![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
This article examines the soft-law politics of regulating behaviours on the internet in the European Union (EU) context. It shows the struggles behind internet standards, and delegation of power to commercial actors, while looking at spam and web-cookies as a case study. This article argues that by creating a false division between private and public spaces on the internet, it was possible to legitimize certain practices over others, despite being similar. In this way, spam was categorized as unsolicited communication associated with private space, whereas web-cookies were categorized as wanted communication in public space. By influencing and lobbying EU legislation and Internet Engineering Task Force (IETF) technical standards, the advertising industry and tech companies simultaneously authorize and institutionalize their own practices and illegalize people’s ‘problematic’ behaviour and other advertising companies. In this way, EU legislation and internet standards create a naturalized discourse that institutionalizes the roles of different actors in the online market, while emphasizing the central role of commercial actors in creating, defining, managing and enforcing the online market. Thus, spam operates as a regulatory tool applied to any type of behaviour that can interfere with the functioning of the EU e-commerce.
KEYWORDS:
Disclosure statement
No potential conflict of interest was reported by the author.
Notes
1. Termed cookies hereafter.
2. European advisory body which consists data protection authority representative from each of the member states, and was founded following Article 29 of the Data Protection Directive (95/46/EC). The main goal of this body is to provide opinions and recommendations to the European Commission in regards to data protection.
3. This is called the opt-out versus opt-in mechanisms. Opt-out means that people are automatically receiving a form of communication and then have the option refuse receiving it, which is usually done by unsubscribing. Opt-in means that people need to indicate whether they want to receive communication or not.
4. According to Smith they are
a graphics on a Web page or in an Email message that is designed to monitor who is reading the Web page or Email message. Web Bugs are often invisible because they are typically only 1-by-1 pixel in size. They are represented as HTML IMG tags. (Citation1999)
5. For example, Web sites would get a public key encryption and be ‘approved’ for secure business transactions by an external entity, usually consisting private sector and governments, called Certificate Authority (CA) or Trusted Third Party (DeNardis Citation2007, 689). This shows that only commercial communication was worth protection.
6. As the A29WP observe:
As recital 26 of Directive 95/46 specifies, data are qualified as personal data as soon as a link can be established with the identity of the data subject (in this case, the user of the IP address) by the controller or any person using reasonable means. In the case of IP addresses the ISP is always able to make a link between the user identity and the IP addresses and so may be other parties, for instance by making use of available registers of allocated IP addresses or by using other existing technical means. (Citation2002, 3)
7. Some of the arguments that the advertising industry presents is that with dynamic IP addresses (meaning that the address number changes from time to time) it is hard to deduce the profile of people. However, in 2010 the A29WP rejected such claims by observing that
behavioural advertising normally involves the collection of IP addresses and the processing of unique identifiers (through the cookie). The use of such devices with a unique identifier allows the tracking of users of a specific computer even when dynamic IP addresses are used. In other words, such devices enable data subjects to be ‘singled out’, even if their real names are not known. (Citation2010, 9)
8. According to the A29WP, ‘Cookies should, by default, not be sent or stored’ (Citation1999, 3).
9. Flash cookies, also known as Local Share Object (LSO), are the next generation of cookies. They can contain
up to 100KB of information by default, compared to 4KB by HTTP cookies … Flash cookies do not have expiration dates by default, whereas HTTP cookies expire at the end of a session unless programmed otherwise … Flash cookies are stored in a separate directory that many users are unaware of and do not know how to control. (Tene and Polenetsky Citation2012, 293)