On 6 March 2019, the UK data protection regulator, the Information Commissioner’s Office (ICO) convened an adtech fact-finding forum of industry stakeholders, aimed at developing its understanding of the adtech ecosystem (with a particular focus on programmatic advertising and real-time bidding) and exploring key themes raised by adtech from a data protection perspective.
It is clear that the structure of the adtech ecosystem and in particular the large number of intermediaries and service providers interspersed between advertisers and publishers gives rise to a number of compliance challenges in the context of the General Data Protection Regulation (2016/679) (GDPR) and somewhat inevitably, the ICO and other regulators have received a number of complaints alleging that organizations are in breach.
From its initial conversations with representatives across the industry, the ICO identified three key areas of interest:
- (i) Security. The ICO is interested in how the firms operating in this space have confidence and provide assurances that onward transfers of personal data between them in the context of programmatic advertising are secure, bearing in mind the speed and scale of the sharing of that data.
- (ii) Transparency. The GDPR sets out various transparency and notice requirements with which data controllers are required to comply in order to ensure that data subjects understand, amongst other things, the nature and purposes of the processing of their personal data. Bearing in mind both the number of players involved and the complexity of the processing activities carried out in this context, the ICO is interested in how and what data subjects are told about the processing of their personal data for online advertising purposes, including how accurate the information provided actually is.
- (iii) Lawful basis for processing. In order for processing to be lawful, personal data must be processed on the basis of one of six lawful bases set out in Article 6 of the GDPR, including (among others) data subject consent and the legitimate interests of the data controller. There are, however, many diverging views as to which lawful bases are appropriate (or indeed attainable) in the context of online advertising and the ICO is interested in why these differences exist.
Following the forum, Simon McDougall, Executive Director for Technology Policy and Innovation at the ICO noted “There were clearly distinct views on specific aspects. How much personal data, if any, is necessary for the system to function effectively? Could consumers ever be given enough information to understand what’s happening to their data? Is there a lawful basis for processing data that can be consistently applied across the whole ecosystem? These are complex issues, and it is unlikely that there are straightforward answers.” There was, however, “consensus in the need for improvements” and “Discussions included improvements already in train as well as more sweeping changes that could follow further down the line”.
It is clear that guidance in this area is needed both to ensure that the rights and freedoms of data subjects are protected and to provide regulatory certainty for operators in this area. Watch this space.