Summit Snapshot ‘18: Top Policymakers Discuss Global Data Flows for Advertising & Privacy Regulation on Different Borders

July 11, 2018

Big Idea: Two leading policymakers spoke to DAA Summit18 participants on global data flows and consumer trust, and public- and private-sector efforts to enable and bolster both objectives.

“In many ways, it feels like we’re at a data ethics tipping point in respect to the public’s trust,” said Elizabeth Denham, information commissioner of the United Kingdom’s Information Commissioner’s Office (ICO). She was featured in a video address during the DAA Summit18’s keynote policy conversation titled, “A Worldwide Marketplace for Digital Advertising Data | A Middle Road for Trade?”

Denham recognized that digital advertising funds content and services on the web relied upon by consumers, but also she noted that marketers, and regulators, have to address continued public privacy and security concerns. “It can be difficult for consumers to understand what data is being collected, who it’s being shared with, the implications this may have, and how the technology used in the digital advertising industry works,” she said.

She then clarified, “the ICO does not regulate online advertising itself; however, we do regulate data protection. So, wherever personal data is collected, measured or shared, including for advertising purposes, we have a role to play.”

DAA Summit18 - Policymaker Discussion - Photo 1

Photo: Elizabeth Denham, Information Commissioner, Information Commissioner’s Office - U.K. addressing Summit18 attendees via video from United Kingdom.

Denham: DAA’s Privacy Support Role is ‘Complementary’ to Regulatory Concerns

“The DAA has a long history of tackling cutting-edge privacy issues in ad tech and encourages industry to address consumer and stakeholder concerns,” Denham said. “Its role is complementary to that of regulators, and we turn to industry groups like the DAA to help us understand evolving business models and to take a first swing at solutions to new issues,”

GDPR, which took enforcement effect on May 25, creates new regulatory standards for handling the personal data of EU residents.

Since the law encompasses U.S. digital advertisers who touch European Union citizen data, Milo Cividanes, partner at Venable LLP and moderator of the conversation, voiced the concerns of many: how might the Federal Trade Commission (FTC) respond in light of GDPR, including its governance of “Privacy Shield,” an EU-US agreement that enables cross-border data flows between the two jurisdictions in which thousands of U.S. companies participate?

Stevenson: FTC Could Investigate Privacy Claims Made by U.S. Companies Related to GDPR Compliance

“We at the FTC do not enforce GDPR. We don’t enforce European law,” said discussant Hugh Stevenson, deputy director of the Office of International Affairs at the FTC. “When we enforce ‘Privacy Shield,’ we are not enforcing European law; we are enforcing the deal that companies make in signing up... privacy promises."  He noted that a company making specific claims related to its GDPR compliance might on the other hand face FTC liability for those claims.

Stevenson cited the ongoing assessment of the Privacy Shield Framework as an example of how the FTC will react to GDPR implementation. Providing his own opinion, Stevenson assured that the FTC will continue to secure company compliance to existing privacy promises they have made regarding U.S. citizens, rather than penalizing individuals for alleged GDPR infractions.

DAA Summit18 - Policymaker Discussion - Photo 2

Photo: (left to right) Moderator Milo Cividanes, Partner, Venable LLP; Hugh Stevenson, Deputy Director, Office of International Affairs, U.S. Federal Trade Commission.

The FTC also recognizes that self-regulation complements consumer data protection laws and protections stateside. For instance, the Council of Better Business Bureaus (CBBB) and the Data & Marketing Association (DMA) oversee independent enforcement of DAA Principles to address any privacy practice violations of DAA Principles.

“My colleague Maneesha Mithal...referred to self-regulation with teeth as being a good thing, and I think that’s a really good way of capturing it,” Stevenson said. “Through the CBBB and DMA, the self-regulatory advertising industry in the U.S. has ‘teeth’ to make regulatory principles enforceable.

“The best argument for self-regulation,” Stevenson said, “is good self-regulation... where you can point to an effective mechanism.”

The keynote conversation then addressed approaches that other U.S. trading partners are taking, and how differences in policy (self-regulation, co-regulation, regulation) affect cross-border privacy rules and data transfers.

As an example, Stevenson highlighted increasing interest in the Asia-Pacific Economic Cooperation (APEC) Privacy Framework which has taken some effect in recent years -- though he noted some economies -- and businesses -- are waiting to see the attention that the framework commands. He explained that APEC acts as a practical implementation to enable cross-border data transfers.

“If you think of Privacy Shield as a sort of one-way highway from Europe to the United States, enabling those cross-border transfers,” he explained, “APEC involves multi-point transfers between various economies.”

According to Stevenson, “we need to figure out how to get effective cross border transfers and, at the same time, effective privacy protection.” He asserted that regulators are critical in solving this dilemma through cooperative work with policymakers.

DAA Summit18 - Policymaker Discussion Photo 3

Photo: (left to right) Moderator Milo Cividanes, Partner, Venable LLP; Hugh Stevenson, Deputy Director, Office of International Affairs, U.S. Federal Trade Commission

Both Stevenson and Denham encouraged conversation between advertisers, regulators and lawmakers to help solve data, privacy, and policy issues.

Stevenson emphasized that “we [the FTC] welcome the kind of input on the kinds of issues that we are handling... I know there are many experts in the room, and we would really benefit from that kind of input.”

Denham noted how she thinks future privacy policy conversations can benefit:

“Even if we don’t always agree, we need to have a respectful, constructive and informed dialogue,” she said. “We need your assistance and expertise in ferreting out new challenges and resolving ever-pressing issues. My door is open.”

Tags:  DAA Principles, Transparency and Notice, Control and Choice, Accountability, Policymaking, Consumer Trust

The Digital Advertising Alliance acknowledges the editorial support of Jamie Monaco for this post.

Back to Top