data protection

On 28th March 2017, a proposition adopted by the American Congress cleared the way for Internet Service Providers to sell user data. The history of what you have surfed on the internet is valuable information for businesses. It gives them an indication of your likes and dislikes, your thoughts, and the things you seek online. 

Since such data can give these businesses a good idea of your political and religious views and of the kinds of products or services you prefer, it’s precious. Such data makes it possible to build a profile of you so that advertisements matching your preferences can be targeted at you. However, that might not sit well with consumers.

Trump legalizes using and sharing browsing history by ISPs

In October 2016, under the Obama administration, the Federal Communications Commission (FCC) adopted a regulation to protect consumer privacy. Once these rules were formulated, the FCC started recognizing browser history as sensitive information. Consumers were given the choice not to share any of it.


Later, President Trump repealed net neutrality so ISPs like AT&T or Verizon could use the information they gathered about their clients.

However, net neutrality also protects other things. For instance, ISPs can divide traffic into fast and slow lanes without net neutrality. In other cases, they might offer their partners’ services at better speeds. 

The situation in Europe

Personal information sale comes under the purview of the Data Protection Legislation. Since 25th May 2018, it has been governed by the General Data Protection Directive. The GDPR’s Article 6 lays down the conditions under which user data sales will be considered legal. User data can be collected and processed by ISPs only on individual consent or when it’s deemed to be of legitimate interest.

Working Party 29 in 2019 shared its opinion on how legitimate interest can be applied. Apart from being lawful, there should be no ambiguity in its explanation, so balancing it against the data subject’s fundamental rights is possible. 

Moreover, the issue of legitimate interest must be present and real. The Working Party 29 also adds that legitimate interest shall under no circumstances allow the controller to excessively monitor its clients’ behavior. Neither can data be sold or used for profiling on the pretext of legitimate interest. Hence, ISPs can’t use legitimate interest to justify selling user browser history to any third party. 

Strict provisions govern sensitive information processing

Further, the GDPR’s Article 9 stipulates that processing any personal data that reveals ethnic or racial origins, union memberships, religious or political beliefs, or political opinions is strictly prohibited. ISPs are also barred from processing biometric, health, or genetic data that may make it possible to uniquely identify an individual. Nor is any ISP allowed to process data that concerns an individual’s sexual orientation.

In this regard, legitimate interest has no relevance. It’s only user consent that Internet Service Providers can cite when processing sensitive data. However, as per the provisions of the GDPR, any member state is free to reject the issue of user consent to justify sensitive data processing. Even the protection of vital interests cannot justify any purpose for collecting and sharing user data. 

Conditions for consent

The conditions for valid consent are laid out in Article 7 of the GDPR. Consent requests shall have to be presented in a distinguishable manner on a form that’s intelligible and easy to access. Moreover, the language used should be clear and lucid. Positive action should indicate the giving of consent. It can’t be implicit. Consent can be withdrawn by the data subject at any time, and they will be duly informed about it. 

Internet Service Providers shall therefore have to inform users clearly and transparently that browser history shall be processed and sold by them. This issue must be presented clearly in an easily accessible form. Therefore, read privacy policies to understand how companies handle your data, including online services and your ISP. 

Many people also fight online tracking by using a VPN for PC. A Virtual Private Network stops ISPs from seeing what you do online by encrypting traffic. Furthermore, ISPs also won’t be able to slow down internet connections based on your activities. Such tools are excellent options for retaining more privacy online. 


In the US, ISPs can legally collect and sell your browsing details. In Europe, restrictions apply. However, companies have been found to bypass laws and create user profiles based on their surfing histories. Thus, you should know how to protect yourself. The first step is reading the conditions of your accounts and services. Look for red flags, like if a company mentions that they sell data to unidentified third parties. 
