Editing Internet privacy (section)

===European General Data protection regulation===
In 2009 the [[European Union]] had for the first time created awareness for tracking practices when the ePrivacy-Directive (2009/136/EC) was put in force.<ref name="Directive 2009/136/EC">{{cite journal| title=Directive 2009/136/EC of the European Parliament and of the Council| url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0136| journal=[[Official Journal of the European Union]]| volume=337| pages=11–36| date=18 December 2009| access-date=4 January 2024}}</ref> In order to comply with this directive, websites had to actively inform the visitor about the use of cookies. This disclosure has been typically implemented by showing small information banners. Nine years later, by 25 May 2018 the European General Data Protection Regulation (GDPR) came into force,<ref>{{cite journal| title=Regulation (EU) 2016/679 of the European Parliament and of the Council| url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679| journal=[[Official Journal of the European Union]]| volume=119| pages=1–88| date=4 May 2016| access-date=4 January 2024}}</ref> which aims to regulate and restrict the usage of personal data in general, irrespective of how the information is being processed.<ref>{{Cite book |last=Skiera |first=Bernd |url=https://www.worldcat.org/oclc/1303894344 |title=The impact of the GDPR on the online advertising market |date=2022 |others=Klaus Miller, Yuxi Jin, Lennart Kraft, René Laub, Julia Schmitt |isbn=978-3-9824173-0-1 |location=Frankfurt am Main |oclc=1303894344}}</ref> The regulation primarily applies to so-called “controllers”, which are (a) all organizations that process personal information within the European Union, and (b) all organizations which process personal information of EU-based persons outside the European Union. Article 4 (1) defines personal information as anything that may be used for identifying a “data subject” (e.g. natural person) either directly or in combination with other personal information. In theory, this even takes common Internet identifiers such as cookies or IP Addresses in the scope of this regulation. Processing such personal information is restricted unless a "lawful reason" according to Article 6 (1) applies. The most important lawful reason for data processing on the Internet is the explicit consent given by the data subject. More strict requirements apply for sensitive personal information (Art 9), which may be used for revealing information about ethnic origin, political opinion, religion, trade union membership, biometrics, health or sexual orientation. However, explicit user content still is sufficient to process such sensitive personal information (Art 9 (2) lit a). “Explicit consent” requires an affirmative act (Art 4 (11)), which is given if the individual person is able to freely choose and does consequently actively opt-in.

As of June 2020, typical cookie implementations are not compliant with this regulation, and other practices such as [[device fingerprint]]ing, cross-website-logins <ref>{{Cite magazine|date=2 July 2020|title=Security risks of logging in with facebook|url=https://www.wired.com/story/security-risks-of-logging-in-with-facebook/|magazine=Wired|access-date=3 July 2020|archive-date=3 July 2020|archive-url=https://web.archive.org/web/20200703202751/https://www.wired.com/story/security-risks-of-logging-in-with-facebook/|url-status=live}}</ref> or 3rd-party requests are typically not disclosed, even though many opinions consider such methods in the scope of the GDPR.<ref>{{cite web|date=2 July 2020|title=The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers|url=https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers|website=European Frontier Foundation|access-date=3 July 2020|archive-date=2 August 2020|archive-url=https://web.archive.org/web/20200802050700/https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers|url-status=live}}</ref> The reason for this controversy is the ePrivacy-Directive 2009/136/EC<ref name="Directive 2009/136/EC" /> which is still unchanged in force. An updated version of this directive, formulated as [[ePrivacy Regulation]], shall enlarge the scope from cookies only to any type of tracking method. It shall furthermore cover any kind of electronic communication channels such as [[Skype]] or [[WhatsApp]]. The new ePrivacy-Regulation was planned to come into force alongside the GDPR, but as of July 2020, it was still under review. Some people assume that lobbying is the reason for this massive delay.<ref>{{cite web|date=2 July 2020|title=e-Privacy Regulation victim of a "lobby onslaught"|url=https://edri.org/coe-eprivacy-regulation-victim-of-lobby-onslaught/|website=European Digital Rights|access-date=3 July 2020|archive-date=4 July 2020|archive-url=https://web.archive.org/web/20200704231417/https://edri.org/coe-eprivacy-regulation-victim-of-lobby-onslaught/|url-status=live}}</ref>

Irrespective of the pending ePrivacy-Regulation, the European High Court decided in October 2019 (case C-673/17<ref>{{cite web|date=2 July 2020|title=JUDGMENT OF THE COURT 1/10/2019|url=http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6162209|website=Court of Justice of the European Union|access-date=3 July 2020|archive-date=3 July 2020|archive-url=https://web.archive.org/web/20200703212743/http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6162209|url-status=live}}</ref>) that the current law is not fulfilled if the disclosed information in the cookie disclaimer is imprecise, or if the consent checkbox is pre-checked. Consequently, many cookie disclaimers that were in use at that time were confirmed to be incompliant with the current data protection laws. However, even this high court judgment only refers to cookies and not to other tracking methods.