EDPS opinion puts targeted advertising in crosshairs

Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS), wrote that to ensure transparency and adequate data privacy, “additional safeguards” are needed to prevent possible harms from happening on online platforms. His critique comes in response to the European Commission’s Digital Services Act (DSA), a proposal published alongside the Digital Markets Act in December 2020.

In his opinion on the DSA, Wiewiórowski wrote: “Given the multitude of risks associated with online targeted advertising, the EDPS urges … additional rules going beyond transparency.” Such measures, he added, should include “a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.”

In addition to online advertising, other key areas the EDPS is particularly concerned about are recommender systems (where tracked data helps predict other content users might like) and content moderation (relating to how platforms determine whether user-generated content is harmful or illegal, for example).

The European Commission had hoped to get its digital services and markets legislation passed relatively simply, with an implementation date set for early 2022. Experts believe the EDPS’s intervention could push that timeline back, as well as open the battle lines for Big Tech and adtech firms to lobby hard against the changes.

Gabriel Voisin, privacy and data protection partner at law firm Bird & Bird, says the EDPS’s recommendations are “confusing.” He points out that while the EDPS wants an outright ban for online targeted advertising based on pervasive tracking, the EDPS also says EU states should ”restrict the categories of data that can be processed for such advertising methods,” which “suggests online targeted advertising is not problematic per se.”

To accommodate the EDPS’s concerns, the European Union would need to amend both the (delayed) ePrivacy Directive, which provides specific rules governing electronic communications, and the General Data Protection Regulation (GDPR)—a prospect that is unlikely, Voisin says.

Stewart Room, global head of data protection and cyber-security at law firm DWF, believes “it seems clear the EDPS is not calling for a total ban on targeted advertising” and says there appears to be room for discussion about what the term “pervasive tracking” actually means. “If the phrase relates to forms of tracking that must only be conducted with prior consent—for example, on an ‘opt-in’ basis—a ban would not add much to the state of the current law,” he says.

“The real priority for regulators should be a renewed focus on transparency and education in the sector to help companies continue to operate responsibly.”

Dr. Sachiko Scheuing, European Privacy Officer, Acxiom

More widely, lawyers say regulators and lawmakers are only considering the data privacy-related issues regarding targeted advertising, rather than how the technology drives modern business.

“When privacy campaigners describe marketing and advertising cookie tracking as ‘the biggest data breach in history,’ many people hear it as the ‘business prevention unit’ having a break from commercial reality,” says Camilla Winlo, director of consultancy services at privacy specialist DQM GRC.

“Small businesses, in particular, rely on the ability to target their advertising in order to stretch their budgets, and it’s difficult to see how any country would find popular support right now for a measure that may be seen as adding extra pressures onto business,” says Winlo.

Mark Hersey, associate at law firm Lewis Silkin, says the EDPS’s proposed outright ban on pervasive tracking may cause “significant competition considerations;” for example, by pushing advertising revenues to larger players that are able to leverage vast quantities of their own users’ data at the expense of smaller publishers that rely on revenue generated by third-party tracking technologies. As a result, he expects European data protection agencies (DPAs) to favor working with the adtech industry to achieve compliance rather than seek an outright ban.

Indeed, there are signs the industry is taking the issue more seriously. A planned Apple operating system update will require app developers to request explicit information from users to allow tracking them across other apps or Websites, thereby enabling targeted ads on an “opt-in” basis. Google is considering following suit with its Android devices.

Dr. Sachiko Scheuing, European privacy officer at data and tech communications firm Acxiom, says instead of imposing further legislation, “the real priority for regulators should be a renewed focus on transparency and education in the sector to help companies continue to operate responsibly.”

Research has shown people typically like the idea of targeted advertising—until they learn more about the processes involved. As such, moves to increase transparency and ensure user consent would be well served. In the United States, for example, the California Consumer Privacy Act includes specific requirements to allow individuals to opt-out of having their data shared, while the U.K.’s Information Commissioner’s Office’s Data Sharing Code of Practice includes stringent measures for commercial data sharing.

Another problem is monitoring compliance with the proposed changes will give DPAs a serious headache. “Enforcing any new measures will be difficult, thanks to the already-stretched-thin budgets of government regulatory agencies,” says Chris Hauk, consumer privacy champion at data protection organization Pixel Privacy. “This may be one of the reasons for a call for a blanket ban, as micro-targeting violations would require more manpower than might be available.”

Some believe the EDPS’s focus is off-target and argue that instead of trying to ban practices that are well-ingrained in how e-commerce works, it would be more constructive to engage with the industry to improve conduct—an approach typically favored by U.S. legislators.

“The EDPS would have more success at addressing the problems associated with targeted advertising if it took a more targeted approach itself” rather than making a polarized debate even worse, says Winlo.

“Regulators are at their most useful when they choose and clearly articulate a number of specific harms, transparently consult with the interested parties around those harms, set out the specific risks which need to be addressed, issue practical guidance on how different groups should work to address them, and then enforce rules that all parties understand,” she adds.

“To me, this is a ‘privacy-by-design’ issue, which means it is a practical issue and should be addressed as such.”