How privacy activists are fighting on multiple fronts to strengthen EU privacy laws that will have a global impact

Posted on Nov 12, 2020 by Glyn Moody

This blog frequently covers the world of EU data protection because it is that region of the world that leads the way in regulating digital privacy, just as the US leads the way in terms of digital technology. And as technological developments in the US have major implications around the world, so too does the state of privacy law in the EU. The main pillar of data protection law there is the GDPR, with the new ePrivacy regulation, still being discussed, likely to take its place alongside it as the next most important legislation in this area. EU laws may provide the framework, but it is the tireless efforts of privacy activists that are helping to define what that means in practice.

The best known of these is the Austrian privacy expert Max Schrems, whose work has seen both the Safe Harbor and Privacy Shield frameworks for sending EU personal data to the US struck down as invalid, with major implications for data protection in the EU and US. One of Schrems’ continuing battles is with Facebook – and the Irish Data Protection Commission (DPC), which refuses to enforce the GDPR properly, he says. Rather than conclude its main investigation into Facebook, the DPC wants to start a completely new one, but Schrems has obtained a temporary legal stay to prevent that move.

Schrems isn’t the only privacy campaigner unhappy with DPC’s foot dragging. Johnny Ryan, currently Senior Fellow at the Irish Council for Civil Liberties, and Open Markets Institute, has been fighting against real-time bidding (RTB) for years, and sees the Irish DPC’s inaction as a big part of the problem. A similar battle is being waged in the UK. There, the Information Commissioner’s Office (ICO) is being sued by privacy campaigners at the Open Rights Group for failing to stop “unlawful practices” by the online ad industry – real-time bidding. This follows an initial complaint to the ICO in September 2018 by Johnny Ryan, Jim Killock, executive director of the Open Rights Group, and Michael Veale, a lecturer in digital rights and regulation at University College London.

Ireland and the UK aren’t the only countries whose data protection authority is evaluating RTB: there has been an important development in Belgium, too. As the Wall Street Journal reported, the real-time bidding process

constitutes an illegal data breach under Europe’s General Data Protection Regulation, investigators at the Belgian data-protection authority wrote in a new internal report viewed by The Wall Street Journal. The report focuses on the European arm of the Interactive Advertising Bureau, an online ad trade group that the investigators said is responsible for how its member companies buy, sell and use individuals’ data in digital ad transactions.

At the moment, this is just a report, which has been forwarded to the agency’s “litigation chamber”. The latter will consider the case and then issue its decision – a process that could take some time. The Belgian agency will also consult the other data protection agencies around the EU, since the ruling potentially would apply across the region. Ultimately, what will be needed is a consistent EU view on things like RTB; what we are seeing now are the first steps towards that, mostly thanks to prodding of the authorities by digital rights activists.

Meanwhile, the EU’s top court, the Court of Justice of the European Union (CJEU), has just issued a ruling that looks at a small but important aspect of privacy: pre-ticked boxes. These are often used online in order to obtain rapid and at times almost unconscious consent to allow the use of personal data. In a case concerning a telecom company, the CJEU found that:

a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent to that collection and storage, where the box referring to that clause has been ticked by the data controller before the contract was signed

This is similar to a case that Privacy News Online wrote about last year, where the CJEU ruled that pre-ticked boxes for cookies are not valid for consent. Those judgments are potentially important for another Schrems case that was filed two years ago the minute – literally – that the GDPR came into operation. It concerns “forced consent“, a technique commonly employed by Web sites. These essentially offer two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. That goes against the spirit of the GDPR, which is about empowering the user. If visitors to a Web site must consent to online tracking, then clearly the GDPR is ineffectual.

If Schrems wins this case, as seems quite likely, the impact on online advertising will be significant. But it will not be disastrous, despite what the publishing and advertising industries claim. It would simply require a pivot from intrusive micro-targeted advertising based on surveillance to a contextual approach that has in any case been successfully used by physical publications for a hundred years. If the CJEU does rule in favor of Schrems, it would be yet another example of EU – and probably global – privacy practices being strengthened thanks to the tireless efforts of privacy activists, often in the face of indifference by government agencies.

Featured image by G.dallorto.