Should we worry about filter bubbles? external link

Zuiderveen Borgesius, F., Trilling, D., Trilling, D., Bodó, B., Vreese, C.H. de & Helberger, N.
Internet Policy Review, vol. 5, num: 1, 2016

Abstract

Some fear that personalised communication can lead to information cocoons or filter bubbles. For instance, a personalised news website could give more prominence to conservative or liberal media items, based on the (assumed) political interests of the user. As a result, users may encounter only a limited range of political ideas. We synthesise empirical research on the extent and effects of self-selected personalisation, where people actively choose which content they receive, and pre-selected personalisation, where algorithms personalise content for users without any deliberate user choice. We conclude that at present there is little empirical evidence that warrants any worries about filter bubbles.

behavioural targeting, Big data, frontpage, Personal data, profiling

Bibtex

Article{Borgesius2016, title = {Should we worry about filter bubbles?}, author = {Zuiderveen Borgesius, F. and Trilling, D. and Bodó, B. and Vreese, C.H. de and Helberger, N.}, url = {http://policyreview.info/node/401/pdf}, doi = {https://doi.org/10.14763/2016.1.401}, year = {0401}, date = {2016-04-01}, journal = {Internet Policy Review}, volume = {5}, number = {1}, pages = {}, abstract = {Some fear that personalised communication can lead to information cocoons or filter bubbles. For instance, a personalised news website could give more prominence to conservative or liberal media items, based on the (assumed) political interests of the user. As a result, users may encounter only a limited range of political ideas. We synthesise empirical research on the extent and effects of self-selected personalisation, where people actively choose which content they receive, and pre-selected personalisation, where algorithms personalise content for users without any deliberate user choice. We conclude that at present there is little empirical evidence that warrants any worries about filter bubbles.}, keywords = {behavioural targeting, Big data, frontpage, Personal data, profiling}, }

Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation external link

Computer Law & Security Review, num: 2, pp: 256-271., 2016

Abstract

Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.

behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking

Bibtex

Article{nokey, title = {Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733115}, year = {0223}, date = {2016-02-23}, journal = {Computer Law & Security Review}, number = {2}, abstract = {Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.}, keywords = {behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking}, }

Online Price Discrimination and Data Protection Law external link

Abstract

Online shops can offer each website customer a different price – a practice called first degree price discrimination, or personalised pricing. An online shop can recognise a customer, for instance through a cookie, and categorise the customer as a rich or a poor person. The shop could, for instance, charge rich people higher prices. From an economic perspective, there are good arguments in favour of price discrimination. But many regard price discrimination as unfair or manipulative. This paper examines whether European data protection law applies to personalised pricing. Data protection law applies if personal data are processed. This paper argues that personalised pricing generally entails the processing of personal data. Therefore, data protection law generally applies to personalised pricing. That conclusion has several implications. For instance, data protection law requires a company to inform people about the purpose of processing their personal data. A company must inform customers if it personalises prices.

Consumer law, cookies, Data protection law, discrimination, Grondrechten, Personal data, personalised prices, Price discrimination, Privacy, tracking

Bibtex

Article{nokey, title = {Online Price Discrimination and Data Protection Law}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2652665}, year = {0901}, date = {2015-09-01}, abstract = {Online shops can offer each website customer a different price – a practice called first degree price discrimination, or personalised pricing. An online shop can recognise a customer, for instance through a cookie, and categorise the customer as a rich or a poor person. The shop could, for instance, charge rich people higher prices. From an economic perspective, there are good arguments in favour of price discrimination. But many regard price discrimination as unfair or manipulative. This paper examines whether European data protection law applies to personalised pricing. Data protection law applies if personal data are processed. This paper argues that personalised pricing generally entails the processing of personal data. Therefore, data protection law generally applies to personalised pricing. That conclusion has several implications. For instance, data protection law requires a company to inform people about the purpose of processing their personal data. A company must inform customers if it personalises prices.}, keywords = {Consumer law, cookies, Data protection law, discrimination, Grondrechten, Personal data, personalised prices, Price discrimination, Privacy, tracking}, }

Personal data processing for behavioural targeting: which legal basis? external link

International Data Privacy Law, 2015

Abstract

Key Points:
The European Union Charter of Fundamental Rights only allows personal data processing if a data controller has a legal basis for the processing.
This paper argues that, in most circumstances, the only available legal basis for the processing of personal data for behavioural targeting is the data subject's unambiguous consent.
Furthermore, the paper argues that the cookie consent requirement from the e-Privacy Directive does not provide a legal basis for the processing of personal data.
Therefore, even if companies could use an opt-out system to comply with the e-Privacy Directive's consent requirement for using a tracking cookie, they would generally have to obtain the data subject's unambiguous consent if they process personal data for behavioural targeting.

behavioural targeting, Grondrechten, Personal data, Privacy

Bibtex

Article{nokey, title = {Personal data processing for behavioural targeting: which legal basis?}, author = {Zuiderveen Borgesius, F.}, url = {http://idpl.oxfordjournals.org/content/early/2015/06/23/idpl.ipv011.abstract?keytype=ref&ijkey=vlrPCGCUMXW8kAz}, year = {0625}, date = {2015-06-25}, journal = {International Data Privacy Law}, abstract = {Key Points: The European Union Charter of Fundamental Rights only allows personal data processing if a data controller has a legal basis for the processing. This paper argues that, in most circumstances, the only available legal basis for the processing of personal data for behavioural targeting is the data subject's unambiguous consent. Furthermore, the paper argues that the cookie consent requirement from the e-Privacy Directive does not provide a legal basis for the processing of personal data. Therefore, even if companies could use an opt-out system to comply with the e-Privacy Directive's consent requirement for using a tracking cookie, they would generally have to obtain the data subject's unambiguous consent if they process personal data for behavioural targeting.}, keywords = {behavioural targeting, Grondrechten, Personal data, Privacy}, }

The Court of Justice and the Data Retention Directive in Digital Rights Ireland external link

European Law Review, num: 6, pp: 835-850., 2015

Abstract

In Digital Rights Ireland, the Court of Justice invalidated the 2006 Data Retention Directive, which required private providers to retain for a considerable period electronic communication metadata for law enforcement purposes. In this landmark ruling, the EU judiciary introduced a strict scrutiny test for EU legislative acts that interfere seriously with important rights protected by the Charter of Fundamental Rights and the European Convention on Human Rights—in this case, the rights to privacy and data protection—and applied a rigorous assessment of the proportionality of the measure under the Charter, criticising numerous aspects of the Directive. This article presents and analyses the judgment, discussing its implications for constitutional review and constitutionalism in the European Union, and the substantive and procedural constraints that it imposes on EU and national data retention schemes. It concludes by reflecting on the ruling’s impact on European integration and data related policies.

Data protection, data retention, electronic communications, EU law, Fundamental rights, Grondrechten, Ireland, Personal data, Privacy, proportionality

Bibtex

Article{nokey, title = {The Court of Justice and the Data Retention Directive in Digital Rights Ireland}, author = {Irion, K.}, url = {http://www.ivir.nl/publicaties/download/1456.pdf}, year = {0115}, date = {2015-01-15}, journal = {European Law Review}, number = {6}, abstract = {In Digital Rights Ireland, the Court of Justice invalidated the 2006 Data Retention Directive, which required private providers to retain for a considerable period electronic communication metadata for law enforcement purposes. In this landmark ruling, the EU judiciary introduced a strict scrutiny test for EU legislative acts that interfere seriously with important rights protected by the Charter of Fundamental Rights and the European Convention on Human Rights—in this case, the rights to privacy and data protection—and applied a rigorous assessment of the proportionality of the measure under the Charter, criticising numerous aspects of the Directive. This article presents and analyses the judgment, discussing its implications for constitutional review and constitutionalism in the European Union, and the substantive and procedural constraints that it imposes on EU and national data retention schemes. It concludes by reflecting on the ruling’s impact on European integration and data related policies.}, keywords = {Data protection, data retention, electronic communications, EU law, Fundamental rights, Grondrechten, Ireland, Personal data, Privacy, proportionality}, }