Multiple threats from EU’s GDPR to today’s corporate surveillance and targeted advertising system

Posted on Dec 1, 2018 by Glyn Moody

Eighteen months ago, Privacy News Online wrote about how pervasive corporate surveillance is threatening the privacy of everyone who uses the Internet. Nearly every move people make online is being tracked and recorded. This is not in order to spy on the public directly, but to create vast databases about people’s interests and habits, which can then be sold to advertisers.

The depth of information held about everyone who uses the Internet means that the advertisements that we see on Web sites can now be targeted with great precision. Although that might be welcome in itself, the collateral damage is real and serious, as a new article on Motherboard entitled “Targeted Advertising Is Ruining the Internet and Breaking the World” warns:

targeted advertising and the algorithmic curation practices associated with it harms democracy itself. Advertising’s shift to digital has cannibalized the news media’s revenue, thus weakening the entire public sphere. And linking advertising to pageviews incentivizes media organizations to produce articles that perform well, sometimes at the expense of material that educates, entertains, or holds power-holders accountable.

The pushback against targeted advertising based on corporate surveillance is now gaining momentum. The main weapon being deployed is the EU’s relatively new General Data Protection Regulation (GDPR). The UK-based digital rights group Privacy International has filed GDPR complaints against data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.

Meanwhile, seven consumer organisations from across Europe have announced that they will file GDPR complaints against Google with their national data protection authorities. They accuse Google of “of using deceptive design and misleading information, which results in users accepting to be constantly tracked”:

When we carry our phones, Google is recording where we go, down to which floor we are on and how we are moving. This can be combined with other information about us, such as what we search for, and what websites we visit. Such information can in turn be used for things such as targeted advertising meant to affect us when we are receptive or vulnerable.

Both of those initiatives target the gathering, aggregation, and analysis of personal data. But there’s another line of attack that potentially threatens the entire online advertising industry. It involves the real-time bidding (RTB) system that this blog discussed a couple of months ago. As a subsequent post explained, a formal GDPR complaint has been submitted to the data protection authorities in the UK and in Ireland, asking them to investigate the use of real-time bidding systems by Google and other ad-tech companies.

Any of these complaints, if successful, could have a major impact on the way that advertising works online. However, at the moment, they are only complaints, which may lead nowhere. That’s what makes a recent development involving France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), so significant: it is a final ruling that will affect how all EU data protection bodies will operate, since they are all implementing the same law – the GDPR.

CNIL’s decision strikes at the root of real-time bidding, which works by sending out personal information to many potential advertisers, who then use automated systems to make bids to place advertisements on a Web page. The GDPR requires those targeted to consent to their personal data being shared in this way. That’s clearly difficult, since it is not known in advance which companies will be sent the data. To get around that, the ad industry employs what are sometimes known as “consent management platforms”. These are typically screens that are presented to visitors to a site, offering them the chance to specify which personal data can be sent to other companies. The idea is that people can pre-authorize the sharing of their personal data with many sites.

However, in a landmark ruling, CNIL has said that this does not satisfy the requirements of the GDPR. Instead, companies have to be able to show that they have checked they really do have permission from everyone whose data they receive as part of the real-time bidding process. What makes this particularly bad news for the advertising industry in the EU is that it seems to apply to a very widely-used framework for managing GDPR “consent flow” that has been created by the industry trade association and standards body, IAB Europe.

The European advertising industry is still digesting this new decision, so it is too early to say whether it will be possible to re-vamp the RTB system to make it compliant with the new GDPR ruling. However, it’s worth noting that this is just one of several challenges to today’s prevalent targeted advertising system that have appeared in just a few months: it’s likely that others will follow. It is therefore quite possible that the kind of micro-targeting of ads that is now commonplace will become impossible in the EU. Moreover, the global nature of the Internet means that this could have a major impact on advertising globally.

On the one hand, it may make it harder for companies engaging in corporate surveillance to build up huge databases of personal data, since it will be hard to exclude EU nationals in their data sweeps. The only solution would be for companies to try to block visitors from these regions completely, as is already happening for some Web sites. However, people can use VPNs to skirt around those obstacles, raising interesting legal issues about whether Web sites could still be held liable for failing to comply with the GDPR in this situation.

On the other hand, if highly-targeted advertising and real-time bidding effectively disappear in the EU as a result of the CNIL decision, it may encourage lawmakers in other jurisdictions to do the same. The GDPR is already causing politicians to take a fresh look at online privacy and its protection. Whether or not you approve of the GDPR’s particular approach in protecting data, that heightened global awareness of the importance of privacy has to be a good thing.

Featured image by BiljaST.

VPN Service