rules. One can imagine what this can mean for a company like Facebook with $ 5.1 bn in 2012. Moreover, another issue that seems to bug those big conglomerates is the “right to be forgotten” and the right of data transferability. With the new reform the user will be able to opt for complete deletion of all information stored about him that are no longer accurate e.g. in Google results. Also, she will have the right to transfer his data from one service provider to the other. All this, apparently, causes excruciating headaches to the masters of the Internet. Furthermore, this time it is not only those American corporate giants that claim changes on the reform but EU member states as well. At least 9 EU members were represented by the Irish Presidency of the Council of the EU and have written a letter that is asking for amendments on the proposal for the reformed regulation on Data Privacy. These countries are asking for more risk-based approach that takes into account the size of the company and for more flexibility in the public sector. The reason for this is first the fact that this new regulation is not going to be a simple directive where the member states will be able to localize and adjust as they wish. Instead, the philosophy of the new data privacy is holistic and will be the same for the 27 countries. Another reason is of course the large pressures that these member states accept by the local Internet companies and lobbying organizations. Time for some Privacy The new EU Data Protection Regulation is scheduled to be voted in June. While for the Irish Presidency of the Council of the EU this is a big bet, I find it difficult to believe how this will be possible since everybody wants to mingle and water down the regulation already. It has been going back and forth for more than a year now and I am not sure how this huge project will be completed in a couple of months time, so that it is ready for vote by the end of the Irish Presidency. It is understandable that the golden cut between the Commission and the Market needs to be found. However, it is of critical importance not to make compromisements on the data protection of the consumer for the sake of any big company or political power. After all, the European consumer has been waiting for this precious Web safety net for almost 20 years now. It is high time that he is remunerated for his patience.