This year, the General Data Protection Regulation (GDPR), the EU’s flagship data protection law, celebrates its fourth anniversary. Few will pop open the champagne. For the many businesses actually trying to make sense and use of the law, it will be a somber affair. The GDPR remains mired in confusion and contradiction, creating uncertainty and restrictions for those businesses as they navigate a European digital economy increasingly weighed down by onerous rules.
Consider two recent headlines. First, the Belgian Data Protection Authority (DPA) issued a ruling that the Interactive Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. This ruling makes online advertising in the EU significantly more complicated, as publishers, advertisers, and technology vendors now need to scramble to find a solution that meets the demands of regulators. The irony is that IAB Europe developed the TCF with input from regulators and data protection agencies in order to ensure compliance with the GDPR and ePrivacy Directive.
The bone of contention is whether IAB Europe is a controller of the data supplied within the TCF (as defined by the GDPR), and as such, must abide by various requirements imposed by the GDPR on data controllers. Belgium’s data regulator believes that by creating a “voluntary standard” for obtaining consent and determining how user data flows en route to the bidding networks that end up showing ads, IAB Europe meets the criteria for data controllership. The implication is that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol. At stake is the flagship consent framework used by multiple advertisers for gathering user preferences on personal data. Banning it deals an enormous blow to websites and publishers that want to implement GDPR-compliant processes without having to build their own framework, which is prohibitively complicated for all but the largest organizations. The finding further raises GDPR’s regulatory costs and builds barriers to entry in e-commerce. The end result will be to strengthen incumbents and reduce competition—the very trends the EU is trying to combat with measures like the Digital Markets Act.
In other recent news, Austria’s Data Protection Authority recently found that a website using Google Analytics, a popular tool to monitor and understand site traffic, violates GDPR. In yet another blow for proponents of pragmatic enforcement, the regulator ruled that, despite the inability to track or profile Internet users through Google Analytics, websites using the tool fall afoul of the GDPR because the data could theoretically be accessed by U.S. law enforcement agencies. Google transfers data out of the EU only under the conditions set out by the European Court of Justice. Nevertheless, the DPA ruled that since Google Analytics communicates with U.S.-based servers, this constitutes an illegal data transfer out of the EU. The implications for European businesses are significant. As Max Schrems, the initiator of the case, puts it, “Companies can’t use U.S. cloud services in Europe anymore.” GDPR therefore creates de facto data localization rules that amount to digital protectionism. Google Analytics is one of the world’s most popular free tools for website operators. Banning its use in the EU is a setback for the millions of European websites that rely on Google Analytics to optimize their sites by understanding how users interact with them.
The EU intended the GDPR to provide clear rules around the permissible collection and processing of user data. Instead, it has created a legal nightmare by making almost any data collection, however innocent its intent may be, suspect. A small e-commerce provider that uses IAB Europe’s TCF to obtain consent from users for online ads, and relies on Google Analytics to measure how its website works, risks fines from European regulators. This state of affairs is untenable for European firms that want to use the Internet to support their business. Regulators interpret the GDPR so capriciously that there is little businesses can do to ensure compliance, aside from avoiding the use of data—hardly a reasonable expectation. When regulators find fault with even some of the most extensively developed frameworks like the TCF or products like Google Analytics, which have certainly benefited from the expertise of countless lawyers and compliance consultants, it signals that almost any business that runs Internet-enabled services in the EU could be found to have broken the law.
As technology commentator Benedict Evans observes, there is a “strand of European tech regulation that believes in principle that the Internet should work like television—a broadcast signal where creators know nothing about ‘audience’—and does not accept the implications of packet-switched networks.” Without fundamental reform, the GDPR will continue to chip away at the very tenets of how the Internet facilitates data flows and communication. Legitimate aims, like creating common rules for collecting and processing data in Europe, are swept away by anti-data zealotry that threatens to render the Internet unusable for commercial purposes in the EU.