Summit Snapshot: GDPR Policy Imperatives, Just the Facts

August 2, 2017

Big Idea: On the policy front, European digital advertising organizations are formulating plans to address the fast-approaching GDPR, a European Union law that will alter how advertisers and marketers conduct business in Europe -- and possibly elsewhere.

This blog is Part I of II. Part II discusses how some parts of the interest-based advertising ecosystem are preparing for GDPR adherence.  No information imparted in this blog series should be construed as legal counsel. Rather this post is strictly for information purposes only.

The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, leaving affected organizations less than a year to come up with compliance strategies for what will be a significant change in European data regulation.

When GDPR was adopted last April, press coverage focused on its firm penalties for non-compliers: fines equaling 20 million Euros or four percent of annual global turnover -- whichever is more.  Stifling.

Those in the digital advertising industry are more focused on solutions. At last month’s “Digital Advertising Accountability Workshop” held at the Digital Advertising Alliance’s Summit 2017, three experts in European data privacy who are committed to finding the best strategies for compliance -- Shannon Yavorsky, partner at Venable LLP; Matthias Matthiesen, senior manager of privacy and public policy at IAB [Interactive Advertising Bureau] Europe; and Mathilde Fiquet, vice chair of the European Interactive Digital Advertising Alliance (EDAA) and EU affairs manager for the Federation of European Direct and Interactive Marketing (FEDMA) -- gathered on a panel to explain the regulation, as it is currently understood with more promulgation to come, and to discuss its many implications for marketing organizations that engage in responsible data collection for advertising purposes.

The scope of the regulation alone begs appreciation, the panel reported. Whereas the EU’s previous Data Protection Directive affected organizations with offices, branches or equipment in the EU region, the GDPR will apply to any organization that offers goods or services in Europe -- thus, it is an “extraterritorial” regulation. Likewise the new regulation is not a new directive that requires the implementation of separate national laws but rather a single law that covers all EU members. No enabling legislation of individual EU member states is required for the regulation to take effect… on May 25, 2018, and counting down.

The GDPR is the “biggest overhaul of European data protection law in the last 20 years,” Yavorsky put it simply.

Photo: (From left to right) Matthias Matthiesen, senior manager of privacy and public policy at IAB (Interactive Advertising Bureau) Europe; Shannon Yavorsky, partner at Venable LLP; and Mathilde Fiquet, vice chair of the European Interactive Digital Advertising Alliance (EDAA) and EU affairs manager for the Federation of European Direct and Interactive Marketing (FEDMA)

Likewise, a draft of a second EU privacy initiative, the e-Privacy Regulation, which was released in January and is still being reviewed by European lawmakers, in many ways complements the GDPR, also expanding on the EU Data Protection Directive -- which technically remains law until May 25 next year. Whether or not EU regulators decide to co-install the ePrivacy Regulation alongside GDPR in May 2018 is not yet decided, the panelists stated.

As Fiquet explained, while the proposed e-Privacy Regulation targets the electronic communication sector, it goes further by invoking Article 7 of the EU’s Charter of Fundamental Rights, which guarantees respect for private and family life.

Photo: Mathilde Fiquet, vice chair of the European Interactive Digital Advertising Alliance (EDAA) and EU affairs manager for the Federation of European Direct and Interactive Marketing (FEDMA)

A key feature of the GDPR surrounds the meaning of consent, provided by consumers to the processing of their personal data. Most notably under the Regulation, companies who choose to, or must, ask for consent to justify personal data processing have to obtain a “clear affirmative act” of consent from consumers, which must always be revocable.

Under the existing e-Privacy Directive, better known as the “Cookie Directive” companies collecting data must ask for consent, but until now EU member states interpreted this term differently. As Matthiesen said, “we used to have this understanding that you could consent by failing to say no, this implied-consent notion.” The GPDR defines consent as strictly active permission, i.e., users must “opt in” after notice and a choice mechanism are provided.  This could be similar to the current-day practice in Europe of providing consumers advance notice of sites that place “cookies” on would-be site visitors, and giving an opportunity for visitors to exit a site before such a cookie or other unique identifier is used.

In light of this change in the acceptable means of obtaining “consent,” Matthiesen suggested that the industry look to existing models for inspiration, pointing to some EU members who already require opt-in mechanisms under the Data Protection Directive. For example, in the Netherlands, consumers must provide active consent before any user data is touched, an obligation Dutch sites comply with by installing so-called consent walls. Less clarity exists on how required consent records should be created and passed on to relevant parties in the ecosystem.

Some questions also persist about what will happen in the United Kingdom as it leaves the European Union. The GDPR will take effect before “Brexit” officially takes place up to two years later, and, according to Yavorsky and Fiquet, the UK will likely keep the regulation anyway or replace it with something very similar -- in a bid to protect “reciprocity,” where British law is deemed by the EU to have at least equal data protection to EU citizens as those protections within the EU itself. Thus, the panel stated, not much anomaly should be expected in Britain.

Currently, American corporations may elect to participate in “Privacy Shield” -- a U.S. Department of Commerce program that is a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. There are other means for transferring data outside of the EU as well under the current regime, such as model contract clauses, binding corporate rules or direct agreements with EU data protection authorities.

While the GDPR institutes unambiguous changes in data law, privacy teams have struggled to interpret the sweeping regulation into concrete plans, and European regulators have not yet divulged clear paths to compliance. 

“Solutions will come within the industry,” Matthiesen assured, noting the reticence of EU policymakers in this conversation.

After an explanation of the regulation, Yavorsky led the panel to address perhaps the most pressing question: “In the next year, what should the industry be doing to prepare for the GDPR?”

Firstly, businesses should evaluate the challenges they will face and how exactly the GDPR will affect them.

“Know your data,” Matthiesen advised, “do a mapping of all your data processing.” IAB Europe has published a compliance primer to help businesses take on this process.

Above all else, though, the panel stressed the need for industry collaboration.

“It is impossible for any single company embedded in an ecosystem to become compliant completely by themselves, this has to be a cooperative effort [...] the only way for us to figure this out in a form that should give enough confidence to industry participants is together,” Matthiesen emphasized.

Fiquet reaffirmed this point, “the industry needs to develop a solution as a whole.” Organizations such as IAB Europe, EDAA and FEDMA are spearheading such efforts, working toward critical industry-wide frameworks and codes of conduct. Likewise, these groups need support from the industry in their work.

“We are the ones telling your story to the regulators,” Fiquet said on behalf of trade associations, “ensuring that they get it.”

Part II regarding DAA Summit 2017 and GDPR -- GDPR in practice -- will appear shortly.

Thank you to Charlie Tomb for his editorial support toward our Summit Snapshot 2017 blog series.

Back to Top