This report is provided by London partner Quentin Archer:
London, April 25 2012: IAPP Europe is currently holding its Data Protection Intensive 2012 in London, of which Hogan Lovells is a sponsor. The keynote speakers on the first day of the conference were Christopher Graham, UK Information Commissioner, and Terry von Bibra, VP Advertising Marketplaces EMEA for Yahoo! Inc.
Christopher Graham spoke in favour of more proportionate regulation, pointing out that the ICO could not do everything. The ICO was there to promote information rights in general – the right to know as well as the right to privacy.
The ICO keeps track of public concerns. In its 2011 survey, protecting personal information was of more concern to the UK populace than unemployment, health and national security, coming second only to crime.
Enforcement is not the only answer to good regulation. It is also important to empower and educate citizens and businesses.
On cookies, the clock is ticking, as the 26th May deadline is approaching – enforcement will be realistic and pragmatic. The ICO had been asked whether analytics cookies were "essential" and so not subject to regulation. In his personal view the answer was "no", but he was hardly going to put all the work of the office on hold to pursue the issue of analytics and cookies. However, if he found that there were complaints about companies who had really done nothing to attempt to comply with the cookie rules, then we could expect that he would be active.
Very recently the ICO’s staff had been doing mystery shopping to see what personal data was left on discarded storage devices. They had discovered that mobile phones and memory sticks were largely clean, but an alarming number of secondhand hard drives offered for sale contained a worrying amount of corporate and personal information. So an initiative to warn the public about this was being launched today.
The ICO offers a carrot and stick approach to regulation. Its Good Practice function offers free audits to check for compliance and has been very successful. But the stick was the civil monetary penalties, of which there had been fourteen so far. The key point in deciding on a penalty was what the data controller knew about the likelihood of risk. There will be more enforcement, and one can expect a more rigorous approach in some cases.
Revamping the EU Framework will be a long haul. The ICO wants compliance, consistency, co-operation, proportionate intervention and a global perspective. He does not want over-regulation.
Terry von Bibra of Yahoo! pointed out that his company provided an enormous number of free services, all funded by advertising. They have to derive a yield from the pages delivered to users.
At the same time privacy is very important to their users. They had to create a global approach to serve their users.
Yahoo used a Content Optimisation Relevance Engine (CORE) to determine what content was of relevance to users at different times of the day. It personalised the site for users and had improved the click-through rate from the home page by 300%.
This was about using data for the benefit of the user, but of course the same model was used for advertising too.
Now they offer users the chance to personalise their advertising experience, through Yahoo! Ad Interest Manager. This was a good example of privacy by design. The user’s choices are fed back to third parties whose advertisements are displayed on Yahoo! to ensure that the user’s wishes are respected.
Yahoo! is also participating with browser manufacturers in a similar initiative.
On the new EU Regulation, Terry von Bibra favours a good compromise between protecting privacy and delivering to the user the information he or she needs. The rules on consent had to be realistic – it is too hard for small companies to collect data by setting up user accounts, for example.
The right to be forgotten means different things to different people – but it has to be developed in a way which does not harm the rights and interests of other users.
At the heart of the issue, however, is trust – Yahoo! would have no business if it were to lose the trust of its users. Users are concerned with their privacy, but they do not want their user experience to be impaired. That balance has to be respected by both regulators and business.