EU privacy rules should encourage businesses to advertise using non-personal data, Sippel says

European telecom and adtech companies should innovate in using non-personal data to advertise, rather than lobbying for lighter EU privacy rules, the European Parliament’s chief negotiator on the file has said.

"I'm not talking about destroying any kind of industry economic area, but we need to be ready, and businesses need to be ready, to change that business model,” Birgit Sippel, a German Socialist member of the EU assembly, told MLex during a recent interview.

Sippel said that telecom companies and Internet platforms should consider economic changes in the next five to 10 years and develop business models based on less intrusive uses of personal data. “The ad industry is not looking into the possibilities to do their job without focusing on very, very targeted individual information about users,” she said.

The e-Privacy Regulation, proposed by the European Commission in January 2017, is still being negotiated between the EU institutions. The parliament held its first talks with national governments on May 20.

Companies and privacy advocates have been frustrated that the talks on the bill have dragged on for years. The commission originally envisaged that the bill would be approved to coincide with the General Data Protection Regulation, which took effect in May 2018.

Governments reached an agreement in February this year on their approach. EU lawmakers agreed their text of the draft bill in October 2017.

Portugal, which is chairing talks among governments for the first half of 2021, will lead the Council of the EU in another round of negotiations on the file in June. Slovenia will then chair the talks in the second half of 2021, though it doesn’t expect to wrap up negotiations with the parliament in that time period.

Discussions are expected to remain difficult as governments’ approaches on sensitive issues such as the processing of metadata on users’ devices, users' consent for cookies, and data retention have put them in direct conflict with the parliament.

The outcome of these talks will be crucial for the telecom industry, which has complained for years that it has been prevented from using metadata and location data in innovative ways, while increasingly having to compete with Internet-based services that do not face such constraints.

Innovative data uses

The legislation will seek to balance businesses’ demands for more flexibility in using personal data - particularly metadata and cookies used for behavioral advertising - with the bloc’s commitment to upholding the strict requirements in the GDPR.

Sippel said EU governments have tipped the balance towards businesses’ needs, rather than protecting privacy and citizens’ fundamental rights.

“My impression is that at least from the Council [of the EU] side, maybe even from some more conservative parties [in the parliament], they are not really talking about balancing, but what they are really talking about is watering down protections, GDPR fundamental rights, to give businesses an opportunity,” she said.

Sippel said that since the GDPR took effect, startups have found ways to use non-personal, anonymized data in innovative ways while still protecting privacy and avoiding profiling.

“If we look into some good ideas of startups, on companies using digitalization in an already privacy-friendly way - in a way where we use digitalization without using personal data - there are a lot of things we can do without interfering in personal data, without interfering in communication,” she said.

For example, companies are using weather data to improve agriculture or sensors to check on plants’ growth, so farmers use less water and pesticides. In cities, buildings that have been deserted because of Covid-19 restrictions can be used for greenhouses, bringing food closer to urban populations, she said.

“We have to keep in mind our responsibility regarding businesses and employment for the future, making use of digitalization to facilitate those people, and that might also include changes in industry,” she said.

But telecom companies and utilities are eager to use vast troves of location and traffic data that can be anonymized. Under the council’s draft text, companies can use metadata that reveals the location, time and identity of persons involved in electronic communications.

They are also allowed the use of personal data for “further compatible processing”- meaning that they can develop new services and compete with Internet-based service providers. The parliament’s draft text, in contrast, restricts the use of this data.

Sippel warned that technologies that collect personal data, such as smart electric meters, could potentially be used for profiling individuals. The issue is how much data companies collect and whether that information could be collected from multiple sources to build up profiles of customers, she said.

“Big companies have a lot of personal data and we think this is wrong because they do profiling, or they sell the data, or the outcome of the analyses of data of many people, so that we are manipulated,” she said.

New data-collection models

Internet platforms are also eager to see how EU negotiators resolve a debate over users’ consent for targeted advertising, particularly after the European Parliament called on the commission last year “to further assess options for regulating targeted advertising, including a phaseout leading to a ban” as part of a separate EU proposal on tech regulation.

Today, a group of 32 human - and digital-rights groups wrote to EU negotiators urging them to impose legally binding privacy controls that would allow users to communicate their preferences for cookies automatically to the sites they visit through their browsers.

During a May 6 discussion* on the e-Privacy legislation, Sippel said websites can be improved through “privacy by design and default” so that users can clearly see buttons for accepting or denying cookies.

When asked during the MLex interview about new models of data collection that don’t rely on processing third-party cookies, Sippel said it’s not easy to say “yes or no” on whether this approach improves personal-data protection.

For example, Google is developing a system to group its users in cohorts of hundreds or thousands of like-minded people, and displaying ads to that aggregated collection of users. The search giant says this approach, dubbed the Federated Learning of Cohorts, will better protect the privacy of individuals.

“The question is - the devil is in the details - how much data from how many people do you have?” Sippel said. “Frankly, I don’t think many people do have those details right now.”

* e-Privacy Regulation: Challenges and Opportunities for Privacy Enhancing Technologies, XXII Permanent Seminary of the Google Chair, May 6, 2021