Tomorrow is the one year anniversary of the EU’s General Data Protection Regulation (GDPR). The landmark law created a unified, pan-European approach to privacy and data regulation. It was designed to protect EU citizens against non-consensual data collection by global tech companies and give individuals more control over their personal data. It also carries potentially severe penalties for violators.
Since being implemented last May, GDPR has impacted privacy debates around the world. It has also been an influence on California’s forthcoming CCPA, set to take effect next January. But has GDPR accomplished what it set out to do; is it working?
For perspective, we asked Johnny Ryan, chief policy and industry relations officer at Brave Software. A long-time privacy advocate and vocal critic of industry data-collection practices, he was substantially responsible for the recently announced Irish investigation into potentially improper exposure of personal data in Google’s programmatic platform.
We invited him to reflect on the impact of GDPR on the digital ecosystem and how it has changed the lives of marketers. Most of the changes Ryan expects have yet to take place, as he discusses in the interview below.
ML: What have been the most significant effects of GDPR on marketers and brands?
JR: Marketers are now controllers, even when they do not realize that they are. This exposes them to legal hazards, and will ultimately cause them to be more careful about the targeting that is used in their campaigns. In June the European Union’s highest court ruled that marketers are responsible for how data is used in marketing campaigns — even if they never directly touch the data.
The European Court of Justice ruled that a marketer’s use of Facebook for advertising “gives Facebook the opportunity to place cookies on the computer or another device of a person visiting its fan page, whether or not that person has a Facebook account.” In addition, the Court observed that the marketer “can ask for — and thereby request the processing of — demographic data relating to its target audience” such as age, sex, relationships, occupation, lifestyles, areas of interest, purchases and online purchasing habits, and geographical data. According to the Court, a marketer is therefore “a controller responsible for that processing.”
This applies to RTB: marketers are liable as “controllers” of the processing undertaken by the various adtech businesses involved in the RTB system on their behalf. RTB broadcasts personal data without security in hundreds of billions of bid requests every day. It is the most massive data breach ever recorded. Marketers now find themselves liable for it because of the adtech companies they or their agencies work with.
ML: What has changed in the day-to-day lives of marketers following GDPR?
JR: Most marketers are not aware of the risk that RTB companies expose them to. Otherwise, they would already have conducted data protection impact assessments (DPIAs), as required by Article 35 of the GDPR. DPIAs are required when AdTech is profiling and using intimate personal data (referred to as “special category personal data” in article 9) on a large scale to target people in the European market. The inescapable conclusion of any such assessment is that RTB is a “data protection free zone,” as The Economist indicated. This conclusion triggers Article 36 of the GDPR, requiring a marketer to alert a data protection regulator in an EU Member State about the risks it has uncovered.
ML: What changes have you observed in data collection practices?
JR: Change has yet to happen. As I told the Senate Judiciary Committee when I testified this week, we are at the very start of the application of the GDPR. But things are looking bleak for Google, Facebook, and the conventional RTB companies. They will be forced to reform.
ML: There seems to be a fair amount of non-compliance with GDPR. Why haven’t there been more fines or callouts of violators?
JR: [This week] the Irish Data Protection Commission announced that it was launching a probe of Google DoubleClick/Authorized Buyers on suspicion of infringement. This, finally, marks the start of enforcement action that will force adtech to reform.
ML: Have there been any “unintended consequences” of GDPR? For example, some argue that it has strengthened the hand of dominant companies vs. smaller competitors.
JR: First, let me dispel this idea that Google and Facebook benefit from the GDPR in the medium term. The GDPR is risk-based. That means Big Tech that creates big risks gets big scrutiny and potentially big penalties. Regulators are only starting to enforce the GDPR and it will take years to have full effect. But already, things are looking bleak for our colleagues at Google and Facebook. Their year-over-year growth has declined steadily in Europe since the GDPR – despite a buoyant advertising market.
They face multiple investigations and it is very likely that they will be forced to change how they do business. Google’s consent has already been ruled invalid. Yes, of course things are even bleaker for other tracking companies that don’t have a search business to fall back on, as Google does.
Second, let me talk about the nonsense “consent” notices that currently despoil the Web. The IAB’s consent gambit was certainly an unintended consequence. However, these annoying and unlawful consent notices will become a rarity, if there is enforcement. Article 7 (3) of the GDPR requires that an opt-in must be as easy to undo as it was to give in the first place, and that people can do so without detriment.
Once this is enforced, consent messages will become far less annoying in Europe – because if a company insists on harassing you to opt-in, and you finally click OK, it will be required to keep reminding you that you can opt back out again. In addition, most of the consent notices are for RTB companies whose processing is itself unlawful. So enforcement against Google and the IAB on RTB will prevent the majority of these notices.
ML: Finally, what does the experience of GDPR in Europe say about the implementation of CCPA in the US?
JR: Very little. Although its animating principles are noble, I think the CCPA is a pale imitation of the GDPR.