About IAB Europe
Media Technology Agencies
25 European national trade groups
70 direct corporate members
representing over 5000 companies
What I’m going to cover:
1. The GDPR – what has happened since May?
2. E-Privacy – state of play on the new proposed regulation
3. Learnings & options going forward
1. GDPR – May 2018 until now
• New European Data Protection Board, with power to take binding decisions and levy fines
• European Commission / DG JUST dialogue with industry
• National DPAs in period of “constructive engagement” with companies – for how long?
• IAB Europe – Transparency & Consent Framework
1. GDPR – May 2018 until now
• New European Data Protection Board, with power to take binding decisions and levy fines
• Only locus of judicial review is the European Court of Justice (CJEU)
• Corpus of Article 29 Working Party Opinions has been officially (re-)ratified – EFFECT?
• No real improvement (yet) in processes for consulting business
1. GDPR – May 2018 until now
• Role of the European Commission
• Continuing engagement by DG JUST / Commissioner Jourová
• DG JUST would own any future revision of the GDPR
• Ongoing dialogue with industry via regular roundtables – practical, results-oriented approach
Věra Jourová, European Commissioner for Justice, Consumer Protection & Gender Equality
Transparency & Consent Framework
http://advertisingconsent.eu
Transparency & Consent Framework
What does the TCF currently do?
• The TCF enables dynamic disclosures of third parties partnering with publishers and providers of other online services, and the collection and propagation of information about user consent for data processing by same
• Interface with the user is a CMP – Consent Management Provider
• Disclosure enables use of the legitimate interests legal basis, so there is “partial accommodation” of legitimate interests – more on this below
• User consent is captured in binary daisy string format
• Cookie and mobile app implementations currently
Transparency & Consent Framework
What does the TCF currently do (cont’d)?
• Vendors register on Global Vendor List – select data processing purposes they need consent for
• Publishers allow disclosure only of vendors they authorise
• Users consent to specific vendors and specific data processing purposes
• Currently five data processing purposes:
  ▪ Information storage & access
  ▪ Personalisation
  ▪ Ad selection, delivery & reporting
  ▪ Content selection, delivery, reporting
  ▪ Measurement
• Three “features” – offline data matching, device linking, geolocation data use – linked to purposes
Transparency & Consent Framework
Extending the TCF to accommodate legitimate interests legal basis
• Publisher feedback as from March 2018 made clear support for legitimate interest was a condition for uptake
• IAB Tech Lab considered different technical options and proposed out-of-band signal, a JSON (text) file solution
• Would make the TCF a compound solution => daisy string + Pubvendors.json
• Pubvendors.json sits on publisher or other website
• Standardised way for publishers to whitelist vendors whom they wish to work with and prescribe what those vendors may do
• Publishers can limit purposes and features on a per vendor basis
• Must be read by vendors and is binding on them
Transparency & Consent Framework
Extending the TCF to accommodate legitimate interests (cont’d)
• Facilitates GDPR compliance by providing an audit trail since files will be versioned
• Optional v. mandatory deployment by publishers – still under discussion
• Tools to help publishers generate pubvendors.json file and help vendors ingest it are under construction
• Extension has required overhaul of TCF Policies
  ▪ Policies Working Group continuing to work through issues arising – target timing = end October
• Initial public consultation version of technical specification issued in May
• Implementation version expected in Q4 of 2018
• Daisy string spec will also be modified to add a flag to alert vendors to presence of pubvendors.json file and pass the version of the file that was used
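The vendor-side check these two slides imply, as an added example that is not from the presentation or the TCF specification: a vendor may process only when the publisher file whitelists it for the purpose, the user's signal covers both vendor and purpose, and the file version referenced by the signal matches. The JSON field names, the "5 purpose bits then one bit per vendor id" signal layout and the version argument are simplified assumptions, not the published pubvendors.json schema or daisy string encoding.

```python
import json

N_PURPOSES = 5  # the five purposes listed on the slide, numbered 1..5 here

# Constructed publisher file; field names are hypothetical, not the published schema.
PUBVENDORS = json.loads("""
{"version": 3,
 "vendors": [{"id": 12, "purposes": [1, 3, 5]},
             {"id": 40, "purposes": [1]}]}
""")

def parse_consent(bits):
    """Split a simplified bit string: 5 purpose bits, then one bit per vendor id."""
    if len(bits) < N_PURPOSES or set(bits) - {"0", "1"}:
        raise ValueError("malformed consent bits")
    purposes = {i + 1 for i, b in enumerate(bits[:N_PURPOSES]) if b == "1"}
    vendors = {i + 1 for i, b in enumerate(bits[N_PURPOSES:]) if b == "1"}
    return purposes, vendors

def may_process(vendor_id, purpose, consent_bits, pv_version_in_signal,
                pubvendors=PUBVENDORS):
    """Return (allowed, reason); deny by default on any mismatch."""
    if not 1 <= purpose <= N_PURPOSES:
        return False, "unknown purpose"
    # The signal names the file version the user was shown; a stale file is not trusted.
    if pv_version_in_signal != pubvendors["version"]:
        return False, "pubvendors version mismatch"
    allowed = {v["id"]: set(v["purposes"]) for v in pubvendors["vendors"]}
    if vendor_id not in allowed:
        return False, "vendor not whitelisted by publisher"
    if purpose not in allowed[vendor_id]:
        return False, "purpose not permitted by publisher"
    user_purposes, user_vendors = parse_consent(consent_bits)
    if vendor_id not in user_vendors:
        return False, "no user consent for vendor"
    if purpose not in user_purposes:
        return False, "no user consent for purpose"
    return True, "ok"

# Constructed signal: purposes 1 and 3 consented; vendors 12 and 40 consented.
SAMPLE_BITS = "10100" + "".join("1" if i in (12, 40) else "0" for i in range(1, 41))

if __name__ == "__main__":
    for vendor, purpose in [(12, 3), (12, 5), (40, 3), (7, 1)]:
        print(vendor, purpose, may_process(vendor, purpose, SAMPLE_BITS, 3))
```

Logging the returned reason together with the file version gives the per-decision audit trail the slide attributes to versioned files.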
Transparency & Consent Framework
• Data processing purposes
▪ Revision of purposes to simplify, reflect DPA feedback and additional publisher objectives
▪ Reconciling consumers’ need for simplicity, vendors’ need for operational efficiencies, publishers’ need for control & “flexibility”
▪ Idea of splitting purposes disclosed to users, on the one hand, from “back-end” publisher controls, on the other, has been floated, but utility of the signal depends on standardised wording and clarity around what data processing user actually consented to & what was disclosed
▪ “Data Processing Purposes” Working Group continuing to work through issues
2. E-Privacy – the new proposal
• Why another new law?
• What does it cover?
• What could its impact be?
• Where are we in the process?
• What can be done?
• [AI argument]
The Cookie law (current vs proposed)
ePrivacy Directive Article 5(3)
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…
Unless its sole purpose is carrying out a transmission of a communication, or strictly necessary to provide explicitly requested services.
ePrivacy Regulation Article 8(1) (Original Proposal)
The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
a) Solely necessary for transmission of communication;
b) Consent has been given;
c) Functional reasons (i.e. shopping cartcookies);
d) Web audience measuring;
What does it mean?
• ‘Storing information’, ‘making use of storage and processing capabilities’, and ‘accessing/collection’ of information stored means:
• In short: if you want to make use of device data, you need consent.
[Slide graphic labels: cookies, device fingerprints, device IDs, images directory]
How does this relate to GDPR?
• The ePrivacy Directive is more specific, therefore it takes precedence over GDPR where it is relevant. This lex specialis concept is enshrined in the GDPR.
• ‘Consent’ in ePrivacy (Directive or Regulation) is defined by the GDPR.
• For data processing, GDPR has six co-equal legal bases for processing, whereas ePrivacy specifies that storing and/or accessing information can only be justified by consent.
Relationship between ePrivacy Directive and GDPR
• Collection of data from a user’s device requires consent under the ePD.
• Processing of personal data requires a GDPR legal basis, e.g. consent, or legitimate interest.
• Where both apply at the same time the more specific rule of the ePD prevails.
[Diagram labels: Collection of data from a device; Processing personal data; Consent; GDPR Legal Basis; ePrivacy Directive; GDPR]
ePrivacy rules before GDPR
[Diagram: ePrivacy Directive Cookie Consent Rule – GET CONSENT AS DEFINED BY: Data Protection Act, Wet bescherming persoonsgegevens, Bundesdatenschutzgesetz]
ePrivacy rules after GDPR
[Diagram: ePrivacy Directive Cookie Consent Rule – GET CONSENT AS DEFINED BY: General Data Protection Regulation]
Reminder – Consent per the GDPR
Consent is
• Clear affirmative action signifying agreement to the processing of personal data.
• Freely given, specific, informed, and unambiguous.
• Need to be able to demonstrate that the user has consented to the processing of their personal data.
• Consent must be revocable at any time. Revoking consent must be as easy as granting consent.
Reminder – Consent per the GDPR
Consent is NOT
• Consent ≠ silence/inactivity
• Consent ≠ freely given if inappropriately bundled.
• Consent ≠ freely given if inappropriately a condition
• Consent ≠ freely given in situations of “power imbalance”
ePrivacy Regulation – what is being proposed?
• The European Parliament’s Report calls for:
• A prohibition on denying access to users who do not consent to data being used for advertising purpose;
• Software Privacy Settings – any software must offer the option to prevent any other party from interfering with a device, a range of settings has to be presented on each installation;
Is there any chance for a ‘lighter’ touch?
• The European Council has as of yet NOT agreed on an approach;
• There seems to be some will to introduce more exemptions from the consent rule, but no traction for alternatives to consent.
• There may be an exemption for security and fraud prevention in Council’s text.
• The Commission’s proposal introduced an exemption for ‘web audience measuring’ but this is being interpreted strictly as ‘mere statistical counting’.
WHO IS IN CHARGE IN COUNCIL?
• Rotating presidency of a member state of the EU
• Presidency changes hands every 6 months
• President member state is Council chief negotiator
Malta: H1/2017
Estonia: H2/2017
Bulgaria: H1/2018
Austria: H2/2018
Romania: H1/2019
Finland: H2/2019
Croatia: H1/2020
Germany: H2/2020
Portugal: H1/2021
Slovenia: H2/2021
France: H1/2022
Czech Republic: H2/2022
3. Learnings & options going forward
• Erosion of position / perception of online advertising since GDPR was first proposed
• “Perfect storm” of multiple factors
• Growing gap between business and regulators
• Can compliance + ‘smart’ challenging of extreme provisions in the GDPR be a way to bridge the gap?
3. Learnings & options going forward
• Erosion of position / perception of online advertising since GDPR was first proposed
Viviane Reding, former EU Commissioner
Giovanni Buttarelli, European Data Protection Supervisor (EDPS)
Since 2012, data-driven advertising has gone from something that was OK if users had transparency & control (GDPR) to something they need to be protected from out of the box
3. Learnings & options going forward
• “Perfect storm” of multiple factors:
• Snowden / government surveillance issue
• Companies seen as benefitting the most are non-European
• Data breaches (e.g. Cambridge Analytica)
• Fake news
• Difficulty of rendering technically complex subjects to lawmakers
• Timing of EU copyright reform
• Potential media allies have split focus
• Actual course of the file is an aggravating factor
3. Learnings & options going forward
• Growing gap between business and regulators
• On the one hand,
  ▪ Industry focused on data-as-the-new-oil
  ▪ Individual companies competing in an ever-more-challenging market
  ▪ Rapid technological evolution, AI, etc.
• Meanwhile,
  ▪ Civil society and some regulators may see GDPR and ePrivacy, in combination, as opportunity to end “tracking” once and for all
=> Parallel universes of discourse?
3. Learnings & options going forward
• IAB Europe strategy
• Lead on GDPR compliance
• TCF
• Engagement with EDPB, DG JUST
• Counter the narrative that only non-Europeans benefit
• Challenge extreme notions in the GDPR (e.g. freely-given consent)
• Public speaking, blogs, etc.
• Academic articles
• Legal challenge?