Masters of Privacy

Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology.  Visit this episode's blog post on Masters of Privacy for a long list of references and notes.

Nick Baskett is DPO at Holland & Barrett. He has a personal interest in ethics and philosophy, encryption and AI, and he once published a book on Data Protection Impact Assessments. He was also the founder of one of the early Cyber Security consultancies in the UK (Matta). With Nick we have discussed best practices around Data Protection Impact Assessments or Privacy Impact Assessments, including their management at scale in the context of privacy operations, as well as risk assessment efforts associated with Generative AI projects.   References: Nick Baskett on LinkedIn EDPB Guidelines on Data Protection Impact Assessments ICO: Data Protection Impact Assessments (guidelines and templates) ICO: Eight questions to ask ourselves in order to manage Generative AI  

Catherine King is a content creator, moderator, enabler and instructor in the fields of data ethics and also the broader data and analytics space. She is currently global head of brand engagement at Orbition.  Catherine was recently a speaker at the Ethics in eCommerce Summit in London (put together by the Ethical Commerce Alliance) in which we coincided.  With her we have explored a more controversial and practical approach to data ethics, under the acceptance that morals reflect a particular stance in a wide range of really important social issues, rather than a universal truth applicable to all.  References: Orbition Group Catherine King on LinkedIn Ethical Commerce Alliance Courtnie Abercrombie: AI Truth and books Decoding Data Ethics to inspire concrete business decisions (Sergio Maldonado)

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording: GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union.   LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018. The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios). TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024. The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct. Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario - in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available.  CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner.  FTC enforcement actions involving the use website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom. The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions: 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent 39% are now rejecting all cookies, with 49% actively managing their consent preferences (analytics-related cookies are normally favored). The share of sites serving more than 6 third-party cookies dropped to 12% from 24%,  with 29% of all websites not serving any third-party cookies at all (vs. 20%) The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023. Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested).

Adam Klee has an impressive resume in the AdTech world, having worked at Disney, Google, NBC, Twitter, Polar, or Spotify. He is the founder of Licorice, a platform that “gives consumers the privacy they want and publishers the data they need”. Adam’s passion for solving this problem comes from both his years developing new ways to help drive better yield for publishers, and his experience as a consumer, where he thinks privacy should come standard. We are covering: Why email-based identity solutions (as an alternative to cookies) are flawed What consumers expect in the media monetization trade-off (ad blockers!) Different degrees of control and convenience, and how consent banners are the opposite of both A formula to rely on other legal bases (such as the GDPR’s legitimate interest) when no individual deduplication is involved. References: Adam Klee on LinkedIn Licorice  Licorice featured on AdExchanger: Programmatic Vets Are Behind A Wave Of New Startups Built For A Privacy-First Web Topics API (Chrome Privacy Sandbox)  

Eve-Christie Vermynck is a dual-admitted lawyer (civil law, common law) working at Skadden, Arps, Slate, Meagher & Flom. She advises clients on Cybersecurity, Privacy, IT/IP, blockchain and related topics. She is also a member of the Data Law Committee at The City of London Law Society. With Eve-Christie we are going to discuss the specific practical steps when it comes to dealing with personal data breaches in the UK or the EU. References: Eve-Christie Vermynck on LinkedIn Eve-Christie Vermynck’s full profile (Skadden) Twitter’s 2023 data breach Aftermath of the Royal Mail’s cyber-attack ICO’s guidance on personal data breaches 

As a lawyer turned entrepreneur, Dr. Mattia Fosci combines privacy and AdTech expertise. He is the founder and CEO of Anonymised, an advertising platform that helps publishers understand and monetise their audiences at scale across all browsers and devices, using only anonymous data. We have covered or touched on: The many limitations of contextual advertising and why it will not solve the most pressing issues  How ID-based alternatives are worse than cookies The manner in which browsers are exercising greater control over the open web The deafening noise in the AdTech market when it comes to cookieless solutions, and how overwhelming this is for publishers with limited technical resources The competitive issues arising from cross-site interest-based cohorts (à la Topics API in the Google Privacy Sandbox) How to get advertisers and their media agencies to dare turn their backs on a highly defective status quo - thus allowing publishers to move away from their own mouse wheel.  References: Mattia Fosci on LinkedIn  Mattia Fosci on Twitter Anonymised  

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies:  Spain’s AEPD issued a decision on the use of Google Analytics by the Royal Academy of Spanish Language (“RAE”), becoming the first EU Data Protection Agency to see the glass half full in the use of the widespread digital data collection service (having been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling - and in this regard aligned with the CNIL’s long-standing guidelines for the valid use of the tool. At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NS2 Directive (or v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to “essential sectors” (such as energy, banking, health, or digital infrastructure). Across the Channel, the UK’s Data Protection Agency (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either such tool or the guidelines provided by the European Data Protection Board will be considered valid.  Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope to agree on a common approach in the face of multiple NOYB complaints across the EU) and the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the “Reject All” button in a second layer - which most notably leaves Spain’s AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on second layer; b) a reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies. The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and getting many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale.  All of which can easily lead us to the latest update on the EU-US Data Privacy Framework: The EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the data protection review court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it with the hope of issuing an adequacy decision by July 2023. This would do away with all the headaches derived from the Schrems II ECJ decision (including growing pressure to store personal data in EU-based data centers), were it not for the general impression that a Schrems III challenge looms in the horizon. In the United States, long-awaited new privacy rules in California (CPRA) and Virginia (CDPA) entered into force on January 1st. Although both provide a set of rights in terms of ensuring individual control over personal data being collected across the Internet (opt-out, access, deletion, correction, portability…), California’s creates a private right of action that could pave the way for a new avalanche of privacy-related lawsuits.In any case, only companies meeting a minimum threshold in terms of revenue or the amount of consumers affected by their data collection practices (both of them varying across the two states) will have to comply with the new rules. Lastly, Privacy by Design will become ISO standard 31700 on February 8th, finally introducing an auditable process to conform to the seven principles originally laid out by Anne Cavoukian as Ontario(Canada)’s former Data Protection Commissioner.    Enforcement updates It’s been interesting to see how continental Data Protection Agencies (“DPAs”) keep milking the cow of the ePrivacy Directive’s lack of a one-stop-shop for US or China-based Big Tech giants. The long-awaited ePrivacy Regulation never arrived to keep this framework in sync with the GDPR (which does have a one-stop-shop), and this leaves an opening for any DPA to avoid referring large enforcement cases involving such players to the Irish Data Protection Commissioner (“DPC”) whenever cookie consent is involved. This criterion has been further strengthened by the recent conclusions of EPDB cookie banner task force. Microsoft was the last major victim of this particular gap (following Meta and Google), receiving a 60-million euro fine from France’s DPA (CNIL), which shortly after honored TikTok with a 5m euro fine (once again, due to the absence of a “Reject All” button on its first layer - or “not being as easy to reject cookies as it is to accept them”) and, not having had enough, went on to give Apple an 8m euro fine for collecting unique device identifiers of visitors to its App Store without prior consent or notice, in order to serve its own ads (which is akin to a cookie or local storage system when it comes to article 5.3 of the ePrivacy Directive).  The CNIL ePrivacy-related enforcement spree did not stop short at Big Tech. Voodoo, a leader in hyper-casual mobile games, was also a target, receiving a 3 million euro fine for lack of proper consent when serving an IDFV (unique identifier “for vendors”, which Apples does allow app publishers to set when IDFA or cross-app identifiers have been declined via the App Tracking Transparency prompt).  Putting the ePrivacy Directive aside, and well into pure GDPR domain, Discord received a 800k euro fine (again, at the hands of CNIL) on the basis of: a) a failure to properly determine and enforce a concrete data retention period; b) a failure to consider Privacy by Design requirements in the development of its products; c) accepting very low security levels for user-created passwords; and d) failing to carry out a Data Protection Impact Assessment (given the volume of data it processed and the fact that the tool has become popular among minors).  And yet, one particular piece of news outshined mostly everything else in this category: Ireland’s DPC imposed a 390 euro fine on Meta following considerable pressure from the EDPB for relying on the contractual legal basis in order to serve personalized advertising - itself the core business model of both social networks. We had a debate on the matter with Tim Walters (English) and Alonso Hurtado (Spanish) on Masters of Privacy, and published an opinion piece on our blog.  This last affair is a good segue into Twitter’s latest troubles. Its new owner, Elon Musk, not content with having fired key senior executives in charge of EU privacy compliance (including its Chief Privacy Officer and DPO), has suggested that he will oblige its non-paying users to consent to personalized advertising. The Irish DPC (once again, in charge of its supervision under the one-stop-shop rule) asked Twitter for a meeting in the hope to draw a few red lines.  Meanwhile, the Spanish AEPD, still breaking all records in terms of monthly fines, sanctioned UPS (70,000 euros) for handing out a MediaMarkt (consumer electronics) delivery to a neighbor, thus breaching confidentiality duties. This will have a serious impact on the regular practices of courier services in the country.  Back in the United States, Epic Games and the FTC agreed to a $520m fine for directly targeting children under the age of 13 with its Fortnite game (a default setting that allows them to engage in voice and text communications with strangers has made it worse), as well for using for “dark patterns” in in-game purchases. Separately, in what we believe it is a first case of its kind, even in the EU (with the ECJ FashionID case possibly being the closest we have been to it). Betterhelp has received an FTC $7,8m fine for using the Facebook Lookalike Audiences feature (and alternative offerings in the programmatic advertising space, including those of Criteo, Snapchat or Pinterest) to find potential customers on the basis of their similarity with the online mental health service’s current user base. This involved sensitive data and follows repetitive disclaimers by Betterhelp that data would in no case be shared with third parties.   On the private lawsuits front (especially important in the US), Meta agreed to pay $725m after a class action was brought in California against Facebook on the back of the ever-present Cambridge Analytica scandal. Also, the Illinois Biometric Information Privacy Act (BIPA) kept putting money into the pockets of claimants and class action lawyers, in this case forcing Whole Foods (an upscale organic food supermarket chain owned by Amazon) to settle for $300.000 - we have previously previous cases against TikTok, Facebook or Snapchat, albeit it was the monitoring, via “voiceprints”, of its own employees (rather than its customers) that triggered this particular lawsuit. Legitimate Interest strikes back  To finish with this section, very recent developments justify turning our eyes back to the UK and the EU as there is growing momentum for the acceptance of the legitimate interest as a legal basis for purely commercial or direct marketing purposes:  While the CJEU decides on a question posed by a Dutch court in January, in which the DPA issued a fine to a tennis association for relying on legitimate interest to share member details with its sponsors (who then sent commercial offers to them), a UK court (First-Tier Tribunal) has ruled against the ICO (UK DPA) and in favor of Experian (a well-known data broker) for collecting data about 5.3m people from publicly available sources, including the electorate register, to build customer profiles and subsequently selling them to advertisers. Experian has relied on legitimate interest and found it too burdensome to properly inform every single individual (this being the ICO’s main point of contention). The decision does appear to indicate that using legitimate interest would not be possible if the original data collection had been based on consent, but even this is not entirely clear. So, just to make it even more clear and simple, the UK Government presented a new draft of a new UK Data Protection Bill on March 8th that includes a pre-built shortcut to using legitimate interest without need for the so-called three part test (purpose, necessity, balancing). Data controllers can now go ahead with this legal basis if they find their purpose in a non-exhaustive list provided - which includes direct marketing.  Competition and Digital Markets Google was sued by the Department of Justice for anti-competitive behavior in its dominance of the AdTech stack across the open market (or the ads that are shown across the web and beyond its own “walled gardens”), using its dominance of the publisher ad server market (supply side) to further strengthen its stranglehold of the demand side (advertisers, many of them already glued to its Google Ads or DV360 platforms in order to invest in search keywords or YouTube inventory) and, worse, artificially manipulating its own ad exchange to favor publishers at the expense of advertisers - thereby reinforcing the flywheel, as digital media publishers found themselves with even less incentives to work with competing ad servers.  Zero-Party Data and Future of Media (The piece of news below obliges us to combine both categories this season) The BBC has rolled out its own version of SOLID pods to allow its own customers to leverage their own data (exported from Netflix, Spotify, and the BBC) in order to obtain relevant recommendations while staying in full control of such data. Perhaps a little step towards individual agency, but a giant one for a digital media ecosystem mostly butchered by the untenable notice-and-consent approach derived from the current legal framework - which takes us back full circle to Elizabeth Renieris’ new book.  

Nicola Newitt is a UK qualified lawyer who trained in private practice and worked at Slaughter and May before moving in-house to start her privacy career in Bupa’s international health insurance business. She is now Senior Privacy and Product Counsel at InfoSum, a leading Data Clean Room. With Nicola we have covered a very hot topic for anyone in the Marketing Technology or AdTech spaces. Our discussion included the following questions: Who’s the controller and who’s the processor in a Data Clean Room scenario? Do we have a joint controllership when for instance a publisher or a retailer partners with a consumer brand? Which legal basis do we rely on for each of its three main use cases? Can different options at data activation level alter our legal approach or safeguards? How does an independent Data Clean Room compare to a Walled Garden Clean Room from a privacy point of view? References: InfoSum documentation FashionID case EDPB Guidelines on targeting of social media users EDPB Guidelines on the concept of controller and processor Experian vs. Information Commissioner’s Office  

Joana is Partner at Cuatrecasas, where she leads the Technology, Media and Telecom team. She has also worked for 3 years at ANACOM, Portugal's telecom and media regulator and one of the two supervisory authorities when it comes to the ePrivacy Directive in Portugal, the other being the Portuguese Data Protection Authority. Besides being fully versed in the opportunities presented by blockchain technologies, and having advised startups in the crypto space, Joana is co-author of the chapters on Portugal in The Privacy, Data Protection and Cybersecurity Law Review, 7th Edition (2020) as well as other relevant publications and I was happy to find out that she is also a Queen Mary’s University alumni (as I am myself).  With Joana we will cover: Challenges of decentralized technologies in the management of personal information The web3 opportunity for increased individual agency and control Specific issues: right to be forgotten, international data transfers, roles (who is a data controller?), data breaches The European Digital Identity References: Joana Mota Agostinho on LinkedIn Chris Topalis (2021): Web3 & DAOs, What are they? Elizabeth Renieris (2019): Forget erasure. Why blockchain is really incompatible with the GDPR Introduction to the European Digital Identity initiative