One year ago, the U.K. Information Commissioner's Office (ICO) published a new set of guidelines to help companies achieve compliance with amendments made to the European Union's Directive on Privacy and Electronic Communication (E-Privacy Directive) in 2009. After a year-long grace period, the revised laws went into effect across the U.K. on May 26. However, recent comments – and a last-minute change – made by the ICO have some declaring the move just another chapter in a line of toothless enforcement efforts.
EU data privacy through the years
The roots of this legislation can be traced back to the EU Data Protection Directive issued in 1995. While this marked an important step in safeguarding consumer information, there were a few inherent weaknesses.
According to CIO.com, the move followed the EU tradition of issuing directives as opposed to concrete regulation. As a result, member nations have adopted a "patchwork quilt" of their own laws in the intervening years, making international commerce a particularly complicated and confusing pursuit. Additionally, the directive was published three years before Google was even incorporated, leaving it woefully underprepared to speak on data security issues of the digital age.
To better align with the times, the original E-Privacy Directive made its debut in 2003 as regulators realized the need to provide prescriptive advice on how to best safeguard consumer information in the Internet age. In 2009, an amendment was passed requiring consent before any web service could store or access information held or generated on users' machines. Most notably, this applied to cookies used to document and analyze website traffic.
EU member states were then given until May 25, 2011, to incorporate these provisions into their own local frameworks. As the U.K. did so, it essentially imposed a one-year grace period in which it offered private sector companies advice and recommendations on how to revise their protocols for full compliance.
But as the expiration date approached, many were wondering if the ICO was actually ready to move beyond the role of benevolent advisor to strict regulator.
The business community responds
A certain degree of pushback can be expected anytime a new set of regulations is imposed on private sector companies. But the response to this particular directive has ranged from victimization to outright defiance.
The first argument provided by the business community tends to be a financial one, with many companies suggesting that the cumbersome compliance requirements could severely limit their commercial potential.
"We're ignoring it and waiting to see who gets sued and what happens," one London-based startup founder explained in an interview with GigaOM. "We have a ton of revenue-generating work that needs to be done. This is just a distraction that does nothing for the business except waste time and resource."
The impact could be especially potent in the arena of cloud computing. According to CIO.com, European companies may be discouraged from partnering with cloud service providers outside of the EU – or even their own country – considering the complexity and level of detail required to conduct comprehensive audits and confirm compliance.
The hurdles set up for cloud-based companies have also been taken as an indicator that the ICO and EU regulators at large do not have a clear understanding of digital business models. The crackdown on cookies that is so central to the data privacy reforms could cripple modern marketing efforts.
According to Ad Age's Shaina Boone, the law could significantly erode the quality of experience available to the Internet consumer. With no data to inform their decisions, companies will struggle to recognize emerging demands and improve their products and services.
"If you opt out [of cookies], the next time you go to Netflix, you won't receive any movie recommendations because Netflix won't remember what you've watched in the past," Boone wrote. "Amazon's famed 1-Click experience will have to be replaced by 15 clicks. Ratings and reviews will cease to exist, effectively silencing the critic in all of us."
It remains to be seen how consumers will balance convenience and privacy when presented with a full explanation of web-tracking and an opt-out procedure, but early results have given at least some credence to digital marketers' claims that the sky could be falling.
After the ICO included an opt-out clause on its site in May 2011, Chinwag blogger Sam Michel placed a Freedom of Information request for the web logs. As it turns out, there was a 90 percent drop in the number of website visitors willing to accept Google Analytics cookies. Applied in a commercial context, that could seriously compromise any number of digital business models that have popped up in the last five years.
ICO cedes ground with 'implied consent'
In an 11th hour maneuver, the ICO has made a concession that has left some scratching their heads and others downright infuriated. According to the Guardian, the cookies policy was "watered down" hours before it was supposed to go into effect by deferring to a framework of "implied consent."
"This is a striking shift. Previously the ICO said that implied consent would be unlikely to work," marketing and privacy law expert Osborne Clarke told reporters. "Now it says that implied consent is a valid form of consent."
By placing a greater burden on end users to make an informed decision, it seems clear that the ICO may have caved to criticism from the business community. According to the Guardian, it was only six months ago that regulators asserted that the general awareness for data protection mechanisms simply wasn't there yet. Now a "dramatic change" has come hours before the deadline and essentially nullified the efforts of companies that had diligently been reconfiguring their websites at their own expense.
What's more, this update could very well put the U.K. out of step with continental data security provisions and amplify the prevailing confusion across the EU's 27 member states.
In the end, the UK cookie amendment seems to be just the latest example of lofty rhetoric boiling down to toothless legislation. Even before the concession was made, companies seemed confident that they could delay progress and evade prosecution. Now, regulators may have indirectly issued them a warrant to do so.
Data Security News from SimplySecurity.com by Trend Micro