The Law, the ‘Outlaws’ and Ad Tech’s O.K. Corral

The first shots have already been fired. The French sheriff, CNIL, went in guns blazing last year, in quick succession taking out Teemo, Fidzup, Singlespot and (most famously, because it involved the IAB’s Transparency and Consent Framework which many ‘outlaws’ are banking on to turn them into ‘honest’ men) Vectaury – four French ad tech companies which provide ad targeting based on geolocation data.

CNIL also wrestled a six-shooter from its counterparts in other EU states for the chance to put Google in its post-GDPR enforcement crosshairs. The French sheriff landed a shot, causing the Silicon Valley giant to bleed 50 million pieces of European copper and zinc for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. More than a flesh wound perhaps, but the fine certainly won’t be fatal.

The UK’s ICO has taken a different tack. After months spent recceing Tombstone, engaging in bilateral talks with stakeholders, surveying the public and convening an ad tech fact-finding forum to deepen her Office’s understanding, sheriff Denham has just released her update report into ad tech and real time bidding which sets out her Office’s findings so far. In a sentence (her words): “the adtech industry appears immature in its understanding of data protection requirements”.

Whilst a definitive view is yet to be reached, sheriff Denham has “general, systemic concerns around the level of compliance of RTB”. She has therefore prioritised two areas for further analysis and exploration: processing special category data without explicit consent, and the complexity of the data supply chain. Next steps involve targeted information-gathering activities, continued engagement with key stakeholders (including a further fact-finding forum in the autumn), cooperation with other data protection authorities, and a possible industry sweep. In the meantime, she expects ad tech data controllers to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.”

Despite reports of cattle-rustling taking place under her watch, the Irish DPC’s perceived inactivity during her tenure has prompted some to suggest – unfairly perhaps – that sheriff Dixon is a soft touch. But, doubtless encouraged by the French sheriff landing a shot, sheriff Dixon has recently put up her own wanted poster for Google, announcing a statutory inquiry into its Irish affiliate’s online ad exchange. Rumour has it that more posters will follow, featuring other familiar faces from the Valley. Let’s see what prices she puts on their heads.

And what of the ‘vigilantes’ who, tired of inertia, are starting to take the law into their own hands? Max Schrems’ association ‘None Of Your Business’, and the 10,000-strong ‘La Quadrature du Net’, prompted CNIL to take on Google. Dr Johnny Ryan put on a ‘Brave’ face, and is behind various complaints about online behavioural advertising to sheriffs in the UK and Ireland – prompting others to follow suit across the EU. In one such complaint, Dr Ryan is seeking to challenge IAB Europe’s ‘cookie wall’, ‘cookie notice’ and guidance on cookies. Sheriff Dixon even cited him as a catalyst for her statutory inquiry into Google Ireland. Privacy International is bringing up the rear with its own complaints against data brokers, ad tech companies, and credit referencing agencies in the UK, Ireland and France.

Part of the trouble is that, as a matter of law, there’s been much uncertainty even as to which ‘outlaws’ are in control, and which ones are just doing what they’re told. The maroon-robed justices of Europe’s highest court have been slow to offer much guidance. But we’ve at least now got the Facebook Fan Pages and Jehovah’s Witnesses cases on the concept of controllership, with the promise of more to follow. Separately, on cookie consents, Advocate General Szpunar’s opinion on the Planet49 case has also now been delivered.

The GDPR has been a catalyst for this shootout, in particular by raising the bar on consent. No surprise then that the e-Privacy Regulation – which was due to ride into town with the GDPR last May – saw the chaos that had been unleashed, got cold feet and turned around, then galloped off into the sunset. It may or may not return any time soon.

The gunfight at the O.K. Corral was said to symbolise a change in the United States, as its Western frontier disappeared and the rapidly industrialising nation evolved from a farming economy. As we now advance rapidly into a digital economy, confrontations between privacy and innovation are becoming the norm in the EU. No sector is immune – not least advertising. But privacy is not, and must not be, a zero-sum game. So in the shootout, whilst some casualties are likely, we need to make sure that privacy doesn’t kill off the very innovation that is helping to drive that change.