Showing posts with label personalized advertisements. Show all posts

Monday, 22 November 2021

European Data Protection authorities speak up on targeted advertisement

 Dear readers, 

this is a teaching-intensive autumn across European universities - with all the excitement, uncertainty and overall strains of being mostly back in class after over a year of mostly living room lecturing. 

This, however, should not mean that we let crucial developments go unnoticed: last week, in fact, the European Data Protection Board (EDPB) issued its most resolute opinion yet on the matter of privacy and behavioural tracking. Cookies, in other words - a staple not only of many people's secret kitchen stashes but also of equally elusive locations on our devices.

The opinion was issued as a comment on the Commission's Digital Services Act, which according to the Board should be brought more clearly in line with data protection rules. Couched among guidelines and standpoints on a number of highly salient issues - from counterterrorism to face recognition AI - the EDPB has called for

1) considering a phase-out of targeted ads based on "pervasive tracking";

2) in any event, prohibiting targeted ads addressed at children.   

The opinion does not expand on the reasons for this standpoint, but mainly refers to previous positions contained in comments on the DSA by the European Data Protection Supervisor (EDPS) and the European Parliament. In fact, criticism of the current rules' focus on informed consent has been around for the better part of the past decade at least (see, for a classic, Frederik Borgesius).

The European Data Protection Board is composed of representatives from the national data protection authorities. As a collective body mirroring positions in the Member States, its position can perhaps have more sway than the occasionally more principled stances of the EDPS.

Wednesday, 30 January 2019

More bad news for Google on the data protection front: Polish NGO files a complaint

Last week we reported on a decision of the French Data Protection Authority - the CNIL - imposing a €50 million fine on Google for alleged infringement of the European data protection rules. This, however, does not seem to be the end of Google's headaches. Earlier this week, a Polish NGO - Panoptykon - filed a complaint against the company with the President of the national Personal Data Protection Office.

Besides the complaints' addressee, the two cases do not seem to have much in common. As a matter of fact, Google is not the only entity against which Panoptykon complained. A separate complaint was lodged against IAB Europe, an industry association in the field of interactive marketing. Both complaints concern the functioning of the market for online behavioural advertising, in which, according to Panoptykon, IAB and Google are key players.

The developments in Poland are a direct follow-up to the two complaints lodged last September in Ireland and the UK by Brave ("a privacy-focused web browser" set up by Mozilla's co-founder Brendan Eich) and Open Rights Group. Their focus remains on the real-time bidding (RTB) system used in the advertising market, which the applicants believe infringes the General Data Protection Regulation on at least several counts (for a rough explanation of the system see a video uploaded by... the IAB itself; further reference can be made to a report by Johnny Ryan of Brave). Key arguments of the complaining organisations concern the lack of a valid legal basis, including for the processing of sensitive data, failure to ensure data security, and the lack of appropriate control tools for data subjects (e.g. to verify and correct their marketing profiles).

Not surprisingly, Panoptykon's campaign has met with animated reactions. The President of IAB Poland drew a parallel to complaining against "a car producer for [producing cars] having technical abilities of breaking traffic rules, like exceeding speed limits or parking in restricted areas". He recalled the Transparency & Consent Framework created by the association with the aim to "help the businesses [involved in the ecosystem] to comply with applicable law". He also insisted that the RTB system is by no means "directed" by IAB Europe. Panoptykon, on the other hand, described the association as a "standard-setter" who, sticking to the traffic metaphor, "laid down the rules to be followed on its private roads in a way that makes it impossible to drive safely". 

All eyes are now on the Polish DPO, who is widely regarded as an expert in the field. Panoptykon encourages the authority to engage in a joint operation with its British and Irish counterparts based on Article 62 of the GDPR. Thus, similarly to the French proceedings, the case discussed here seems like an important test for the GDPR's procedural framework.


Monday, 21 January 2019

€50m fine imposed on Google by the French DPA

Just several days ago we reported on two opinions of Advocate-General Szpunar in cases involving the French data protection authority - Commission for Information Technology and Civil Liberties (CNIL) - and the US digital giant Google. We mentioned that both cases concerned the interpretation of the Data Protection Directive, the predecessor of the currently applicable General Data Protection Regulation. Earlier today the CNIL issued yet another decision, once again directed against Google, this time blazing the trail for the application of new data protection rules.

The decision, imposing a 50 million euro fine on GOOGLE LLC, is bound to raise both substantive and procedural questions. Unlike previous cases, which primarily focused on the right to be forgotten, the decision issued today concerns the alleged "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization". Indeed, the GDPR has further specified the data controllers' transparency obligations, the requirements for valid consent and the data subjects' information rights, and has backed them by effective sanctions. The emerging case practice clearly illustrates the growing importance of data protection law for the protection of consumer interests in the digital age. The GDPR-based complaint filed by several European consumer organizations concerning Google's practices of location tracking, on which we reported last November, further exemplifies this trend.

On the procedural side, the question may arise whether the French DPA was at all competent to deal with the case considering the "one-stop-shop mechanism" introduced by the GDPR. The CNIL seems to argue that the mechanism was not applicable in the present case due to the lack of Google's main establishment in the EU. Considering the growing interest in the company's data processing practices across the European jurisdictions, Google's appeal against this finding would be anything but surprising (update: an appeal has in the meantime been confirmed). Incidentally, in the 'location data' case, the respective complaint had been lodged with the Norwegian DPA, highlighting the relevance of the matter for the whole EEA.

Full text of today's CNIL decision (in French) can be consulted here.