With countries around the world enforcing “stay at home” legislation and varying levels of lockdown due to the coronavirus (COVID-19) pandemic, attention is understandably focused on health and safety now and for the foreseeable future.
However, it is also true to say that concerns around how the global economy will recover from the impact of COVID-19 are not far behind on the political and social agenda. With lockdown measures in place, many more people are purchasing groceries and other essential items online. Amidst all of this, the ongoing availability of online direct marketing and AdTech, industries that play a surprisingly large role in the economy in terms of GDP generation and employment, is at risk.
Regulators are understandably concerned with issues around privacy, but at a time when consumers are focused on other priorities, being able to quickly find relevant products is potentially more important than many may believe. From this perspective, professionals in the AdTech and direct marketing industries are experiencing a significant regulatory challenge at exactly the wrong time.
This regulatory threat could have wide-ranging repercussions, with many in the AdTech and direct marketing industries fearing that extensive regulatory initiatives will hinder wider innovation and ultimately have a negative impact on consumers.
On this point, a recent webinar joined by over 700 senior privacy and data innovation professionals from around the world brought to light four main takeaways that illustrate the industry concerns:
Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for data to be processed with complex algorithms, such as those in the AdTech space used to target particular consumer groups.
Instead of consent, contract and anonymisation, companies must consider Legitimate Interests as a lawful basis for processing. This requires new technical controls that protect data when in use.
SOS Alert: Direct marketing to customers is being challenged, and innovative data uses are at risk.
No one wants to be left behind: immediate action is required.
The problem for regulators is that the solutions for facilitating privacy-respectful and lawful direct marketing have been outpaced by the advancements in profiling and tracking individual consumers. Not only do few companies have the appropriate technical controls implemented, many regulators are sceptical about whether such controls even exist yet.
In addition to this, the impact of widely publicised incidents such as the Cambridge Analytica and Facebook data scandals naturally results in regulators erring on the side of caution and seeking to implement stricter privacy measures.
Currently, the AdTech and direct marketing industries are particularly concerned that in the UK the Information Commissioner’s Office (ICO) is trying to do away with Legitimate Interests as a lawful basis for direct marketing. This fear has arisen due to the way that this topic has been discussed in the ICO’s Draft Code for Direct Marketing.
In a similar vein, a recent Dutch Data Protection Authority (AP) decision has been widely reported as holding that commercial interests can never support Legitimate Interests as a lawful basis for data processing.
So how can the industry move forward in the shadow of these regulatory interpretations? The GDPR itself sets out that “[the] right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
In other words, this means that the balance between rights can and does frequently shift. While regulators may have historically been sceptical about the AdTech industry’s ability to protect the privacy of consumers, new technologies also bring new considerations, and shift the balance as a result.
The reality is that today there are new technologies available that are GDPR-compliant and support privacy-respectful and lawful direct marketing. One example of this is a term newly defined at the EU level in the GDPR, with a heightened standard relative to past practice: Pseudonymisation. It is critical to realise that this is NOT Pseudonymisation as you know it.
Pseudonymisation - as newly defined in the GDPR - is not only repeatedly mentioned within the GDPR as a recommended safeguard, but is also explicitly linked, in more than a dozen places, to express statutory benefits enabling greater data use.
For example, GDPR Article 25(1) identifies Pseudonymisation as an “appropriate technical and organisational measure” for establishing data protection by design and default, as set out in Article 25(2). This section requires controllers to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” Data protection by design and default is a requirement under the GDPR for lawful data protection.
In addition, the benefits of properly Pseudonymised data are highlighted in other GDPR articles, including Articles 32, 33 and 34 as a privacy protection measure helping to make data breaches “unlikely to result in a risk to the rights and freedoms of natural persons”. This then allows the data controller to not notify data subjects in the event of a breach (because the data subject cannot be identified if Pseudonymisation has been used).
GDPR-compliant Pseudonymisation embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy the statutory and contractual requirements necessary for lawful commerce to continue. Essentially, this means that privacy-respectful and lawful direct marketing can co-exist alongside business and industry interests through the appropriate use of Pseudonymisation as defined under the GDPR.
When you consider that a forecast made earlier this year predicted that the AdTech industry would lose $32-$39 billion in ad revenue due to the elimination of digital marketing personalisation, the need to act has never been more pressing. By implementing technical and organisational safeguards such as GDPR-compliant Pseudonymisation, organisations will be able to ensure demonstrable and technically-enforced accountability. This in turn will mean that lawful commerce through direct marketing and AdTech remains possible.
Gary LaFever, CEO & General Counsel, Anonos