
PageFair writes to all EU Member States about the ePrivacy Regulation

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support of the proposed ePrivacy Regulation.
Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas.
The letter addresses four issues:

  1. PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8.
  2. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising.
  3. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact privacy.
  4. We show that tracking is not necessary for the online advertising & media industry to thrive. As we note in the letter, behavioural online advertising currently accounts for only a quarter of European publishers’ gross revenue.

Read the letter: https://pagefair.com/wp-content/uploads/2018/03/PageFair-letter-on-ePrivacy-to-perm-reps-13-March-2018.pdf

The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices) across the globe proves the terrible cost of not regulating. We are witnessing the collapse of the mechanism by which audiences support the majority of online news reports, entertainment videos, cartoons, blogs, and cat videos that make the Web so valuable and interesting. Self-regulation, lax data protection and enforcement have resulted in business practices that promise a bleak future for European digital publishers.
Therefore, we commend the Commission and Parliament’s work thus far, and wish the Council (of Ministers of the Member States) well in their deliberations.

PageFair's long letter to the Article 29 Working Party

This note discusses a letter that PageFair submitted to the Article 29 Working Party. The answers may shape the future of the adtech industry.
Eventually the data protection authorities of Europe will gain a thorough understanding of the adtech industry, and enforce data protection upon it. This will change how the industry works. Until then, we are in a period of uncertainty. Industry cannot move forward, and business cannot flourish. Limbo does not serve the interests of publishers. Therefore we press for certainty.
This week PageFair wrote a letter to the Article 29 Working Party presenting insight on the inner workings of adtech, warts and all.
Our letter asked the working party to consider five questions. We suspect that the answers may shape the future of the adtech industry.

  1. We asked for further guidance about two issues that determine the granularity of consent required. First, we asked what the scope of a single “purpose” for processing personal data is. Since one must have a legal basis for each purpose, a clear understanding of scope of an individual purpose is important to determine the number of purposes, and thus the number of granular opt-ins required.
  2. The second question about granularity of consent asked whether multiple controllers that pursue identical purposes should be unbundled from each other. In other words, should consent be requested not only per purpose, but per controller too. This is important because it should not be assumed that a person trusts all data controllers equally. Nor is it likely that all controllers apply equal safeguards of personal data. Therefore, we asked whether it was appropriate to bundle multiple controllers together in a single consent request without the opportunity to accept some, and not all.
  3. We asked for guidance on how explicit consent operates for websites and apps, where a controller wishes to process special categories of personal data. Previously the Working Party cited the double opt-in as a method of explicit consent for e-mail marketing. We presented wireframes of how this might operate on web and mobile.
  4. We asked for clarification that all unique identifiers are personal data. This is important because the presence of a unique ID enables the combining of data about the person associated with that unique ID, even if the party that originally assigned the unique ID did so randomly, without any understanding of who the data subject is.
  5. We asked for guidance on how Article 13 of the GDPR applies to non-tracking cookies (without personal data) as opposed to personal data. This is important because some paragraphs of this article were intended to apply to personal data and are not appropriate for non-personal data.

In addition to these questions we made three statements.

  1. Websites, apps, and adtech vendors leak personal data to unknown parties in routine advertising operation (via “RTB” bid requests, cookie syncs, JavaScript ad units, mobile SDKs, and other 3rd party integrations). This is preventable.
  2. We noted our support for the Working Party’s view that the GDPR forbids the demanding of consent for 3rd party tracking that is unrelated to the provision of an online service.
  3. It is untenable for any publisher, adtech vendor, or trade body to claim that they must use personal data for online advertising. As we and others have shown, sophisticated adtech can work without personal data.

The full letter is available here.

Why the GDPR ‘legitimate interest’ provision will not save you

The “legitimate interest” provision in the GDPR will not save behavioral advertising and data brokers from the challenge of obtaining consent for personally identifiable data.

As previous PageFair analysis illustrates, personal data will become toxic except where it has been obtained and used with consent once the General Data Protection Regulation is applied in May 2018.
Even so, many advertising intermediaries believe that they can continue to use personal data without consent because of an apparent carve-out related to “legitimate interest” contained in the GDPR. This is a false hope.

Legitimate interest

The GDPR does indeed provide for “legitimate interest” as a legal basis for using personal data without obtaining consent.[1] A legitimate interest provision was also included in the previous Data Protection Directive 95/46/EC.[2] However, the GDPR now includes an explicit mention of direct marketing as a legitimate interest (in Recital 47),[3] which has lured many adtech businesses into the comfortable but erroneous supposition that they will not have to ask people for permission to use their personal data.

A legitimate interest is a clearly articulated benefit to a single company, or to society as a whole,[4] that can be derived from processing personal data in a lawful way.[5] However, the Article 29 Working Party of data protection authorities of EU countries has already made it clear that merely having a legitimate interest does not entitle one to use personal data.[6]

The objective of the “legitimate interest” provision is to give controllers “necessary flexibility for data controllers for situations where there is no undue impact on data subjects”.[7] The Article 29 Working Party cautioned that it is not to be used “on the basis that it is less constraining than the other grounds”.[8] In other words, it is not a get-out-of-jail-free card.

Under the Data Protection Directive that preceded the GDPR some EU countries viewed it as “an ‘open door’ to legitimize any data processing which does not fit in one of the other legal grounds.”[9] This will end with the GDPR, which harmonizes the approach across all the countries of the European Union.

The balancing test 

Article 6 (f) of the GDPR includes the following important caveat: “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.[10] In other words, a business that intends to use personal data must balance its legitimate interest not only against the rights of the data subject, which is a significant test in itself,[11] but also the data subject’s interests, irrespective of whether these interests are legitimate or not.[12] Any company that hopes to use legitimate interest also bears the onus for demonstrating that its interest is favored in such a balancing test.[13] 

This is not a figurative exercise. The Article 29 Working Party cautions that the balancing test should be documented in such a way that data subjects, data authorities, and the courts can examine it.[14] It should encompass a broad range of factors[15] including “any possible (potential or actual) consequences of data processing”.[16] This would include, for example, “broader emotional impacts” and the “chilling effect on … freedom of research or free speech, that may result from continuous monitoring/tracking”.[17]

The test also must consider the manner in which personal data are processed. For example,

“whether large amounts of personal data are processed or combined with other data (e.g. in the case of profiling…). Seemingly innocuous data, when processed on a large scale and combined with other data may lead to inferences about more sensitive data”.[18] 

Europe’s data protection authorities take a dim view of such large scale processing:

“Such analysis may lead to uncanny, unexpected, and sometimes also inaccurate predictions, for example, concerning the behavior or personality of the individuals concerned. Depending on the nature and impact of these predictions, this may be highly intrusive to the individual’s privacy”.[19] 

A further factor in the balancing test is mentioned in Recital 47 of the GDPR: “…taking into consideration the reasonable expectation of data subjects based on their relationship to the controller”.[20] A business involved in digital advertising must ask the following question: Is it reasonable to assume that a regular person who peruses the web expects that their behavior is being tracked and measured, consolidated across devices, and that the results of these operations are being traded between different companies that he or she has never heard of, and retained for further trading and consolidation over considerable periods of time?

Behavioral advertising and data-brokering must be based on consent 

The legitimate interest provision in the GDPR sets a high bar. Indeed, the Working Party’s concern about the negative impacts of personal data misuse is so broad as to encompass those that result from many cumulative actions, and where “it may be difficult to identify which processing activity by which controller played a key role”.[21] This is bad news for the cascade of cookie syncing and data trading typical of behavioral advertising.

The Article 29 Working Party has considered what a balancing test would yield where behavioral advertising is concerned. It concluded that “consent should be required, for example, for tracking and profiling for purposes of … behavioral advertising, data-brokering, … [and] tracking-based digital market research”.[22]

The Working Party regards the balance as follows: “the economic interest of business organizations to get to know their customers by tracking and monitoring their activities online and offline” must be balanced “against the (fundamental) rights to privacy and the protection of personal data of these individuals and their interest not to be unduly monitored”.[23]

Consent, and nothing short of it, is the necessary legal basis for processing personally identifiable data for behavioral advertising.

Two options  

Therefore, hundreds of adtech companies that cannot legitimately obtain the personal data they depend on are facing a huge challenge. There are two categories of options.

Option 1. Invest heavily in obtaining consent

For the majority of advertising intermediaries this will require reaching an accommodation with publishers who have direct and trusted relationships with end-users. Whatever this accommodation is, it is likely to tip the balance of power away from adtech and back in favor of publishers. Publishers may recover some of the marketing spend that they lost to the many advertising technology companies of the Lumascape in the shift to digital. As we have suggested previously, mergers with, or acquisition of, media properties may be one way for global advertising holding companies to buy trusted first party relationships with end-users, and to establish a means of requesting end-users’ consent.

Option 2. Avoid the GDPR’s liabilities and regulatory overhead with an approach that uses no personally identifiable data

Programmatic and behavioral advertising are possible without personally identifiable data. A personal data firewall can free brands and intermediaries from the GDPR’s new liabilities and regulatory overhead by anonymizing data while delivering relevant advertising.

We will be writing more about this.

 

Invitation:

RightsCon, Brussels, March 29, 5.15pm – 6.15pm

I will be on the EDRi panel at RightsCon, alongside representatives of the European Data Protection Supervisor and the IAB. Please come and say hello.


Notes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 6, paragraph 1, f.

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 7 (f).

[3] “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Recital 47.

[4] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, p. 10.

[5] ibid., pp 10-11.

[6] ibid., p. 25.

[7] ibid., p. 10.

[8] ibid., p. 3.

[9] ibid., p. 5.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 6, para 1 (f).

[11] Data protection is a fundamental right in European Law. Article 8 of The European Charter of Fundamental Rights enshrines the right of every citizen to “the protection of personal data concerning him or her”. The European Union Charter of Fundamental Rights, Article 8, paragraph 1. “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”. The European Union Charter of Fundamental Rights, Article 8, paragraph 2.

[12] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, p. 9, 30.

[13] ibid., p. 52.

[14] ibid., p. 43, 53-54.

[15] ibid., pp 33, 50-51, 55-56.

[16] ibid., p. 37.

[17] ibid., p. 37.

[18] ibid., p. 39.

[19] ibid., p. 39.

[20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Recital 47.

[21] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, p. 37.

[22] ibid., p. 46.

[23] ibid.
