Response to the consultation by the Department for Business Innovation and Skills regarding its proposals for implementing the revised EU Electronic Communications Framework
This is a collaborative submission from a group of academics based in the UK with expertise in information technology law and related areas. The preparation of this response has been funded by the Information Technology Think Tank, which is supported by the Arts and Humanities Research Council and led by the SCRIPT/AHRC Centre for Research in Intellectual Property and Technology, University of Edinburgh.
This response has been prepared by Ms Judith Rauhofer and Dr Christopher Marsden, University of Essex. Important contributions to preparing the response were also made by Dr Ian Brown, Oxford Internet Institute, University of Oxford and Professor Burkhard Schafer, University of Edinburgh. In addition, this response is submitted by the following individuals: Dr Abbe Brown, SCRIPT, University of Edinburgh, and Professor Abdul Paliwala, University of Warwick
Questions and Responses
Questions 1 to 9
No response is provided to questions Q1 to Q9.
Minimum quality of service (Network Neutrality)
Although the consultation document does not seek views in relation to the government’s plans for the establishment of a minimum service requirement under Article 22(3) of the Universal Service Directive, the authors would like to raise the following issues.
In paragraph 188 of the consultation document, the government states that it proposes;
‘to implement the changes to Article 22(3) [Universal Service Directive] through a minor amendment to the Communications Act to give Ofcom the necessary power [to impose minimum quality of service obligations on electronic communications network and service providers]. On 24 June 2010, Ofcom published a consultation document on traffic management, where it states that its likely initial view would be to explore existing competition tools and consumer transparency options before considering using these powers. Ofcom’s consultation closed on 9th September 2010’. 
BIS has publicly stated that issues concerning the open Internet and network neutrality are too broad-ranging and politically important to be left to the regulator. The Minister has recently affirmed, corrected and reaffirmed his commitment to an open Internet, and claimed to agree with Sir Tim Berners Lee on the centrality of network neutrality to freedom of expression and Internet innovation.  The Impact Assessment and overall Framework fails to consider the need for ex ante provisions beyond competition powers and consumer transparency, simply stating a binary 0 or 1 option. At p. 99 of the Impact Assessment, it is stated that:
‘[c]urrently consumers are not always provided with all the information about terms and conditions and the quality of service they can expect, or are provided with the information in a way that is not user friendly, when making decisions and they may therefore make sub-optimal decisions.’
However, the remedy to this is only considered in relation to disabled users, though logically one can extend the chosen path with that for general users: ‘Ofcom is likely to consider using existing competition tools and consumer transparency options before considering using this power.’ 
Option 2, to extend powers to provide a further set of potential tools for intervention, should have been considered, as the French regulator, Autorité de Régulation des Communications Électroniques et des Postes (ARCEP) has done with its ‘Ten Network Neutrality Principles’ under the proposed French intervention.   The fact that BIS and Ofcom do not yet agree with such a policy does not mean excluding an Option 2 from the Impact Assessment. Not to consider a further alternative is poor Impact Assessment practice.
Questions 11 and 12
No response is provided to Q11 and Q12.
Breach of Personal Data and Penalties
We welcome suggestions as to how the provisions of the Directive could be better enforced.
The enforcement of data controllers’ compliance with the EU data protection framework has long been blighted by the lack of an effective enforcement regime. This has been recognised by the European Commission on many occasions, most recently in the Commission’s Communication ‘A comprehensive approach on personal data protection in the European Union’.  As a result, the need to provide ‘a stronger institutional arrangement for the effective enforcement of data protection rules’ and to make ‘remedies and sanctions more effective’ constitute two of the core challenges faced by the European Commission when reviewing the provisions of the 1995 Data Protection Directive.
Similar considerations informed the inclusion of a new Article 15a(1) in the revised ePrivacy Directive which requires member states to adopt rules on ‘effective, proportionate and dissuasive’ penalties, including criminal sanctions where appropriate, for infringements of national data protection provisions, and to take all measures necessary to ensure that those penalties are implemented.
The recent expansion of the Information Commissioner’s enforcement powers which were introduced through the Criminal Justice and Immigration Act 2008 and the Coroners and Justice Act 2009 are likely to go some way towards achieving that objective. In particular, the Information Commissioner’s power under section 55A of the Data Protection Act 1998 to impose a fine of up to £500,000 for serious contraventions of the Act, is likely to deter many small to medium enterprises that act as data controllers and for whom such a fine would have a noticeable impact on profit. However, it is questionable whether even a fine of £500,000 may act as a sufficient deterrent for large multinational companies where the cost of compliance with data protection requirements may exceed the potential value of a fine. Better deterrents may have to be put in place in relation to this type of data controller.
A decision by the Home Secretary to exercise her power under section 77 of the Criminal Justice and Immigration Act 2008 to issue secondary legislation to introduce custodial sentences of up to 12 months on summary conviction, and up to two years imprisonment for a conviction on indictment for those involved in the illegal trade of personal information may also contribute to improved compliance with the data protection framework. The threat of custodial sentences often serves to ‘concentrate the CEOs mind’ and the introduction of such sentences may therefore motivate the company officers which may be liable under the relevant provisions to put in place more effective procedures for compliance with data protection requirements. However, in view of the government’s plans to reduce the prison population and to limit the use of custodial sentences as much as possible, it is at least questionable whether the adoption of criminal sanctions is desirable from a public policy point of view.
It would therefore be useful to consider other types of sanctions directed, among other things, at the way in which violations of the framework are policed, the way in which they are publicized and the way in which company officers are incentivised to ensure compliance by their company.
Policing of violations
Currently, the Information Commissioner may only serve an assessment notice under section 41A(2) of the Data Protection Act 1998 on government departments or on a public authority or a person of a description specifically designated for that purposes. As part of the notice, the Information Commissioner can impose a requirement on the data controller to submit to a compulsory audit. This permits him, among other things, to enter specified premises at little or no notice. The majority of private data controllers are currently exempt from this provision which considerably affects the Information Commissioner’s ability to carry out unannounced audits of those private controllers data processing activities where he suspects a breach of any of the provisions of the Act. The government should therefore consider to expand the Information Commissioner’s powers under section 41A(2) of the Act to private data controllers. Such an expansion of powers should be accompanied by an increase in funding for the Information Commissioner to ensure that the Commissioner can carry out his obligations adequately and effectively.
Notification of data security breaches
Article 4(3) of the ePrivacy Directive as revised requires member states to ensure that certain data controllers must notify a personal data breach to the competent national authority (and, where appropriate to the data subjects affected by the breach) without undue delay. As set out in the Impact Assessment, the notification of data breaches is designed to provide consumers with information about which service providers have suffered breaches, so they are able to make informed decisions when deciding to whom to give personal data.
At the moment, the notification requirement is limited to providers of publicly available communications services. The effectiveness of this notification regime should be kept under review. If it proves effective, the UK government should advocate the extension of the requirement to all other data controllers in the context of the upcoming review of the 1995 Data Protection Directive. In this context that Information Commissioner’s office should be encouraged to collect the necessary statistical information that will enable the government to compare the effectiveness of the new system in accordance with a number of pre-agreed indicators.
Incentivising company officers
It is widely accepted in professions that the threat of losing the right to practice or be commercially active in that profession acts as a strong incentive to comply with the rules of conduct of that profession. In addition, in the context of company law, various provisions of the Company Directors Disqualification 1986 provide for the disqualification of a company director in cases where he is convicted of an indictable offence, where there has been a persistent breach of the company’s obligation to comply with provisions of the companies legislation requiring any return, account or other document to be filed with Companies House, or where the director is seen as unfit to lead a company for other reasons. The government should consider whether provisions should be introduced which allow for the disqualification of a company director if the company is found to have been in serious or persistent breach of any of the provisions of the Data Protection Act 1998.
Alternatively, the government could introduce an obligation on companies to include a statement that it has complied with its obligations under the Act as part of its annual return under companies legislation. Such a statement should be based on an annual internal audit of the company’s data processing activities. Any breach of this obligation may result in the disqualification of the director responsible under section 3(1) of the 1986 Act. This approach would not only strengthen enforcement, it would also encourage companies publicly to take responsibility for their data processing activities. It would also complement an approach recently suggested by the Article 29 Working Party that the revised Data Protection Directive should include a new ‘accountability principle’. 
We welcome views on our proposed approach to implement the amendments to the Directive in relation to cookies by way of copying out the Directive text.
While the implementation of the amendments to the Directive by way of copying out the Directive text would ensure the UK’s compliance with its obligations under EU law, the text in question is ambiguous and open to a variety of interpretations. Many of the industry standards to be developed in this area will depend on the guidance provided by relevant data protection authorities. The Impact Assessment seems to suggest that the UK government expects much of this guidance to be developed by the Information Commissioner’s Office which, the government concludes, should be given ‘the flexibility to adjust to changes in usage and technology’.  However, if interpretation of the relevant provisions is left to the national regulator, it is likely that national regulators in different EU member states will exercise their discretion in different ways. Given the global nature of the electronic communications market such an approach is therefore bound to create a number of practical problems for data subjects as well as online providers.
Protection of individuals’ privacy
- while cookies and/or the information they transmit may not be able to identify a living individual on their own, they may well be able to do so in combination with other information held by the recipient of the transmitted information or a third party. This is particularly true in the case of ‘first party cookies’ which are commonly used by online providers for session management, personalisation and recognition purposes where the information transmitted by the cookie is later combined with the personal information the internet user has provided to the provider in the course of a sale or other contact.
- the use of anonymous cookies by the website owner or by online advertising companies (‘third party cookies’) for the purpose of tracking an internet user’s personal browsing habits can still affect individual user’s rights if the information gathered about the user allows for the potential identification of the user through ever more sophisticated systems of profiling and data mining. 
- online behavioural data generated by individual users and collected and mined by online providers and online advertising networks may cause economic harm to the user in question despite the fact that the user’s actual identity may never be ‘reverse engineered’. This may be the case, for example, if that behavioural data is used for the purpose of automated, dynamic pricing  where the price quoted to an individual user for certain goods or services is based on the provider’s expectation of the amount that user is willing or able to pay. Such pricing is likely to be discriminatory if the individual user has no means to discover that the price quoted to him is different from that quoted to another internet user.
In practice, as the Article 29 Working Party pointed out in its recent Opinion on online behavioural advertising , only one of the four most popular commercial browsers rejects third party cookies by default. The majority of browsers are therefore set up to accept cookies unless the user makes a conscious decision to change those settings. The information that online providers give to internet users in order to comply with their information obligation under Article 5(3) reflects this reality. It usually consists of an acknowledgement in providers’ privacy policies that
- cookies are stored on the users’ equipment; and
- a more or less detailed description of how to change browser settings from the ‘accept cookies’ default to a ‘reject cookies’ setting. 
The government’s contention in the Impact Assessment, that following the introduction of the revised provision ‘users will be able to make informed changes to the browser settings to suit their individual privacy needs and should therefore feel more confident using the internet’ therefore ignores the fact that users are already able to make those changes based on the information provided to them now. The only practical change that the government’s proposal is likely to bring about is a change in the wording of the providers’ privacy policies. Where, currently, providers inform users on how to exercise their right to opt out of receiving cookies, under the government’s proposals, providers would most probably use their privacy policies to inform users of the browser’s likely default setting to accept cookies and to imply the users’ opt-in consent to those default settings.
The basic problem with this approach results from the fact that, as is widely recognised, internet users do not, as a rule:
- read privacy policies before using an online services. These policies are usually complex documents which users often find difficult to understand. Users also feel that as these policies are non-negotiable, they have little to gain from familiarising themselves with their content if their decision to use the service in any case has already been made.
- make changes to the browser settings even where the way in which this is to be achieved is explained to the user in plain English. This is partly because of user inertia and partly because of a well-known propensity for accepting default settings of technology for fear of upsetting the functioning of that technology. The latter is particularly understandable in the case of cookie settings as most providers’ privacy policies make it abundantly clear that refusing cookies may result in a loss of functionality of the online service.
It is true, as the Impact Assessment points out, that an increase in users who block cookies may result in a loss of revenue generated by behavioural and interest based advertising which enables many online services to be provided at no financial cost to users. Any changes to the current set-up will therefore have to balance the internet users’ right to privacy with the online providers’ commercial objectives and the internet users’ interest in being able to obtain online services at low or no cost. However, the ‘loss-of-revenue’ argument must be seen as only one of the elements that should be taken into account when deciding on the level of regulation required in this context. In particular, it should not, of itself, be used to justify the continued and unchecked right of online services to base their revenue models on such a privacy-intrusive technology. To do so would not only mean that the government values the interests of businesses in revenue generation above the interests of consumers. It would also provide online providers with no incentive to develop other, less privacy-intrusive means of generating income from the services they offer. Consumers will often be willing, out of a lack of knowledge or because they are in an inferior bargaining position, to agree to contractual provisions which ultimately harm their interests. This problem has been recognised and much of consumer protection legislation is aimed at preventing sellers and service providers from exploiting this situation by prohibiting the inclusion of certain provisions in consumer contracts. There is no reason, why similar considerations should not play a part when looking at internet users’ ability or willingness to protect their own privacy, given that many users will not be able properly to evaluate the full consequences of the decisions they are making (or, in the case of default settings, they are choosing not to make).
Browser-control-resistant identifiers (‘Flash cookies’ and similar)
In addition, the use of browser settings is unlikely to address the problems created through the use of identifiers (including user agents, add-ons, plug-ins and other cookie type data collection tools) that cannot currently be blocked by the privacy and security settings of most commercial browsers. These identifiers are often known as ‘flash cookies’ after a plug-in of the Adobe Flash software. Experience has shown that these browser-control-resistant identifiers are more and more widely used, particularly for the purpose of tracking user behaviour. 
It is clear that the use of browser settings to obtain user consent that is envisaged in Recital 66 of the Citizens’ Rights Directive is unworkable in relation to browser-control-resistant identifiers. Although users of such identifiers might argue that an internet user’s consent to accept cookies - as expressed through his browser settings - should also permit the storage of those identifiers, from the user’s perspective, this expectation is unreasonable. A device that will not be affected by a clear user choice to block it, should not be able to benefit from a general user choice to ‘accept cookies’ which will often be made without the user even being aware of the existence of such browser-control-resistant agents.
As current technology is incapable of dealing with these identifiers, regulatory or self-regulatory intervention may be necessary to achieve the policy objective set out in Article 5(3) of the revised ePrivacy Directive. Although it is likely that personal data collected by those agents will always be collected in contravention of the Data Protection Act 1998 and the ePrivacy Regulations (unless those who use those agents obtain consent by other means), detection of the use of those agents is difficult and time-consuming. In practice, it will therefore be almost impossible for the Information Commissioner’s Office to enforce the law against everyone who uses browser-control-resistant identifiers to collect personal data in contravention of the user’s browser settings.
In addition, many browser-control-resistant identifiers have the ability to reinstate (‘re-spawn’) traditional cookies connected to them even after the user deleted those traditional cookies. Because of this ability ‘to bring back the dead’ they are often known as ‘zombie cookies’. This is a deceptive practice, which clearly contravenes user choice and which circumvents existing browser technology. The government’s proposals set out in the consultation document and the impact assessment would have no effect on the continued use of this technology.
Legal certainty and European harmonisation
Consequently, providers situated in the UK will not be able to rely on, or benefit from, the relaxed approach outlined in the government’s preferred option (Option 2), if they wish to offer goods and service to customers in other EU member states where a more restrictive interpretation of the Directive’s provisions may apply. As a result, providers may prefer a slightly more restrictive interpretation of the ways in which they can achieve compliance with the requirements of Article 5(3) as amended provided that this interpretation represents a harmonised approach across all EU member states which would allow providers to trade freely across EU borders without having to invest time, money and expertise in achieving compliance with the requirements of different legal systems.
- the new provisions are interpreted in a way which ensures that users’ decision to change browser settings to ‘accept cookies’ will be accepted as their express consent to providers’ processing of the information transmitted by those cookies across all EU member states;
- providers, including providers of third party cookies, will be required to provide clear, comprehensive and fully visible information about their processing activities;
- it should be made clear that the procedure for obtaining consent set out in Recital 66 does not apply to browser-control-resistant identifiers. Ideally, manufacturers of those agents should be encouraged to re-configure them in a way that allows internet users to control their use via browser settings. Where this is not possible, it should be made clear that the use of browser-control-resistant identifiers to collect personal data and to track internet user behaviour is subject to obtaining the user’s express consent (for example, via a tick box or a pop-up window).
- re-spawning traditional cookies after they have been deleted by users should be prohibited by law.
- the national regulator should be given appropriate resources to enforce the existing legal provisions against providers who are in breach of the ban on the use of ‘re-spawning’ devices and who use browser-control-resistant identifiers with obtaining the user’s express consent. Individual data subjects as well as consumer protection organisations should be provided with enforceable remedies against those providers.
Impact Assessments and Equality Impact Assessment
The Government invites views and comments from respondents on the impact assessments and equality impact assessment which have been produced to support implementation of the revised electronic communications Framework.
New information provision requirements (IA No: BIS0109)
In Impact Assessment Number BIS0109, the government proposes to insert a new requirement on providers of providers of publicly available electronic communications services ‘to have a procedure in place to be able to respond to request for information from the police or security services’ in the Regulations intended to implement the amendments to the ePrivacy Directive in the UK. The decision to introduce such an obligation is surprising given that:
- the government fails to mention this proposal in the Consultation Paper to which the Impact Assessment relates. This runs the risk that it may be overlooked by many respondents to the consultation and that the proposal will not receive the public scrutiny it deserves;
- it is not mandated in any way by the provisions of the Citizen’s Rights Directive that the current legislative proposal is designed to transpose but is included in addition to those provisions. This approach is in stark contrast to the government’s own promise in the context of this consultation paper, that it ‘will be implementing the amendments associated with the revised Framework ... in a proportionate manner to achieve the desired outcomes without gold-plating’. 
The introduction of such an obligation in the context of this consultation is undesirable for a number of reasons:
- Provisions regulating access by public authorities to information held by communication service providers (usually communications/traffic data and intercepted electronic communications) are already included in the Acquisition and Disclosure of Communications Data Code of Practice and the Interception of Communications Code of Practice brought into force under section 71 of the Regulation of Investigatory Powers Act 2001 (‘RIPA’). They cover in some detail the steps which service providers must take in order to assist public authorities in relation to information disclosure requests. It therefore questionable whether additional provisions governing the modalities of data transfers from communications services providers to public authorities are necessary in practice.
- While it would be useful to provide the Information Commissioner’s Office with powers of oversight over the extent to which public authorities make use of their rights under RIPA to request individuals’ personal information from communications service providers, it has generally been accepted that in the UK this power is exercised by the Interception of Communications Commissioner who addresses this issue as part of his annual report. Although it has been shown in a different context, that there may be gaps between the oversight powers of the Interception of Information Commissioner and the Information Commissioner which need to be closed  it seems curious that the Information Commissioner’s Office should be required to use its already insufficient resources to police the establishment of procedural rules designed to facilitate the provision of information over which the Information Commissioner lacks jurisdiction. The government should not use the Information Commissioner’s Office as an ‘enforcement agent’ for the police and security service whose duties include the obligation to ensure that those services can access the information they request in the most efficient way.
- The fact that communications service providers will be expected to bear the costs of establishing the relevant procedures contradict the government’s frequently published intentions that it intends to minimise the organisational and economical cost of regulatory compliance on business.
If the government feels that the provisions of the existing codes of practice need to be amended or supplemented in any way, it would be prudent that proposals for such amendments should be the subject of a separate consultation. This is true, in particular, given the controversy that arose when the above codes of practice were first published and the impact which the imposition of additional requirements is likely to have, both on the commercial (and hence competitive) position of UK communications service providers and the rights of individuals to the protection of their personal data. The government should provide a more substantive explanation of why it feels that the existing provisions are not sufficient and why it feels that it must impose more structured requirements on providers. Oversight of the way in which providers comply with their information requirements must be specifically addressed. The government should also make it clear whether the proposed new information requirement is designed to allow public authorities the right to access personal information which may not currently be covered by any of the existing regulations.
Regard to consumer needs
The proposals made are certainly more attentive to the government’s Code of Practice on Consultation and the advice of the Better Regulation Executive than the extraordinary method chosen to consult ‘stakeholders’ on RIPA amendments to assuage the European Commission after the PHORM debacle.  The authors strongly suggest that, for future consultations, the government should improve its consultation practice, taking into account consumer needs by degrouping its list of consultees. ‘Interest groups’ currently only accounts for business lobbies and a few government funded consumer groups.
The government should add such institutions as the Foundation for Information Policy Research, Privacy International, Creative Commons UK and the Open Rights Group - clearly these are expert and consumer-interest groups whose input would make the government’s consultations more effective, not least because they would provide a ‘critical friend’ role that the Communications Consumer Panel claims but does not always achieve. A category called ‘Civil Society and Consumer’ would help the government to identify such general groups, in addition to other ‘Third Sector’ groups which comprise those representing particular affected constituencies. This would better conform to Impact Assessment state-of-the-art.
 See http://www.bis.gov.uk/Consultations/revised-eu-electronic-communications-framework?cat=open. This response has been approved by the Executive of BILETA (the British and Irish Law, Education and Technology Association (http://www.bileta.ac.uk/default.aspx) and is therefore submitted on behalf of BILETA.
 Ms Judith Rauhofer specializes in cyberlaw, online privacy and data protection. She is dually qualified in Germany and the UK as a Rechtsanwältin and Solicitor respectively and has spent five years working in legal practice. She is currently employed as data protection editor by an online legal information service in London while completing a doctoral thesis on the human rights implications of data retention at the University of Vienna. She has held a number of academic positions; most recently she worked as a Research Fellow for the Centre of Law, Information and Converging Technologies at the University of Central Lancashire. She is a member of the Executive of the British & Irish Law, Education & Technology Association (BILETA).
 Dr Christopher T. Marsden is Senior Lecturer at the School of Law of the University of Essex, Colchester, UK and a Fellow of both Keio University http://www.keio.ac.jp/english/research/atoz_it_its.html) and GLOCOM, International University of Japan (http://www.glocom.ac.jp/e/organization/).
He has published on network neutrality and other issues surrounding bottleneck gatekeepers in European communications since 1997. He has also consulted for various Member State governments including the Department for Trade and Industry and Ofcom on Internet content regulation , the European Commission itself, the OSCE and Council of Europe, as well as non-EU governments and private corporations and thinktanks during that period. His most recent book is ‘Net Neutrality: Towards a Co-regulatory Solution’ (Bloomsbury Academic, London, 2010) (http://www.bloomsburyacademic.com/view/NetNeutrality_9781849662192/book-ba-9781849662192.xml?mode=book&page=1&pageSize=8&result=1&resultPage=/search&sortBy=ft:score($doc)&t1=1222|Information+and+Communications+Technology).
His blog on network neutrality in Europe has received more than 30,000 viewings in 2010 http://chrismarsden.blogspot.com/). He has also responded by invitation to the FCC network neutrality consultation as noted by ‘Washington Watch’ (https://www.neca.org/cms400min/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=2979), and to the European Commission consultation. (http://www.scribd.com/doc/34398109/OPEN-INTERNET-AND-NET-NEUTRALITY-IN-EUROPE-Marsden-respons%E2%80%A6) He was the only independent expert invited to address the joint European Commission-European Parliament Network Neutrality Summit on 11 November in Brussels. (http://www.scribd.com/doc/42298185/Three-Wise-Monkeys-of-Net-Neutrality)
 A refresher for the Minister would be: Cooper, Alissa (2010) The Next Tim Berners-Lee: Response to Ofcom Discussion on Traffic Management and Net Neutrality, 9 September 2010, at http://stakeholders.ofcom.org.uk/binaries/consultations/net-neutrality/responses/Cooper_A.pdf
 Autorité de régulation des communications électroniques et des postes (2010) Internet and network neutrality: proposals and recommendations, September, at http://www.arcep.fr/uploads/tx_gspublication/net-neutralite-orientations-sept2010-eng.pdf
 COM(2010) 609 final, 4 November 2010; available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.
 Article 29 Working Party Opinion 3/2010 on the principle of accountability, 13 July 2010.
 Impact Assessment, p. 157
 See, for example, the ease with which technology experts managed to identify individual users from a pool of anonymised web search queries published by US search engine AOL in 2006, “A Face Is Exposed for AOL Searcher No. 4417749”, New York Times, 9 August 2006, available at http://select.nytimes.com/gst/abstract.html?res=F10612FC345B0C7A8CDDA10894DE404482. See also, P Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” (August 13, 2009). University of Colorado Law Legal Studies Research Paper No. 09-12. Available at SSRN: http://ssrn.com/abstract=1450006; and Korff, Douwe, New Challenges to Data Protection (Study for the European Commission), Working Paper No. 2: Data Protection Laws in the EU: The Difficulties in Meeting the Challenges Posed by Global Social and Technical Developments (January 15, 2010), Section 4.1, sub-section on personal data and data subject, and the issues of anonymisation, pseudonymisation, re-identifiability and profiling, in particular pp. 48 - 51. Available at SSRN: http://ssrn.com/abstract=1638949.
 See, for example, C R Taylor, “Private Demands and Demands For Privacy: Dynamic Pricing and the Market for Customer Information”, RAND Journal of Economics, Volume 35, No.4, Winter 2004, pp. 631-650.
 Impact Assessment, p.153.
 Impact Assessment, p.146
 WP171, 2/2010, 22 June 2010.
 “You deleted your cookies? Think again!”, Epicentre - Wired.com, 10 August 2009, available at http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/, last visited, 26 November 2010. See also K McKinley, “Cleaning Up After Cookies, Version 1.0”, 31 December 2008, available at https://www.isecpartners.com/storage/white-papers/iSEC_Cleaning_Up_After_Cookies.pdf. In some cases it is possible to block browser-control-resistant identifiers through the installation of browser add-ons, although this usually requires a certain level of technical expertise that is unlikely to be present in the majority of internet users. In some cases, those identifiers may also be disabled or deleted by changing the flash cookie’s settings or visiting the website of its manufacturer. However, this is a time-consuming approach that, too, that should not be imposed on internet users.
 WP56, 30 May 2002.
 Ibid., p.11.
 Impact Assessment, p. 5.
 Proposals to close these gaps are currently the subject of another consultation “Regulation of Investigatory Powers Act 2000: Proposed Amendments Affecting Lawful Interception” issued by the Home Office on 10 November 2010, available at http://www.homeoffice.gov.uk/publications/consultations/ripa-effect-lawful-intercep/ripa-amend-effect-lawful-incep?view=Binary.