FW: speech by VP Neelie Kroes

EC VP Neelie Kroes has just made a speech about  DNT progress.

http://europa.eu/rapid/press-release_SPEECH-12-716_en.htm

 

 

 

The Centre for European Policy Studies (CEPS)/Brussels, 

11 October 2012

Thank you for inviting me today. 

Online privacy and online business need to go hand in hand. Privacy is a
fundamental right; if your idea doesn't work with that, it won't work at
all. Because people won't use what they don't trust. And they will stop
using what they learn to distrust. If that happens, online businesses miss
out on a huge opportunity of new and bigger markets. 

We need a corporate culture that respects its customers and their privacy.
Being transparent: making all citizens aware what's at stake, and which
tools they can use. So today I want to say to those involved in Online
Behavioural Advertising self-regulation here in Europe: well done for
reaching another milestone and launching the legal entity governing your
programme this week. The signatories deserve praise and encouragement for
going in the right direction. You have worked hard, and have done well. 

Of course, we also need a corporate culture that respects our legal privacy
rules which go beyond transparency. The new provisions in the ePrivacy
directive, the so-called "cookie rules", require informed consent before
information is stored or accessed on a user's device, their computer or
smartphone. Including when somebody wants to store or access cookies for
advertising or other tracking purposes. All providers need to respect and
implement these rules.

Over a year ago I set out how industry should deal with them. At the time
stakeholders were just waking up to the issue; by now, those rules are in
force in almost all Member States. 

The Digital Agenda is about helping online business to grow. And it's about
an open Internet where innovation can continue to change our world. So we
are not agnostic as to how industry implements the cookie rules: this is
important to our goals. And that's why, in June last year, I urged all
interested parties to come to the standardisation table, and agree a Do Not
Track standard, or "DNT". A standard making it simple for Internet users to
say "don't track me"; and describing how websites should respect this
choice. 

It's not hard to see how DNT can help with cookie consent – and help the
Digital Agenda. Put simply, DNT can be a universal mechanism to communicate
relevant consent – or lack of consent. It should apply to tracking via
cookies, and also by other means. It should apply to all network devices and
applications, independently of the purpose of tracking. It should “work on
the web”, be scalable globally, and in keeping with the end-to-end
principle. 

That was my challenge to industry. Just over a year later, it's time to
assess progress. 

Several browser manufacturers have quickly incorporated the emerging DNT:
and that's positive. 

But let me be frank: standardisation work is not going according to plan. In
fact, I am increasingly concerned. About the delay, and about the turn taken
by the discussions hosted by the World Wide Web Consortium (W3C). I think
that won't come as a surprise to you. And I know that my colleagues across
the Atlantic, at the Federal Trade Commission, feel the same. 

What is the problem? Top of my list comes the watering down of the standard.


I said it last June, and I said it in January. Loud and clear. But, for the
avoidance of doubt, I will say it again today: the DNT standard must be rich
and meaningful enough to make a difference, when it comes to protecting
people's privacy. 

It should build on the principle of informed consent, giving people control
over their information.

And, indeed, it must be designed to let people choose to not be tracked. The
clue is in the name: do NOT track. 

So, let me spell out some specific concerns. 

First, how users are informed about default settings in their software and
devices. That's a crucial aspect: is the default option to allow tracking,
or to decline consent? The Commission services were very clear on this point
in their letter to the W3C: at installation or first use, users must be
informed about the importance of their DNT choice. They must be told about
any default setting; and prompted to keep or to change it. Because without
that, most users aren't making an informed choice. 

Second, the DNT standard should not let websites "second-guess" or disregard
user choices. Recently, there were reports about a popular web server
introducing a feature that amounted to overriding the DNT signal; in effect,
ignoring users' wishes. I find that troubling, and undesirable. 

And third, what can be done without consent should be limited; and
justifiable, in the light of the standard's overall aim. But the exceptions
now on the table seem extremely broad. Jon Leibowitz, the FTC's Chairman,
called them "a loophole you could drive a virtual truck through". And you
can see why. Take the exception discussed for "market research". We need to
be clearer, much clearer, about what that means, and how far it goes. Of
course anonymisation, or privacy safeguards like retention limits, could
mitigate here. But this cannot be an open-ended "get-out clause".

In short: there are many reasons for concern. Time is not on our side. So to
all of those taking part in these discussions I say today: you need to find
a good consensus – and fast. 

Make no mistake. I am not naïve. The way the discussion is going right now
shows that the DNT standard, on its own, will not guarantee satisfying legal
cookie requirements. Not least because the emerging consensus appears to
exclude first-party cookies from the scope. 

But DNT is still useful and valuable. 

The fact is, we need, as far as possible, a simple and uniform way of
addressing e-privacy – across different providers and different types of
tracking. You shouldn't have every provider reinventing the wheel on this
one. 

Going the whole way would be better than going half way – of course! But
going half the way together is better than leaving everyone on their own.
Because it is a common approach, open and generative, fit for the global
web.

But, if DNT only goes half way, providers will need to ensure legal
compliance beyond that. There will be a delta, things providers need to do
to get valid cookie consent; on top of or beyond implementing DNT. 

So there should be a discussion about what that delta looks like in the EU
Member States. Given the legal requirements and given the state of the
standard. With the providers who will need to know the answer. And with the
authorities enforcing ePrivacy, who will need to set out their position. 

Not least, because DNT is already here with us. It's built into several
browsers, and used by many Europeans. Therefore, today, in Europe, it
already makes a difference whether DNT signals are sent. Do you think
companies should get away with saying that they "don't understand the
message", because DNT is not yet standardised, and continuing to place
tracking cookies without consent? I don't. 

So you won't be surprised to hear that the responsible authorities in the
Member States are looking at how to enforce these ePrivacy rules. And I will
put this topic on the agenda for their next meeting in the Article 29
Working Party, before the end of the year.

In short, nobody in Europe should want to see DNT standardisation stall or
fail. It's in no-one's interest. The cookie consent rules will be enforced
and providers will have to comply. Nobody wants users who can't trust the
web; nobody wants expensive ad-hoc solutions; nobody wants to be sued for
illegal tracking. 

When I say this is in everyone's interest, I mean everyone. Including
American companies. Because if you want to track Europeans, you have to play
by our rules. Our new data protection framework is crystal-clear on that
point.Including online businesses. In the long term, the online economy
won't grow if it acts against the grain, against the wishes of ordinary
users, against their need for trust. And under such conditions, nor can
online services prosper: including "freemium" services.

My conviction is simple: online privacy and online business don't just go
very well together: they need each other. We need to understand online
privacy more as a market in its own right. A market grounded in a respected
legal framework. A market that benefits from transparency. A market that
will specialise as it matures. 

What does that mean? Well, ask yourself: does it make sense for every
company to become expert in "big data", finding out what people like, want,
think, from their digital traces? Does it make sense for every online
company to track past, current and future users online? Would that be
cost-effective? Well, not necessarily. And that is why I am expecting new
business models in this space. For example services that track and profile
on the user's behalf and under the user's control; services that make
information available, to advertisers and others, with the user's consent
and yes, why not, for payment.

As we have learned from the advertising sector itself: consumers don't mind
advertising; not even the more targeted kind. What they do mind is the
proliferation of profiles about themselves. Give them knowledge and give
them control, and everything is possible. 

To sum up:

A sound DNT standard will be successful. I have no doubt about that. 

But I am worried about the soundness of what we are getting – and about the
slow speed. Failing to deliver would mean everyone loses. Users miss out on
an easy way to protect their privacy, websites miss out on a simple and
user-friendly way to comply with consent requirements. And, ultimately,
advertisers lose out, too. 

So let's avoid that scenario. I am convinced that a rich standard is still
possible. One that avoids the pitfalls I've mentioned. I realise it may take
a few additional months, but it is still, at the moment, the best outcome
for everyone. 

But time is running out: this is the last opportunity. We must act quickly,
and make DNT available to all Internet users. 

And then, we can concentrate on growing the online economy, and online
privacy, together: WITH users, and not against them