Held in Milan on 23-24 May, IAB Europe's annual two-day conference Interact 2018 featured a training by Matthias Matthiesen, Director Public Policy & Privacy, and Chris Hartsuiker, Public Policy Officer, IAB Europe. Which provisions of the General Data Protection Regulation are the most relevant to digital publishers and advertisers? What is the guidance of the European Data Protection Board (formerly the Article 29 Working Party) on these topics? This training session, provided by IAB Europe, gives insight into applying the GDPR to the digital advertising supply chain.
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers
1. GDPR for Digital Publishers,
Digital Agencies, and
Advertisers
Matthias Matthiesen
Director, Privacy & Public Policy
Chris Hartsuiker
Manager, Privacy & Public Policy
May 23rd, INTERACT 2018 Milan
2. Territorial Applicability
• You are a controller or processor established in the EU: the GDPR applies to you.
• You are a controller or processor outside of the EU: the GDPR applies if
• you monitor the behaviour of people in Europe, or
• you offer goods and services to people in Europe.
3. Even if the GDPR technically doesn't apply to YOU…
• Partners might be in scope; they will have to know whether it is safe for them to send data to your company.
• Countries outside of the EU/EEA are 'third countries' under the GDPR. Transferring personal data to a company in a third country is an 'international data transfer', which is only allowed if there is a valid transfer mechanism (e.g. an adequacy decision or standard contractual clauses).
6. Personal Data
If an individual can be singled out by data, that data is personal data (e.g. a unique cookie ID, or a mobile advertising ID such as AAID/IDFA).
7. Personal Data
[Diagram: an online service sees only the IP address 94.225.47.200. The Internet Service Provider can map that address to a subscriber ("Matthias Matthiesen, on Friday, 22 April 2016, 9:15 AM"). The online service cannot do this itself, but can obtain the same mapping through legal means (a court order) against the ISP.]
If data can be re-identified, whether by the controller or by another entity (here, the ISP, reached through a court order), that data is personal data.
8. Personal Data
• Information related to an
identified or identifiable
natural person.
• Identifiers, such as a name,
number, location, online ID, or
one or more factors specific to a
natural person.
• IP address, cookie ID, RFID
tag, especially when combined
with profiles.
10. This far-reaching effect is completely
intentional.
• The GDPR is the latest and
potentially greatest example of what
is known as the “Brussels effect”.
Illustration by Sara Gironi Carnevale
for POLITICO Europe
12. ePrivacy Directive
• Storing information, such as cookies, or accessing information stored on a user's device generally requires consent.
• Unless "strictly" technically necessary for the provision of the service requested by the user, e.g. shopping cart cookies.
NB: The ePrivacy Directive (2002/58/EC, last amended in 2009) is existing law, not to be confused with its proposed replacement, the ePrivacy Regulation.
14. ePrivacy rules after GDPR
[Diagram: the ePrivacy consent requirement points to "GET CONSENT AS DEFINED BY GDPR".] The ePrivacy consent requirement stays in place, but "consent" now means consent as defined by the GDPR.
15. Hierarchy ePrivacy and GDPR
[Diagram: two boxes. "Storing/accessing data on device" → consent (ePrivacy). "Processing personal data" → a GDPR legal basis.]
• Collection of data over the internet generally requires consent because of ePrivacy.
• Processing of personal data requires a GDPR legal basis, e.g. consent or legitimate interest.
• Where both apply at the same time, the more specific consent rule of ePrivacy prevails.
16. Consent
• Consent is a statement or clear affirmative action signifying agreement to the processing of personal data. It must be
• freely given, specific, informed and unambiguous.
• Controllers must be able to demonstrate that the data subject has consented to the processing of their personal data.
• Consent must be revocable at any time. Revoking consent must be as easy as granting consent.
17. Consent
• Consent ≠ silence/inactivity
• Consent ≠ freely given if inappropriately bundled with other matters
• Consent ≠ freely given if inappropriately made a condition of the service
• Consent ≠ freely given in situations of "power imbalance"
• Which affirmative actions can convey consent?
• Choosing technical settings (which)?
• Further browsing?
• Clicking a link?
• Highlighting text?
• Informed = purpose & controller disclosed
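An added example, not from the slides or from IAB Europe, of how the two rules above translate into code on a site: storage on the device is gated behind consent (the ePrivacy rule), and that consent is only accepted when it meets the GDPR shape (clear affirmative action, controllers and purposes disclosed, logged so it can be demonstrated, withdrawable with one call). The purpose names, the cookie name to purpose mapping, the controller names and the timestamps are assumptions constructed for the illustration.

```javascript
// Added illustration of the consent gate the slides describe. Example code
// written for this page, not IAB Europe's or any CMP's implementation; the
// purposes, cookie names, controller names and timestamps are constructed.

// Purposes a user can consent to. "necessary" is deliberately absent:
// storage strictly necessary for the requested service (the slide's
// shopping-cart example) is exempt from the ePrivacy consent rule.
const CONSENTABLE_PURPOSES = new Set(["analytics", "advertising"]);

// Constructed mapping of cookie names to the purpose they serve. Names not
// listed here are unknown and refused (fail closed).
const COOKIE_PURPOSE = {
  session_id: "necessary",   // keeps the user logged in
  cart: "necessary",         // the slide's own example of an exempt cookie
  site_stats: "analytics",   // constructed analytics cookie
  ad_id: "advertising",      // constructed ad-targeting cookie
};

class ConsentRecord {
  constructor() {
    this.granted = new Set();
    // Audit trail the controller can use to demonstrate consent: which
    // purposes and controllers were disclosed, by which action, and when.
    this.log = [];
  }

  // Only a clear affirmative action counts. Silence, defaults, scrolling or
  // continued browsing are refused here rather than trusted from the caller.
  grant({ purposes, controllers, action, at }) {
    const passive = new Set(["silence", "scroll", "further-browsing", "default"]);
    if (!action || passive.has(action)) {
      throw new Error(`"${action}" is not a clear affirmative action`);
    }
    // "Informed" means purposes and controllers were disclosed.
    if (!Array.isArray(controllers) || controllers.length === 0) {
      throw new Error("consent is not informed: no controller disclosed");
    }
    for (const p of purposes) {
      if (!CONSENTABLE_PURPOSES.has(p)) throw new Error(`unknown purpose ${p}`);
      this.granted.add(p);
    }
    this.log.push({ event: "grant", purposes: [...purposes], controllers, action, at });
  }

  // One call, no extra conditions: revoking must be as easy as granting.
  withdraw(purposes, at) {
    for (const p of purposes) this.granted.delete(p);
    this.log.push({ event: "withdraw", purposes: [...purposes], at });
  }

  allows(purpose) {
    return purpose === "necessary" || this.granted.has(purpose);
  }
}

// Gate in front of the storage API (document.cookie, localStorage, ...).
// Returns true if the value was stored, false if it was refused.
function setCookie(jar, consent, name, value) {
  const purpose = COOKIE_PURPOSE[name];
  if (purpose === undefined || !consent.allows(purpose)) return false;
  jar[name] = value;
  return true;
}

// After a withdrawal, data already on the device for that purpose must go
// too. Returns the names that were removed.
function purgeRefused(jar, consent) {
  const removed = [];
  for (const name of Object.keys(jar)) {
    const purpose = COOKIE_PURPOSE[name];
    if (purpose === undefined || !consent.allows(purpose)) {
      delete jar[name];
      removed.push(name);
    }
  }
  return removed;
}

// Lifecycle: before consent, after consent, after withdrawal.
function lifecycleDemo() {
  const jar = {};
  const consent = new ConsentRecord();
  const before = {
    cart: setCookie(jar, consent, "cart", "3 items"),
    ad: setCookie(jar, consent, "ad_id", "constructed-id"),
  };
  consent.grant({
    purposes: ["advertising"],
    controllers: ["Example Publisher", "Example Ad Network"], // constructed
    action: "click:accept-advertising",
    at: "2018-05-25T09:15:00Z",
  });
  const afterGrant = setCookie(jar, consent, "ad_id", "constructed-id");
  consent.withdraw(["advertising"], "2018-05-26T09:15:00Z");
  const purged = purgeRefused(jar, consent);
  const afterWithdraw = setCookie(jar, consent, "ad_id", "constructed-id");
  return { before, afterGrant, purged, afterWithdraw, jar, log: consent.log };
}

// A passive signal must be rejected, not silently treated as consent.
function passiveSignalRejected() {
  try {
    new ConsentRecord().grant({
      purposes: ["analytics"], controllers: ["Example Publisher"],
      action: "further-browsing", at: "2018-05-25T09:16:00Z",
    });
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(lifecycleDemo(), null, 2));
  console.log("passive signal rejected:", passiveSignalRejected());
}
```

The design choice worth noting is that the gate fails closed on unknown cookie names and that withdrawal both blocks new writes and purges what is already on the device; a gate that only stops future writes leaves the identifier in place and the tracking continues.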
22. Quick Recap:
• GDPR applies based on territory (everywhere is Europe).
• Personal data covers a huge number of types of data (when in doubt: it's personal data).
• Processing personal data is only lawful with a legal basis (consent, legitimate interest).
24. Data Subject Rights
• The right to access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decisions, including profiling,
with legal or significant effects
25. Profiling & Automated Decision Making
• Profiling is automated processing that analyses or predicts a person's preferences, interests, behaviour, etc.
• It must be justified through one of the legal bases, e.g. consent or the legitimate interests of the controller.
• Where an automated decision, including profiling, has legal effects or similarly significantly affects a user, it is regulated more strictly.
• Outside the narrow exceptions (necessity for a contract, or authorisation by EU or Member State law), such a decision can only be justified through the explicit consent of the user.
26. Profiling & Automated Decision Making
• Automated review of credit applications
• Automated recruitment practices, e.g. candidate selection through an algorithm
28. So what can I do if I’m not ready for
GDPR day on Friday?
1. Determine whether the GDPR applies.
2. Take stock of all data processing activities.
3. Conduct impact assessments.
4. Create a compliance roadmap.
5. Appoint a DPO.
6. Get help, engage with industry, stay informed.
7. Help others.