What’s needed now, next and later for clients to prepare for global digital advertising privacy & security compliance starting January 2023 – PART 2

October 3, 2022 — by James Kerr    

PART 2 – EU, UK 

This PART 2 of our client privacy newsletter is filled with information to help our MediaMath clients prepare for multiple changes coming in global privacy laws in 2023. Part 1 focused on preparation for compliance with 5 new US State Laws, some of which are in force from 1 January 2023. This Part 2 is focused on EU GDPR requirements and, most importantly, international data transfer requirements.

EU 

GDPR & E-Privacy 

Relatively stable; however, what we are now seeing is privacy activists testing the boundaries of the legislation, successfully claiming against “Big Tech”. This naturally percolates through the industry.

IAB EU TCF: At MediaMath, we have been at the forefront of integrating privacy into our technology. As an example, we were an author of initial specs to the IAB’s TCF (The Consent Framework), which is key to standardizing how a legal basis, such as consent for personalized ads, could be conveyed to all parties.
 

Proceedings between the IAB and the Belgian Data Protection Authority (APD) have been heard by the Market Court (which is part of the Brussels Court of Appeal). For background on the origins of these proceedings please refer to our blog post here. On 7 September 2022 an interim ruling was handed down referring preliminary questions to the Court of Justice of the European Union (CJEU). The exam questions: how the concept of data controllership in the GDPR is to be interpreted in this case (is the IAB an independent controller?) and whether the TC string (the string of code containing user preferences) is, in and of itself, “personal data”. No trifling matters there!

There are positives and negatives from this interim ruling. Proceedings are unlikely to be concluded until late 2023 or even into 2024, creating a limbo period. IAB are clarifying that the hiatus in Market Court proceedings also means a stay on enforcement of the APD’s decision until the appeal is concluded. MediaMath assumes so. The key benefit as we see it is that views will be taken from all European regulators as well as the involved parties. That should result in consensus on the fundamental questions at stake, much like the CJEU’s determination on IP address as personal data. Expect much discussion over the next 12 months but be assured we will keep you up to date.

You can read the IAB’s update on the ongoing proceedings here. 

UK GDPR 

Following the UK’s exit from the European Union, the UK Government has transposed the GDPR into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom.

The changes set out in the Data Protection and Digital Information Bill, July 2022, range from relatively minor adjustments to significant legal changes. The intent seems clear: create separation from previous and future EU interpretation of laws and regulations, putting the interests of the UK first. The resulting legislative framework for UK citizens is the Data Protection Act 2018 and a slimmed-down GDPR. The separation may also result in data protection adequacy status being revoked by the EU. We will see.

We could dedicate an entire newsletter to the UK GDPR v EU GDPR analysis but we shall resist the temptation: instead, it is worth focussing on two aspects which may have an impact in industry. 

The Purpose Limitation Principle has been broadened, with legal tests to determine compatibility with new uses of data collected. Furthermore, legitimate interest is very much at the forefront (which is interesting in the light of the APD’s view on legitimate interest in AdTech, shared by many EU regulators). Certain data processing activities have been deemed to meet the legitimate interest balancing test, meaning no requirement for a legitimate interest assessment. In summary, the changes aim to facilitate business, putting UK interests first. Noble causes, but at odds with European counterparts.

Read More: U.K: Some nice training videos and materials for businesses to use from the ICO UK here. 

EU SCCs vs Privacy Shield 

MediaMath certifies to Privacy Shield but does not use this as a transfer mechanism for the time being.  

Standard Contractual Clauses (SCCs)/UK International Data Transfer Agreement 

It is no longer possible to simply “paper” a data transfer: before any transfer is carried out, transfer impact assessments are required. You, as our clients, have a right to expect these are done when we act as custodians of your consumers’ personal data and we take that responsibility seriously. We welcome the changes that came out of the Schrems II case, as it is absolutely right that data exporters consider not just the recipient of data but the destination of that transfer.

In the UK, the EU’s (perceived) restrictive data transfer position has been replaced by a more flexible approach. Data exporters can pick ’n’ mix from Adequacy Regulations, UK SCCs, UK Binding Corporate Rules, or derogations for special situations. UK SCCs are likely to be the preferred method (they are for MediaMath), and both the guidance and templates issued by the ICO are very user-friendly. Bravo, ICO. You can take a look for yourselves here.

“Direct Marketing” gets some consideration under the Privacy and Electronic Communications (EC Directive) Regulations, referred to as PECR. The use of cookies without consent has broadened, which yet again is at odds with the European disposition. Marketeers may rejoice: however, the complexity of dealing with jurisdictional differences for global businesses is significant and at the forefront of MediaMath’s privacy team given our position as a leading global DSP. We believe that to be a strong USP for our clients and partners.

WHAT’S NEXT? MediaMath Legal & Compliance will be reaching out and following up with further information on the new contractual requirements as a result of data transfer requirements of the EU and UK.

WHAT ABOUT COOKIES VS IDENTITY SOLUTIONS? 

This privacy laws briefing is focused on upcoming privacy laws and contractual and technical solutions. The information is generally applicable to all data defined as “personal data” or “personally identifiable information”, covering the collection, processing and transfer of existing identifiers such as cookies and MAIDs and also of new ID solutions, both probabilistic and deterministic. We do not discuss the pros and cons of any of these technologies in this article.

Watch This Space 

Much of what happens in the privacy space in industry is reactive in response to legislation, but it is also worth keeping an eye on the more innovative aspects on the horizon. One such area is the meeting of the G7 on “Data Free Flows with Trust”. As a global business we are very much for alignment across jurisdictions, especially where initiatives have trust and transparency at their core. MediaMath will certainly follow this one closely and keep you updated as things progress. You can dive into the detail here.

The EU courts have backed the antitrust fine against Google, albeit at a lower amount (that amount still being in excess of 4.1Bn Euro). This could pave the way for class action claims, and with the Digital Markets Act soon coming into force it is clear that there are increasing market restrictions on how Big Tech operates.

MediaMath will focus on the APAC region in further updates but, just to show that the focus on Big Tech is not just in Europe, it is worth noting that South Korea’s DOA has fined Google and Meta a combined 100Bn won ($72m) for tracking consumers’ online behaviour without consent and using their personal data for targeted advertising. An appeal is likely. Watch This Space. Read more about the fines here.

DISCLAIMER: Please note this article is for informational purposes only and does not constitute legal advice. Clients should consult their own legal advisors about their specific compliance requirements.

James Kerr

Senior Counsel and DPO for EMEA and APAC

James is a senior counsel at MediaMath and is Data Protection Officer for the EMEA and APAC regions. James is a qualified solicitor and practices in England & Wales, also being on the solicitors roll in Ireland. James has a background in technology, having led outsourcing projects both private and public sector, and both client and supplier side. James is responsible for privacy aspects in MediaMath’s client, partner and supplier engagements as well as ensuring MediaMath’s compliance with privacy laws.