Many businesses in the Adtech sector have tried to minimise their data protection obligations by claiming that they do not process personal data at all, or do so only as data processors. With the advent of the General Data Protection Regulation ("GDPR"), such approaches seem increasingly untenable. Given the volume of data that is processed by Adtech businesses, and how central it is to their business model, it seems likely that the Adtech sector will face some of the toughest challenges in preparing for the GDPR.
The GDPR came into force on 24 May 2016 and will apply from 25 May 2018. It will introduce developments to a number of areas of EU data protection law that are likely to have a direct impact on the Adtech industry. The following are 5 key changes of particular relevance to the Adtech sector:
1. Personal Data
The recent Breyer case has indicated that under the existing EU data protection regime a dynamic IP address can be considered personal data (see our briefing here). However, the GDPR arguably goes even further than this as it specifically refers to the fact that individuals may be associated with online identifiers. The definition of personal data itself refers to whether a person "can be identified, directly or indirectly, in particular by reference to an identifier such as [...] an online identifier." An online identifier includes IP addresses, cookies, and other tracking technologies. It appears likely that Adtech products that allow individual user targeting will be regarded as processing personal data, even where the name of the individual is not known to the service provider.
The requirement under the existing EU data protection regime to provide notices to data subjects is further strengthened under the GDPR, with an obligation to provide additional information. This means that even Adtech companies who are compliant with current requirements will need to update their notices, never mind Adtech companies who do not have such notices in place at present. Consideration will therefore need to be given to when and how such notices will be given to data subjects.
In addition to the above, as a separate obligation, data subjects must be notified of their rights to object to certain types of processing (eg profiling, processing for direct marketing purposes and to any processing justified under the "legitimate interests" basis). These rights must be "explicitly brought to the attention of the data subject" and "presented clearly and separately from any other information", at the latest at the time of first communication with the data subject. This raises the question of whether a targeted advert displayed to a data subject will be regarded as a communication and, if so, how Adtech companies will provide the relevant notice. One potential silver lining is that the GDPR envisages that icons may be developed to simplify compliance with notification obligations. Another is that the GDPR allows for the potential for data subjects to exercise their rights to object to processing using automated technical means. The development of such an automated means of objecting to processing might present an opportunity to build in a similar automated (and unobtrusive) means of providing the relevant notices.
3. Obligations for Data Processors and Joint Controllers
Adtech companies often construe themselves (rightly or wrongly) as data processors, as under the existing EU data protection regime the burden for regulatory compliance has fallen largely on data controllers. Under the GDPR such an analysis is less attractive, as data processors have specific regulatory obligations. It is therefore likely that Adtech companies will explore whether they should be regarded as data controllers in relation to the data they collect, or potentially joint data controllers with website publishers.
The Article 29 Working Party, a grouping of the data protection regulators from around Europe, has previously issued guidance that indicates that publishers of websites that transfer data to ad network providers may act as joint controllers in respect of some of that data. Although such joint controllership situations are possible under the existing EU data protection regime, the GDPR puts such relationships on a more formal basis and introduces a requirement for joint controllers to put in place an agreement governing their processing of personal data. Such agreements will need to set out the data controllers' respective responsibilities for compliance with the GDPR, including who is responsible for providing information to data subjects and defining which activities are undertaken under joint controllership and which are not. Such agreements could be a useful tool for Adtech companies who wish to push certain obligations, such as in relation to notices, onto website publishers.
4. Security breaches
The GDPR will introduce a general mandatory notification regime in the event of personal data breaches. Data controllers will be required to report personal data breaches to their supervisory authority no later than 72 hours after becoming aware of such breach and, in some cases, will also be required to report such breaches to affected individuals (which would obviously be challenging for Adtech companies, and may instead require public announcements to be made). Adtech companies will need to ensure that they are in a position to identify and react to security breaches in a manner which complies with the requirements of the GDPR.
5. Updating Contracts Between Data Controllers and Data Processors
The GDPR introduces new requirements in relation to the provisions that must be included in contracts between data controllers and data processors. In particular, contracts will need to detail the personal data that is being processed by the data processor. As there are no grandfathering provisions that would make contracts that were compliant with the existing EU data protection regime compliant under the GDPR, a significant exercise may be required to update the data processing clauses in agreements between data controllers and data processors. In particular, Adtech companies who view themselves as operating as data processors will need to review their standard customer contracts and potentially roll out amendments to all of their customer base.