Google And IAB Europe Are Losing Data Privacy Lawsuits In The EU, But What Does It Mean? – AdExchanger

Posted: February 21, 2022 at 6:36 pm

Legal and court losses are piling up across Europe for American ad tech companies and for Google.

Turns out navigating the GDPR and last year's Schrems II decision, which invalidated Privacy Shield, the former data-sharing agreement between the US and the EU, is far from straightforward.

In January, the Austrian data protection authority (DPA) ruled that sites can't use Google Analytics if the service shuttles data back to US servers. Which Google does.

The French DPA, called the CNIL, released its own judgement last week agreeing with the Austrian DPA. One decision in Austria might be considered an outlier. But with the French CNIL, the bellwether of European data regulators, backing up Austria's ruling, this is starting to look like a consensus among European DPAs and a full-on siege of Google Analytics.

The Belgian DPA, meanwhile, ruled last week that IAB Europe's Transparency & Consent Framework (TCF), the online advertising industry's mechanism for conveying a person's consent status to use data for advertising, is illegal under GDPR. The DPA gave IAB Europe six months to rework the framework so that the IDs can be audited.

IAB Europe has appealed another part of the ruling classifying it as a data controller for the TCF, which would effectively make the trade group legally responsible for how any publisher or ad tech company uses the framework to target ads.

If the ruling stands, IAB Europe would face a huge increase in costs and legal liability.

Google Analytics under fire

Google Analytics and other web infrastructure services collect data, namely IP addresses, that are considered personal information in the EU.

But the problem in this case isn't GDPR, because the data isn't being used for targeting ads, at least per the allegation. The issue, rather, is that the data of European citizens could be transferred to American systems, and that's not okay as a result of the Schrems II ruling.

The Schrems II suit was against Facebook, but not anything to do with Cambridge Analytica or other ad targeting issues. Facebook lost the case because of Edward Snowden's NSA leaks, which revealed that the US government collects user-level information from internet services. Individuals have no idea if and when their data is collected and have no legal redress regardless.

Although someone browsing an Austrian news site may not fall under NSA surveillance, in theory, it could happen and that means the data can't be transferred at all, even if it's innocuous and collected legally under GDPR.

None of Your Business, Schrems's advocacy group, brought both of the cases against Google Analytics decided by the Austrian and French DPAs. Schrems has parallel suits in practically every European country, so more dominos are likely to fall.

"There's clearly a coordinated effort by regulators to settle on an interpretation of the law, rather than have a hodgepodge of different inter-EU standards," said Wayne Matus, co-founder and general counsel of SafeGuard Privacy, a data privacy compliance startup.

The most straightforward solution for Google Analytics is to localize data in Europe, Matus said.

But that's not the only consideration. If Alphabet localizes in response to DPA rulings it could set a tough new precedent, since Google might be able to derive greater economic benefits from globally consolidating data. There may also be technical difficulties that prevent setting up local data systems.

Even if Google Analytics kept data in Europe, however, there's still a Microsoft case from 2018 to contend with, when the company was ordered via FBI warrant to hand over email data stored in Ireland, Matus said. The lower courts disagreed, and by the time the case was argued before the Supreme Court, President Trump had signed a new law granting investigators powers to compel such extraterritorial data. The previous decision which favored Microsoft was rendered moot.

In other words, even if Google Analytics set up local data services that never transferred to the US, the data could still be compelled by warrant.

Matus said Google would still have options, like establishing an independent business in Europe that couldn't be compelled by the FBI; that trick only works on US companies.

A likelier solution is geopolitical. The problem could be resolved by a new US and EU data-sharing agreement. (The previous two, Safe Harbor and Privacy Shield, were both overturned in cases brought by Schrems.)

Consent on the ropes

IAB Europe's TCF is now working against a six-month deadline to prepare an alternative that meets the Belgian DPA's stipulations.

For one, the framework may not collect data based on legitimate interest (whereby data can be collected without a user's explicit approval, such as for fraud detection, cyber security and web infrastructure services like logging traffic). Also, TCF ID strings need to be audited for use in programmatic.

Moving away from legitimate interest is the (relatively) easy part. Publishers, consent management platforms (CMPs) and ad tech companies can simply be forthright about exactly how data will be used, rather than popping up broad cookie opt-in notices that don't explain much of anything, Matus said. Legitimate interest doesn't mean data can't be collected, just that it can't be used in any ways an individual would not have expected when they provided consent.

A more intractable problem is auditability of the TCF. After all, TCF strings are visible to any DSP bidding on any programmatic inventory within the framework, and whether there's consent to use data for targeting determines how much DSPs bid.

A rogue employee at a publisher or CMP could falsify consent data with no easy way to identify the violation in the fraction of a second before an ad is served, or even retrospectively.

Auditing the TCF seems like an impossibility.

"Let me stop you right there," Matus said. "It is 100% possible."

It's just not practical to audit OpenRTB impressions in real time, Matus said.

But the Belgian and other DPAs could still get behind the framework if supply-chain vendors (CMPs, ad tech companies and data providers) agree to audits by the IAB Europe and by advertisers within the context of a campaign. An agency or brand marketer, for example, could insist that vendors agree to transparent auditing as a prerequisite before buying through them.

The DPA wouldn't offer a six-month window and agree to work on an updated version with IAB Europe if it didn't expect to resolve the issue, Matus said. If the regulator thought it wasn't feasible, the TCF would have been ruled flat-out illegal with appeal as the only recourse.

What happens next?

It's difficult to predict how GDPR and European data privacy case law will play out.

Google is lobbying in the EU and US to allow for basic global data transfers. IAB Europe is appealing the Belgian DPA's classification of the trade group as a data controller and working with the same regulator on a potential TCF fix. Until then the framework is a bit like a cat in Schrodinger's box: we don't know if it's alive or dead, but we'll find out in six months.

One irony of these various EU suits is the different ways in which they affect the competitive digital advertising market.

For example, in addition to harmonizing European data protection laws, the GDPR was meant to empower European tech companies and publishers, which have been beholden to US tech giants. But the GDPR suits targeting the TCF are a major boon to Google. If the TCF crashes, Google's AdBuyers protocol is the only way to programmatically target ads using consent information.

And whereas the purpose of the Schrems II decision is to target US government surveillance, not crack down on anticompetitive big tech practices, it's Schrems II that could deal a major blow to Google. If Google Analytics is severely hampered in Europe, the only apparent solution will be to find a local data server system.

But European regulators are hard at work trying to get Google to change its business practices, Matus said. And if that doesn't work, they'll target Google customers. For instance, also last week, a German court levied a token fine of 100 Euros against a news publisher because Google's web-hosting service transferred IP addresses outside of the EU.

"It will start small and they'll crank up the fines," Matus said. "But this isn't stopping until the behavior stops."
