
EU Data Protection and Privacy Directives


Summary

How can Webtrends’ clients prepare for the new laws? European countries were required to implement the new directive (Directive 2009/136/EC) by May 25, 2011, and until these laws are enacted, there are a few practical steps that Webtrends’ clients can follow in order to prepare for these new laws. These are:

Provide information about all personal data processing to website users

We suggest that this is done through a clearly signposted Privacy Policy that fully explains the use of cookies and other tracking codes for web analytics, web optimization and other online marketing purposes. Since the new rules emphasize transparency, even if you already set out clear information in your Privacy Policy, we suggest that you review the language to ensure that it is as clear and comprehensive as possible.

Obtain the prior consent of website users to the use of their personal data

Your privacy policy should explain to users how they can control the storage of and access to cookies on their devices, and refer them to their browser settings for further information. It should also link to a page providing the information listed above and a clear, user-friendly explanation of the mechanism for refusing to make their personal data available, including the resulting loss of benefits such as ease of login and preference-based content.

Monitor news sources

Webtrends recommends that you monitor news from the EU Commission and national governments over the coming months to determine how this directive will be implemented. The Field Fisher Waterhouse law firm, for example, provides publications and press releases on its web site, http://www.ffw.com/, to which you can subscribe.

Where can I find the text of the directives?

There are several directives to consider:

The original Directive 95/46/EC, often called the Data Protection Directive.
The Privacy Directive 2002/58/EC, designed primarily to address the emergence of mobile devices.
Directive 2009/136/EC, which requires that users give consent prior to the storing of information on their device or access to information already stored on the device.

What’s the object of these directives?

The object of these directives is to ensure users’ (called “data subjects”) right to privacy with respect to the processing of their personal data. In essence, the directives say that any time a user’s personal data is collected and processed other than for the immediate fulfillment of a request, the user must provide prior consent to the use of this data.

Who must comply with data protection law?

The Data Protection Directive establishes the concepts of “controllers” and “processors” and creates specific legal obligations applicable to controllers. A controller is a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In practice, the key aspect of this definition is the ability to decide how personal data is collected, stored, used, altered and disclosed. Webtrends OnPremises customers are the data controllers.

The Data Protection Directive applies to controllers that are either:

Established in a country in the EU, or
Not established in the EU but making use of equipment situated in a country in the EU (except where the equipment is used only for transit purposes).

As a result all EU based controllers must comply with the Data Protection Directive as it is implemented in the EU Member State in which they operate. Likewise, a controller based outside the EU but who uses equipment located in the EU (for hosting personal data, for example) must also comply.

What data is considered personal data?

The precise definition of personal data varies across the EU due to the slightly different ways in which the Data Protection Directives are implemented in law. Fundamentally, personal data is any information that relates to an identified or identifiable living individual (known as a “data subject”). An identifiable individual is a person who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Are IP addresses personal data?

An IP address can be personal data depending on the way in which it is used; if an IP address is processed with the aim of identifying an individual, the IP address may be deemed personal data. The approach taken to IP addresses as personal data differs slightly between EU Member States. Most importantly, some DPAs (Data Protection Agencies), especially in Germany, have taken the position that IP addresses are always personal data. Webtrends clients that are subject to the more restrictive legal interpretations of the directives can implement the changes in their use of Webtrends technology described in Webtrends IP-Less Tracking.

Are cookies personal data?

Cookies are generally regarded as personal data because they are used to track the activities of a computer and differentiate between users. In the context of compliance with data protection laws it is useful to distinguish between “first party” cookies and “third party” cookies.

First party cookies are cookies placed by the operator of the website visited by the user. These cookies enable the website’s operator to advertise its own products or tailor its website to the user based on the information gathered by its own cookies. The website operator will be the controller of the personal data gathered by its own, first party, cookies. Webtrends technology enables the use of first party cookies to collect data.

Third party cookies are cookies sent by an entity other than the domain of the website being visited. Third parties (typically advertising networks) may enter into agreements with a number of partner websites to enable them to serve cookies from those websites and collect information about visitors for the purpose of serving tailored advertising across a number of websites. Where the third party determines the means and purposes of the processing of the personal data it gathers from its third party cookies, it will be a controller and must comply with the Data Protection Directive as it is implemented in the EU Member State in which it operates.

Given the difference between first party and third party cookies, it is important to confirm that a vendor is using a first party cookie to collect data from your websites.

So, is it legal to collect personal data and IP addresses?

Yes, the use of cookies and the collection of personal data remain legal as long as you comply with the EU data protection requirements, such as the consent rules (see “How can consent be obtained?” below).

Is this not just relating to information stored for advertising purposes?

No, the directive applies to any personal data processed entirely or partly by automatic means.

What are the new rules on personal data?

The November 2009 directive 2009/136/EC amended the rules affecting the use of personal data. The revised directive says that the storing of information, or the gaining of access to information already stored, on the device of an Internet user is allowed on the condition that the user concerned has given his or her “prior consent”, having been provided with clear and comprehensive information. Specific laws adopting this new directive must be passed by each European country by May 25, 2011.

How can consent be obtained?

The latest directive, 2009/136/EC, clarifies that consent must be obtained prior to any processing of personal data. The meaning of “consent” should be read in the context of the result that the EU legislators intended to achieve, that is to tackle the problem that unwanted software such as adware, junk, or even viruses and spyware may be installed on a user’s hard drive without their knowledge and consent.

What should you get consent for?

Consent must apply to any processing of the personal data, including storing data on the user’s device (such as with cookies), collecting data from the user’s device, and using this data for subsequent activities (such as behavioral targeting). Note that the directives also apply to data that have not been obtained from the data subject, such as data about the user that you may automatically retrieve from social networks.
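The prior-consent rule described in the last three answers has a concrete consequence for how an analytics tag must be wired: no identifier may be written to or read from the visitor's device until a grant has been recorded, and a refusal must also remove anything stored under an earlier grant. The following is an added illustration of that ordering and is not Webtrends code; the cookie names, the cookie jar and the visitor-id generator are constructed for the example (in a real page the jar would be backed by document.cookie).

```javascript
// Added example (not Webtrends code): a consent gate for a first-party analytics cookie.
// Nothing is stored on the device until the visitor's own action records a decision.

const CONSENT_COOKIE = "analytics_consent"; // assumed name; holds "granted" or "refused"
const VISITOR_COOKIE = "wt_visitor";        // assumed name of the first-party identifier

// Minimal in-memory stand-in for document.cookie so the logic runs outside a browser.
function makeCookieJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// "unknown" until the visitor acts; the gate treats "unknown" exactly like "refused".
function consentState(jar) {
  const v = jar.get(CONSENT_COOKIE);
  return v === "granted" || v === "refused" ? v : "unknown";
}

// Record the visitor's decision. A refusal (or withdrawal of an earlier grant)
// also deletes the identifier so that no further reads can rely on it.
function recordConsent(jar, decision) {
  if (decision !== "granted" && decision !== "refused") {
    throw new Error("decision must be 'granted' or 'refused'");
  }
  jar.set(CONSENT_COOKIE, decision);
  if (decision === "refused") jar.remove(VISITOR_COOKIE);
}

// Called on every page view. Returns what was (or was not) sent so the caller can
// verify that no identifier is created or read without a prior grant.
function trackPageView(jar, path, newId) {
  const state = consentState(jar);
  if (state !== "granted") {
    // The page still works; the analytics call that needs device storage is skipped.
    return { sent: false, path, visitorId: null, reason: state };
  }
  let id = jar.get(VISITOR_COOKIE);
  if (id === null) {
    id = newId();                 // identifier is minted only after consent
    jar.set(VISITOR_COOKIE, id);
  }
  return { sent: true, path, visitorId: id, reason: state };
}
```

The same structure applies to any other value the tag would persist (campaign or session cookies): route every write and read through the gate rather than checking consent only when the banner is shown.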

Disclaimer: This information is not intended to constitute legal advice and should not be relied upon in lieu of consultation with appropriate legal advisers in your own jurisdiction. It may not be current as the laws in the area of Internet privacy change frequently.

More Information

Excluding IP addresses in Webtrends