Might European data protection regulators be gearing up for serious action on AdTech in the early New Year?
In June 2019, the Information Commissioner’s Office (ICO) published its interim report on real-time bidding (RTB), an online advertising method which works by tracking browsing information and serving up adverts based on browsing history, via a complex auction process potentially involving numerous actors. The ICO identified multiple issues with RTB, and, in so many words, stated that in its current iteration those involved with it appeared to be failing to comply with their obligations under the General Data Protection Regulation (GDPR), and, in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR). Prominent among the actors involved in RTB in the UK is Google.
A few months previously, the ICO's French equivalent, the CNIL, fined Google France €50m for failing to obtain data subjects' consent validly for the purpose of delivering personalised advertising. Ominously for Google, and perhaps more significantly than the fine itself, CNIL observed that "the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement."
CNIL had also, prior to taking action against Google, discussed with other European data protection authorities, in particular the Irish Data Protection Commissioner (DPC), whether it (CNIL) had jurisdiction to take action. These discussions were centred on the application (or not) of the GDPR "one-stop shop" mechanism, in Article 56 GDPR, under which a single lead supervisory authority, that of the country where the investigated entity has its main establishment, will investigate a complaint. For entities engaging in cross-border processing (such as Google), the one-stop shop mechanism can potentially be very beneficial, allowing them to deal with only one regulator. Where the mechanism does not apply, however, they potentially face investigations in any of the European countries in which they have establishments. The decision by CNIL, after discussions with its peers, that it does have jurisdiction (albeit that Google are said to be appealing the fine), opened the door to the possibility of regulatory investigations into Google across Europe, from a multitude of regulators.
Concurrently, the Irish DPC has also been investigating Google Ireland, among others (partly at the instigation of civil society groups).
So, what has happened while those investigations have been running their course? Although ICO does not appear to have issued any further formal updates as yet, Simon McDougall, its Executive Director for Technology and Innovation, has – to his credit – been very visible on the conference and AdTech industry circuits, saying, for instance, only recently, "Let me be clear: Changes have to be made. This complex system lacks data protection maturity in its current form and it must change to ensure that it is compliant with the law".
On 19 November, ICO held a "fact finding forum" about AdTech, reports from which have suggested that the ICO will be "forming a view on enforcement" on 20 December. Concurrently, the BBC recently ran a piece which suggested a "crucial" decision was coming from the ICO "early next year". In France, meanwhile, CNIL has said that it will publish a recommendation on the AdTech ecosystem "by the end of 2019 or, at the latest, at the beginning of 2020", with inspections to follow. And in Ireland, the DPC's statutory inquiry is likely to be reaching its close (although the Commissioner herself has stressed that her office "cannot take any shortcuts").
And what, exactly, might those imminent decisions consist of? GDPR provides for fines (to a maximum of €20m or 4% of global annual turnover, whichever is higher), but it also makes other sanctions available to regulators, including enforcement powers to require persons to cease processing, or to bring operations into compliance, within specified periods (on pain, if necessary, of further financial sanctions). In certain circumstances, such measures might be imposed (pursuant to Article 66) under GDPR's urgency procedure, to which an analogy with competition law's "interim measures" might be drawn. However, that procedure will only apply where one country's supervisory authority feels urgent action is needed, and the measures can only be valid for three months. In normal circumstances GDPR's consistency mechanism, under which supervisory authorities must cooperate with each other (even where there is no lead supervisory authority), will apply.
Given the ubiquity of RTB, given that it inevitably involves cross-border processing, and given that supervisory authorities have, between them, been looking at it ever since GDPR came into effect, one wonders – are Europe's supervisory authorities about to take coordinated action against those involved, including, in Google, probably its biggest player? And might that action take the form not of a fine, but of an enforcement notice, requiring them to cease processing, and bring it into compliance with the law?