EU General Data Protection Regulation: What You Need to Know (Part 3)

In the third of a series of pieces exploring the new General Data Protection Regulation (GDPR) coming into force across the EU, ExchangeWire hear from Yves Schwarzbart (pictured below), head of policy and regulatory affairs, IAB UK, about the road to compliance.

27 April, 2016 will likely go down in history as the dawn of a new age in data protection. It was the day that Martin Schulz, President of the European Parliament (EP), dotted the i’s and crossed the t’s of the now formally ratified General Data Protection Regulation (GDPR). His signature put an end to one of the most significant legislative developments of the digital age. The new rules will start being applied from 25 May, 2018; and, from start to finish, it will have taken over six years to bring the world’s most comprehensive data protection framework into being.

There’s already been a fair amount of noise about what the new rules might mean in practice. This will no doubt increase as the time left to achieve compliance and enforcement dwindles. Any lingering suspense is by no means surprising. Despite setting out to provide one set of clear and streamlined rules for the entirety of the European Union (EU), the final outcome is one riddled with open doors for national flexibility and filled with ambiguity.

Making sense of this ambiguity is the most significant exercise for any sector. The digital advertising industry will have to do its part to define these ambiguities within its own context through organisations such as the IAB. Identifying the most pressing issue areas that our industry needs to address should, therefore, serve as a good starting point.

Back to basics: What is personal data?

The GDPR undoubtedly broadens the scope of personal data compared to existing law and – perhaps more importantly – also goes far beyond the distinctly US notion of ‘Personally Identifiable Information (PII)’.

One thing is clear: personal data under the GDPR is not just data that allows companies to identify an individual by name or other directly identifiable data. Rather, the new rules place a great emphasis on direct and indirect identification, or, more precisely, the potential to ‘individuate’ through, for example, certain location data or unique identifiers. In other words, the opportunity to ‘single out’ a device for the purpose of audience segmentation will – in all likelihood – already qualify as processing personal data.

This isn’t to say that all data will be treated the same, or that all data will automatically be personal data. The GDPR still clarifies that ‘anonymous’ data falls outside its scope; although anonymous data is perhaps harder than ever before to define, given the broad definition of personal data. The GDPR also provides the first legal definition of ‘pseudonymised data’. Although still considered personal data, processing pseudonymised data will bring with it certain benefits to ease the burden of compliance in a number of areas (more detail below).

The Compliance Journey (1): Find yourself a legal basis to process personal data

Yves Schwarzbart | IAB UKUpon determining whether the processing of personal data takes place, a company will need to look for a legal basis on which it can justify this processing. To that end, the GDPR sets out six grounds for justification. Of the six, the two most frequently associated with the digital advertising industry are ‘consent’ and the ‘legitimate interest’ clause.

Obtaining consent from users is already a hot topic for industry with the implementation of the revised ePrivacy Directive (aka the ‘cookie law’) in May 2011. This law remains in place, but will go through a review to align it with the GDPR (expected in 2016/17).

The GDPR itself goes to great lengths to strengthen the role of consent as a control mechanism for individuals. Any processing of personal data will require the ‘unambiguous’ consent of the individual, unless the processing is about so-called special categories of personal data (i.e. sensitive data such as health data or ‘data revealing racial or ethnic origin’) in which case the ‘explicit’ consent from the user is needed. What ‘unambiguous’ consent means in practice will require further clarification though, not least as affirmative action is required to ensure its validity.

As Eduardo Ustaran outlined in Part 2 of this series those relying on consent as grounds for processing will have to meet very high conditions, beyond the ones mentioned above, including the burden of proof. Many of these standards will, therefore, be easier to meet for those companies that have a direct relationship with users, whether these are advertisers, platforms or publishers.

The GDPR also allows for the processing of personal data if a company can show that it is necessary for its legitimate interest. This applies having gone through a balancing test to assess the effect of its processing activities vis-à-vis the ‘interests or fundamental rights and freedoms of the data subject which require protection of personal data’. In the past, data protection authorities across Europe generally regarded this legal justification as unsuitable for a large part of the online advertising industry, particularly for ad tech providers.

That said, there are reasons to believe that this rather restrictive interpretation of the legitimate interest legal ground may need reviewing. The GDPR offers increased rights for individuals (see below) and, as mentioned above, incentivises companies to provide further safeguards, such as pseudonymisation, that work in the interest of an individual, making this a particular interesting area for the digital advertising industry.

The Compliance Journey (2): Understand an individual’s rights and your obligations

Once a company has found a way to lawfully process personal data, it will have to consider the rights it has to offer individuals, as well as the obligations it is required to adhere to under the GDPR.  Again, in his earlier piece on the GDPR, Eduardo Ustaran provides a comprehensive overview of these rights and accountability obligations. In the digital advertising context, highlights include the right not to be subject to profiling, as well as the likely need for mandatory data protection officers.

The GDPR has put a lot of attention on the notion of ‘profiling’ and its effects on individuals. The definition put forward by the new rules arguably captures many of the activities prevalent in the digital advertising industry; and particularly comes into play when profiling activities lead to so-called ‘legal effects’ or ‘similarly significantly affects’ to the individual. In such cases, the GDPR calls for the ‘explicit’ consent from the individual. Therefore, the issue for the industry is that we are, once again, facing uncertainty over what exactly those legal (or similar) effects are.

The need to designate a mandatory Data Protection Officer (DPO) in those cases where processing requires ‘regular and systematic monitoring of data subjects on a large scale’ will likely be an area in which many companies in the digital advertising industry will face an increase in compliance costs. Intended to ensure compliance with the GDPR, the DPO will enjoy special protections and must report into the highest level of management. They can be recruited from within, as long as they have the expertise to perform their duties and may also fulfill another role as long as it does not result in a conflict of interest.

The Compliance Journey (3): The cost of non-compliance

There is no doubt that the announcement of new fines for data protection breaches has been a true GDPR headline-grabber. And for good reason. Under existing rules, the level of fines is regulated nationally, resulting in fines of up to £500,000 that the Information Commissioner’s Office (ICO) can issue in the UK. The GDPR will give data protection authorities across the continent the power to charge fines of 4% of global annual turnover, or €20 million, whichever is higher. It is a true game changer.

Therefore, there is a clear case for long-term investment in data protection compliance for companies operating in the digital advertising industry. Making the investment in the short term will almost certainly save money in the long run. Agreeing new data protection rules for Europe has been a long and arduous effort. The many open questions the industry is left with makes the implementation of the rules no less difficult. The IAB is here to help advertising businesses navigate this on the path towards compliance. But, in the meantime, any time spent on understanding the GDPR is certainly no time wasted.