By Lou Mastria
Big Idea: EU’s GDPR is now enforceable. This panel explored how companies seek to comply with these new rules, investigate other oversight models, and help ensure responsible data use in digital advertising according to a respective country’s laws & regs.
“What are other jurisdictions doing in the realm of regulation, co-regulation, and self-regulation?” Shannon Yavorsky, partner at Venable LLP, posed the question to the panelists of “Reality Check: Does GDPR Make the Entire World Go Round?” during the Digital Advertising Alliance Summit18 - ADapt! The panel addressed the future of data-driven marketing in the wake of the European Union’s newly enforced General Data Protection Regulation (GDPR).
Julie Ford, executive director of the Digital Advertising Alliance of Canada (DAAC), described Canada’s federal privacy regulator as taking a more “proactive approach now instead of reactive.”
According to Ford, Canada is actively seeking an enforcement action against “egregious” list and data practice violations while releasing guidance documents regarding data practices and what constitutes meaningful consent. The nation also will implement federal breach requirements on November 1, 2018, in a bid to maintain its adequacy decision from the European Commission which permits the transfer of EU personal data to Canada in certain circumstances.
“[DAAC participants] have been actively involved in [the development of] those guidelines… Some member companies are here, us all being active together in advocating for industry in hopes that it doesn’t turn into an opt-in consent regime in Canada,” said Ford. “It’s still implied consent [for marketing use] right now.”
During the panel, Vatsal Asher, chief executive officer of DMAasia and DMAi [India], relayed that although India does not have its own specific privacy law, companies from the country search for innovative ways to utilize consumer data in accordance with global policies, ethics regimes and best practices.
“People are reading the systems and looking for new tools as to how they can increase conversations and engagement with consumers,” Asher said.
Photo: (left to right) Shannon Yavorsky, Partner, Venable LLP; Vatsal Asher, Chief Executive Officer, DMAasia and DMAi; Mary Teahan, President & Chief Executive Officer, Qendar, and Honorary President, AMDIA; Matthias Matthiesen, Director, Privacy & Public Policy, IAB Europe; Julie Ford, Executive Director, Digital Advertising Alliance of Canada; Andy Dale, General Counsel and Vice President, Global Privacy, SessionM; Chris Babel, Chief Executive Officer, TrustArc
GDPR’s One-Size-Fits-All is not a Fit for All Global Jurisdictions
Mary Teahan, president and CEO of Qendar and the honorary president of AMDIA, detailed GDPR’s impact on Argentina’s self-regulatory approach, and the nation’s support for innovation.
“[Argentina] took a more benevolent view of what data you could use for direct and digital marketing without consent… the GDPR plus the eventual new ePrivacy rules are really going to start to twist in the screws and I don’t think that is at all appropriate for developing countries,” she said.
In Teahan’s opinion, regulations in developing and least developed economies should be more flexible over issues of notification and consent.
TrustArc CEO Chris Babel, also questioned GDPR’s effect on developing countries. GDPR compliance requires time, effort, and energy, and many wonder if developing countries have enough resources to comply on the same level as established economies, he reported.
“How do you allow them to join the worldwide stage in a way that they aren’t severely impacted by required compliance tasks?” he said.
Unlike GDPR, Babel explained that the APEC [Asia Pacific Economic Cooperation] Privacy Framework is a more adaptable set of privacy guidance because its negotiators included representatives from a mix of economies (advanced and emerging). APEC inherently considers the sizes of countries and businesses in a way that GDPR does not.
“If you are APEC-certified, you have the EU Privacy Shield-equivalent of not needing to ask for consent to move data out of Japan and into the US,” Babel said, citing the Japanese example. “In a few years, it could rival the GDPR as a standard way of how companies deal with business” and data flows
The primary location of a company’s consumer base is another factor that can affect a business’s global data policy to comply with GDPR.
Asher reported that Indian companies which base most of their consumers and operations from the EU will “need to be compliant to the GDPR fully.” He then contrasted that with homegrown Indian companies which do not necessarily deal with the data of EU citizens as frequently. He said those might take “the best parts of GDPR and make it implementable.”
Photo: (left to right) Matthias Matthiesen, Director, Privacy & Public Policy, IAB Europe; Julie Ford, Executive Director, Digital Advertising Alliance of Canada; Andy Dale, General Counsel and Vice President, Global Privacy, SessionM; Chris Babel, Chief Executive Officer, TrustArc
The panel shifted focus toward the EU’s ePrivacy Regulation, which will eventually contour future data-driven practices. Although Matthias Matthiesen, director of privacy and public policy at IAB Europe, said he did not believe ePrivacy would shake up the world as much as GDPR, he expressed concerns.
“Are we going to be permitted to have a value exchange around data and do we get to restrict access to users who do not agree to that value exchange?” he said. “That is one thing that is under threat. That is a fundamental one.”
Matthiesen suggested that perhaps the ePrivacy Regulation will improve policies from the current ePrivacy Directive by instituting exceptions for consent regarding security and fraud prevention, among other purposes.
Privacy by Design Accrues Business Benefits, Too
Andy Dale, general counsel and vice president, global privacy, at SessionM, spoke of “privacy by design” as a necessary practice of data usage and developing marketing tools, given the new law in Europe. Speaking of GDPR, he said, “[Privacy] went from being an afterthought to being security designed by default into every single thing that the IT team did and thought about.”
According to Dale, privacy by design causes privacy professionals like himself to push for legal involvement when developing new features and products to avert potential violations. This manifests in team meetings to investigate, articulate and develop privacy impact assessments, which engages employees across companies within the interest-based advertising supply chain.
Matthiesen issued a warning: “If we don’t get it right this time around, the European Union is going to take a look and their knee-jerk reaction will be, ‘People aren’t following the law. We better make the law even stricter, or outlaw the business model altogether,” he said.
Babel, too, warned that there could be economic consequences if businesses fail to comply with the new data collection and usage policies of Europe.
“The worry is from all your business partners that are putting tremendous pressure on you,” Babel said. “You’re just not gonna get the ad buys in this space unless you can prove that you’re better than the competitor.”
Photo: (left to right) Vatsal Asher, Chief Executive Officer, DMAi; Mary Teahan, President & Chief Executive Officer, Qendar, and Honorary President, AMDIA; Matthias Matthiesen, Director, Privacy & Public Policy, IAB Europe; Julie Ford, Executive Director, Digital Advertising Alliance of Canada; Andy Dale, General Counsel and Vice President, Global Privacy, SessionM; Chris Babel, Chief Executive Officer, TrustArc
Not only are safe data practices economically relevant, but they are also critical within society, the panel agreed.
“The instability of the [digital] environment and the halo is not necessarily GDPR. It’s everything privacy,” stated Dale. “The halo is Cambridge Analytica, it’s Russia, it’s all the things that we’re seeing.”
In regard to a common global perspective, Dale said, “At this point, it would be naive to think that we’re not going to have an enhanced set of rights for data subjects all over the world.”
The key to this new age of global privacy online lies within strengthening the [digital] industry itself, in Ford’s opinion.
“Perhaps we can capitalize on [privacy news] by proving and showing and talking about the work that we all do, and differentiating ourselves from the bad actors by calling them out. This is going to be a very long journey, and we can all work together to find innovative ways to help each other comply.”