On 22 March, 2018, a mere two months before the GDPR is enforced, Google announced on its blog that it would be updating its EU consent policy, requiring publishers to take extra steps in achieving consent from their users. As part of its commitment to comply, Google has designated itself as a data controller under GDPR, rather than a data processor, as many in the industry would have expected, based on their understanding of the GDPR, and Google's role within the advertising ecosystem. Google is calling itself a controller, because the company regularly makes data decisions to deliver and improve ad products, rather than merely processing that data, based on the decisions of the publisher. Under the label of 'controller', Google is taking a hard line on obtaining user consent, rather than claiming legitimate interest. A reassuring stance for the advertiser, as it means Google is taking on additional responsibility for how data is processed. However, it's pretty damning news for the publisher; and it has sent the publisher community into somewhat of a tailspin.
International publisher trade bodies have joined forces to pen an open letter to Google CEO Sundar Pichai voicing the strong publisher concerns about what Google classing itself as a data controller will mean for their ongoing efforts to become GDPR-compliant, as well as putting a number of questions forward, to which publishers require immediate answers. The letter, signed by CEO of Digital Content Next, Jason Kint; Angela Mills Wade, executive director of the European Publishers Council; David Chavern, president and CEO, News Media Alliance; and David Newell, CEO, News Media Association, highlights a number of concerns with Google's self-categorisation as a data controller, and the onus this now places on publishers, so close to the GDPR enforcement deadline.
"As the major provider of digital advertising services to publishers", the letter states, referring to Google, "we find it especially troubling that you would wait until the last minute before the GDPR comes into force to announce these terms, as publishers now have little time to assess the legality or fairness of your proposal, and how best to consider its impact on their own GDPR-compliance plans, which have been under way for a long time."
The open letter acknowledges that all companies need to work out for themselves how to achieve compliance under GDPR, and that there is no one-size-fits-all solution, but accuses Google of being completely self-serving, arguing that its proposal, "severely falls short on many levels", with the framework seemingly only focused on, "protecting [Google's] existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law".
The letter maintains that, according to the framework outlined by Google, the company will rely on publishers to obtain legally valid consent on its behalf, so that Google can then process this personal data to its own gain, without providing details about how that data will be used. Basically, Google has offered publishers Hobson's choice: comply or leave with nothing.
Publishers are taking great issue with the fact that Google will dictate how they gain consent, and threaten to stop showing ads on publisher sites if the method, otherwise known as the consent mechanism, isn't up to scratch. The trade bodies are calling the behaviour anti-competitive: "If Google dictates how that mechanism would look and prescribes the number of companies a publisher can work with, this would limit the choice of companies that any one publisher can gather consent for, or integrate with, to a very small number defined by Google."
The trade bodies believe Google designating itself as an independent controller; and shifting liability of obtaining consent onto the publishers' shoulders, is concerning for three key reasons.
Google should not be considered as a controller over data received from publishers, or collected on publisher pages, in connection with advertising services provided to publishers, and full disclosure should be provided, as to what Google intends to do with that data: "Claiming such broad rights over all data in the ecosystem, without full disclosure, and without providing publishers the option for Google to act as a processor for certain types of data, appears to be an intentional abuse of [Google's] market power."
Google states it will need "affirmative, express consent" as its legal basis to process European citizens' data. To understand what this means, it's important to clarify the definition of 'legal basis'. To process data lawfully, the data controller (in this case, both Google and the publisher) must have a 'legal basis' for the particular processing activity taking place. This means the controller can use that data for one particular purpose, but it would be unlawful to use that same data in a different context. With Google choosing consent as its legal basis, rather than legitimate interest, it will require all users to physically agree to their data being processed, and the methods with which it will be processed. But Google wants the publishers to obtain this consent on its behalf, specifically for "collection, sharing, and use of personal data for personalisation of ads or other services". The problem with this, as outlined in the letter to Google, is that the publishers will be given no specific information as to how Google plans to collect, share, and use this data. How can a publisher compliantly gain user consent under GDPR, if it has no idea what is going to happen to the data the user has provided consent for?
Furthermore, Google forcing publishers to gain consent as the legal basis essentially blocks the publishers from processing data under the alternative legal basis of legitimate interest, something they may want to do outside of the purposes of digital advertising.
The letter highlights the concern for Google's attempt to transfer liability for consent to the publisher. Google refuses to provide specific detail to publishers about its intended practices, with regard to the processing of user data, but in spite of this it will make the publisher bear the full burden of the responsibility, and potentially enormous fines, should it fail to get "affirmative, express consent" on Google's behalf. There are many contracts in place between Google and publishers, by which the publisher agrees to compensate Google for any loss it may incur. The latest terms outlining the framework for GDPR compliance are actually referred to in these existing contracts, meaning the publisher has no fallback and could be ruined. The letter is pushing for mutual indemnification, with limitations on the level of liability against the publisher.
The trade bodies want answers, and are imploring Google to make clear its intentions as a data controller under GDPR. Google's 'take it or leave it' approach is leaving the publishers high and dry, and the clock is ticking.