Can Internet Service Providers sell the browser history of its users?

1.    Repeal of the privacy rules in the US

On 28 March 2017, the American Congress adopted the proposition that Internet Service Providers could sell the browser history of its users, without their permission.

The browser history is quite valuable information for companies. It shows what you think, what you are looking for and what you like. It also contains sensitive information. It can provide clues to your political preference, your health, your religious views. It is clear that this information is worth a lot, but that does not mean that it should be on the market.

In October 2016, under president Obama, the Federal Communication Commission (FCC) adopted regulation that protected the privacy of consumers. With these rules, the FCC recognizes that browser history is considered as sensitive information, and consumers were given the choice whether or not to share the information;

It is little surprising that under president Trump, these rules are repealed, and that Internet Service Providers such as AT&T or Verizon can use your browser history freely. It does not really matter which browser a consumer uses. 

Google Chrome for instance provides the possibility to surf the web “incognito”. This implies that Google Chrome will not record your history, but Internet Service Providers still can do so. 

Another possibility to escape is the use of a decent VPN connection.

It is a positive signal that there exist (smaller) American Internet Providers, which already announced that they will not sell the browser history without the consent of their users.

2.    In Europe

The sale of personal information falls under the scope of the Data Protection legislation and as from 25 May 2018, will be governed by the General Data Protection Directive.

2.1    Lawfulness of the processing

In Article 6 of the GDPR, the conditions of the lawfulness of the processing are set out. The Internet Service Providers can collect and process the personal information of its users, based on the consent of the individual, or on grounds of a legitimate interest. A legitimate interest can be subject to interpretation.

In 2014, Working Party 29 has issued an opinion on the application of a legitimate interest. It has to be lawful, it has to be clearly explained in order to make it possible to balance it against the fundamental rights of the data subject, and the legitimate interest must be real and present. 

The Working Party 29 clarifies that the legitimate interest can be used for some marketing purposes, given that this allows the controller to get to know its customers, and to meet the wishes of its clients. 

The Working Party 29 immediately adds that a legitimate interest does absolutely not allow that the controller will monitor the behavior of its clients excessively, or will sell this, or will use for profiling.

As a result, Internet Service Providers will not be able to use a legitimate interest as a justification to sell the browser history of its users to third parties.

2.2    Strict provisions concerning the processing of sensitive information

Furthermore, pursuant to Article 9 of the GDRP, it is not allowed to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership. It is also not prohibited to process health, biometric or genetic data for the purpose of uniquely identifying a natural person data or data concerning a person’s sexual orientation.

The legitimate interest is of no relevance in this regard. The only exception that Internet Service Providers could use to process sensitive data is the consent of its customer. However, the GDPR provides the possibility for member states to exclude consent as a justification for the processing of sensitive data. As soon as a member state uses this possibility, it will be basically impossible for Internet Service Providers to sell the browser history of its users. The other justification grounds such as the protection of vital interests, the necessity for the purpose of carrying out obligations cannot be applied.

The consent should be given by a positive action, it cannot be implicit

2.3   Consent

Article 7 of the GDRP specifies the conditions for a valid consent. The request for consent has to be presented in a manner, which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The consent should be given by a positive action, it cannot be implicit. The data subject has the right to withdraw its consent at any time and shall be duly informed.

In regard to the activities of Internet Service Providers, it implies that they have to inform their users in clear and transparent way of the fact that they process or sell the browser history. This cannot be buried in the general conditions, but should be presented in an understandable and easily accessible form.

3.   To conclude

Internet Service Providers on the European market cannot sell the browser history of their users, without their explicit and informed consent, and so it should be.