Insights from Osborne Clarke’s legal experts on the business impact of the new EU General Data Protection Regulation for the online advertising industry.
The new General Data Protection Regulation is set to introduce fundamental changes to the data protection regime in Europe with effect from 2018. It raises some particular challenges for ad exchanges, DSPs, SSPs, DMPs and others in the adtech sector – with additional compliance requirements, significantly increased risk and a number of key questions as yet unanswered.
We’ll be talking with our clients about what the GDPR will mean for them in practice. However here are ten immediate observations for those working in the online advertising sector.
1. Some adtech businesses at least will find it harder to argue they’re not processing “personal data”
The GDPR expressly calls out that individuals “may be associated with” online identifiers such as IP addresses and cookie identifiers, and that these may – particularly when combined with other information – be used to identify individuals and to create profiles connected with them.
The Regulation doesn’t go as far as expressly stating that all information linked to a particular IP address or cookie ID must necessarily be treated as “personal data”. Rather, the test under the definition of “personal data” is whether a natural person “can be identified, directly or indirectly, in particular by reference to an identifier such as… …an online identifier”. So those who say they can offer data or serve ads on a “unique user” basis may be on the back foot in seeking to argue they are not processing personal data, even if they don’t know the names of the individuals involved.
The Court of Justice of the European Union is expected in 2016 to clarify the position in relation to IP addresses (Case C-582-14, Breyer), although a number of data protection authorities in Europe already see these as generally (or always) amounting to personal data.
Under the GDPR, “pseudonymised” personal data will still be treated as personal data. However, pseudonymisation is incentivised in a number of ways, and a business which pseudonymises all data may potentially find it easier to justify processing under the “legitimate interests” ground (see (3) below).
|“German DPAs and – with a more nuanced approach – courts have held that IP addresses, mobile device identifiers and likely also cookie IDs (depending on the data stored) qualify as personal data. Based on the GDPR text, we would not expect the German authorities to take any different approach going forward.”
Ulrich Baumgartner, Partner, Germany
2. Just because your business is entirely outside the EU doesn’t mean you’re not caught by the GDPR
The Regulation will apply to data controllers outside the EU where their processing relates to monitoring the behaviour of data subjects in the EU. That means a lot of adtech businesses which could previously ignore EU data privacy laws will need to comply with the GDPR to the extent they are processing “personal data” as defined. Non-EU businesses caught by the long arm of the GDPR will need to appoint an EU representative. (There is an exemption for “occasional” processing but this is unlikely to be relevant for most adtech businesses.)
|“Some adtech businesses may see the new EU regime as prohibitive, and may use geo-IP filtering to avoid processing data from the region. Others may choose a “compartmentalised” model, with EU data handled solely by a European entity and hosted on EU servers.”
Claire Bouchenard, Partner, Paris
3. You may not always need consent to process personal data lawfully
Under current EU data protection laws, adtech businesses wishing to process personal data would generally need either to:
(a) have consent from the data subject (difficult for many adtech intermediaries, who may have no direct contact with data subjects); or
(b) be able to show that the processing is necessary for the business’s legitimate interests or the legitimate interests of those to whom the data are disclosed.
A number of European data protection authorities have been resistant to the idea of processing by adtech providers falling within the scope of “legitimate interests”. However, there are a couple of reasons to believe that that may now change.
First, data processing for direct marketing purposes is expressly called out in the GDPR’s recitals as something that may be regarded as carried out for a legitimate interest (although there is no corresponding express statement in relation to processing for targeted online advertising that does not amount to “direct marketing”).
Secondly, the “balancing exercise” to assess legitimate interests under existing law (as set out in Art29WP Opinion 06/2014) will need to be re-evaluated to take into account changes under the GDPR that give data subjects greater protection. In particular:
- Under the GDPR, it will be easier for data subjects to opt out of processing based on legitimate interests. Whereas previously data subjects could only object to processing carried out on this basis if they had a “justified objection” based on “compelling legitimate grounds”, now the tables will be turned: if a data subject objects then the onus will be on the business to show “compelling legitimate grounds” which override the interests, rights and freedoms of the data subject. (This is on top of data subjects’ rights to object to processing of personal data for direct marketing purposes – including profiling for such purposes.)
- Data controllers will have to be more transparent and give data subjects more information about how to exercise control over processing carried out on this basis.
While the direct effect of those factors may appear disadvantageous for adtech businesses – with stronger opt-out rights and challenging transparency obligations – there is a potential “silver lining”. These additional protections for data subjects may mean that adtech sector businesses will have significantly increased scope to rely on the “legitimate interests” ground.
That said, there will be a number of areas where “legitimate interests” alone will not be enough, including the following:
- Profiling activities leading to “legal effects” for individuals or that “significantly affect” them will generally require explicit prior opt-in consent. The scope of this requirement is not yet fully clear (and the derogation allowing statutory authorisation of particular profiling activities on an individual Member State basis may muddy the waters further in due course). However , it is at least arguable that, for instance, differential pricing based on data profiling could “significantly affect” those to whom advertising is served.
- Processing of “special categories” of personal data (often referred to as “sensitive personal data”) will require explicit consent if that data has not been “manifestly made public” by the data subject and no other exception applies. Adtech businesses will need to take care with actual or inferred data about racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, health, sex life or sexual orientation, and also now genetic or biometric data processed for unique identification purposes.
- European “cookies laws” under the e-Privacy Directive remain in place. So existing consent requirements in relation to setting and accessing cookies (and other information on a user’s device) still need to be complied with, and may yet evolve in different directions.
|“The good news for adtech businesses is that there’s still a “legitimate interests” ground for processing, as an alternative to consent. The bad news is that it’s not yet clear whether its scope – and the information and notification requirements – will be interpreted in a way that is workable for all businesses in this sector. Official guidance is urgently needed.”
Emily Jones, Partner, UK
4. Compliance with information/notification requirements may be challenging for some adtech businesses – will we see more (and longer) pop-ups?
The GDPR imposes a number of additional information requirements:
- Where you get personal data other than direct from the data subject (for instance, if personal data is made available to you as a potential bidder in a real-time bidding scenario) then, subject to various exceptions, there is a requirement to communicate various information to the individual. That will include (amongst other things):
- your data protection officer’s name and contact details;
- details of the legal basis for processing (including any “legitimate interests”);
- how long data will be stored (or how the period will be determined);
- details of rights to object to processing; and
- “meaningful information about the logic involved” in any profiling (and its “significance and… …envisaged consequences… …for the data subject”).
Importantly, an exception applies where the provision of information “proves impossible or would involve a disproportionate effort”. In those circumstances, you need to take other “appropriate measures” instead, including making the relevant information publicly available (for example, on your website).
- However, as a separate obligation – whether you’ve obtained personal data directly or indirectly – individuals must be notified of their rights to object to profiling, to processing for direct marketing purposes and to any processing justified under the “legitimate grounds” basis. These rights must be “explicitly brought to the attention of the data subject” and “presented clearly and separately from any other information” – at the latest at the time of first communication with the data subject. If an ad served to an individual is taken to be a “communication with” that person, then this raises a significant challenge: will the EDAA’s “ad options” icon satisfy this requirement, and if not then will some active communication programme be necessary? We may see existing pop-up notices expanding as one way of trying to cover these points.
- Where you collect data direct from the data subject (which may not be relevant in a lot of adtech scenarios), disclosures are required at the time of collection. No “disproportionate effort” exemption applies in this case.
|“Adtech providers may need – directly or indirectly – to establish connections with website publishers that enable them to make the necessary disclosures to end users. A new range of industry icons may also be part of the answer.”
Jeroen Lub, Partner, The Netherlands
5. You may need to appoint a “Data Protection Officer”
A Data Protection Officer must be designated by any entity whose core activities consist of processing activities which inherently “require regular and systematic monitoring of data subjects on a large scale”. The DPO may be a staff member or appointed under a service contract. Their contact details must be published. They are supposed to be involved in all data protection issues, and must report into the highest management level of the business. They can have other roles and responsibilities as long as these don’t create a conflict of interest.
With a large number of businesses likely to need a DPO, individuals who have the “expert knowledge of data protection law and practices” required under the GDPR will be much in demand.
|“In a number of important respects, the GDPR brings all of the EU up towards the higher compliance requirements currently in place in Member States such as Spain.”
Rafael Garcia Del Poyo, Partner, Spain
6. You may also need to carry out a formal data protection “impact assessment”
An impact assessment must be carried out in advance where processing is likely to result in a “high risk for the rights and freedoms of individuals”.
Countries’ data protection authorities can publish lists of the kinds of processing that are caught by this requirement. However, the GDPR already specifies that an impact requirement will be required if (amongst other things) there is to be:
(a) large scale processing of “special categories of personal data” (see above); or
(b) a systematic and extensive evaluation of personal aspects based on automated processing on which decisions are based that “produce legal effects concerning the individual or similarly significantly affect the individual”.
As yet, there is no case law or official guidance to indicate what “legal effects” or “significantly affect” mean here. One would expect credit rating decisions to be covered, but it is not yet fully clear whether and in what circumstances decisions as to which advertising to serve could be said to “significantly affect” an individual.
In any event, most businesses will need to carry out some kind of internal review and assessment – apart from anything else to determine whether a formal impact assessment is necessary. If a formal assessment is needed, and if it discloses a high risk in the absence of mitigation measures, then prior consultation with the data protection authority is also required.
7. Privacy notices will need to be re-worked
Increased disclosure and transparency requirements mean that privacy notices may require more detail, and may need to be re-worked for increased clarity. Adtech businesses may face some tricky decisions in terms of how to give data subjects adequate clarity without giving away proprietary or business sensitive information about their algorithms and data sources.
|“It’s not just privacy notices that will need to be re-drafted. MSAs and other business terms will also need to be reviewed to reflect the position under the GDPR.”
Federico Ferrara, Partner, Italy
8. Positioning yourself as a “data processor” won’t be such a good strategy any more
Under the current regime, it is data controllers rather than data processors who carry almost all of the burden of regulatory compliance. Data processors – who carry out processing on behalf of a data controller – are not directly subject to the existing legislation in most Member States. Under the GDPR, however, data processors will be subject to certain obligations – for instance in relation to data transfers and data security – and will be vulnerable to direct damages claims.
On the plus side, the GDPR potentially gives ad network providers, publishers, advertisers and other online advertising players more flexibility in defining their respective roles. In particular, the GDPR introduces on a pan-European basis the concept of joint controllership for situations where two or more controllers jointly determine the purposes and means of the processing of personal data. This is not uncommon in the online advertising space; and in fact the Article 29 Working Party has previously taken the view that publishers who transfer data to ad network providers may act as joint controllers (WP 171).
To implement a joint controllership, however, the businesses involved will need to have an agreement setting out their respective responsibilities for GDPR compliance, including as to provision of information to data subjects and what happens when data subjects exercise their rights. An arrangement like this could for instance stipulate which processing activities are covered by the joint controllership of a publisher and an ad network (and which activities are not) and could provide that the publisher takes responsibility for giving users the required information about that processing on behalf of both itself and the ad network.
|“Adtech businesses should re-assess their roles and responsibilities under the new GDPR. In certain scenarios, it might be worthwhile making active use of the concept of joint controllership.”
Dr Flemming Moos, Partner, Germany
9. Potential penalties under the GDPR are eye-watering
Businesses which fail to comply with the GDPR’s requirements can be fined €20 million or up to 4% of their worldwide turnover (whichever is higher) for serious breaches. The GDPR also provides for a form of “class action” that public interest groups can bring on behalf of affected data subjects.
|“The huge potential fines under the GDPR, coupled with long-arm extra-territorial reach, mean the risk profile for US adtech businesses will be massively multiplied come 2018.”
Steve Wilson, Partner (UK qualified), Silicon Valley
10. There’s not a lot of time to get your business in shape
The GDPR is expected to be passed into EU law in the coming months in 2016 following preparation of all language versions and final technical checks. It will then become effective two years later. Some businesses will need to drive through major operational and technical changes in that period in order to achieve compliance by the time the legislation becomes effective.
|“The adtech industry may benefit from getting behind one or more trade associations and agreeing a code of conduct for approval by the data protection authorities. The GDPR expressly envisages that different sectors may wish to do so to help clarify how the Regulation applies in their space.”
Nick Johnson, Partner, UK