Overview of the Court’s ruling

The key question referred to the European Court of Justice was whether “an entity should be held liable in its capacity as administrator of a fan page on a social network … because it has chosen to make use of that social network to distribute the information it offers”.[5] The Court observed:

“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.”[6]

Therefore, the Court ruled that:

“the administrator of a fan page hosted on Facebook … must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page. The administrator must therefore be categorized, in the present case, as a controller[7] responsible for that processing within the European Union, jointly with Facebook Ireland…”[8]

The marketer is therefore not only responsible in a general way for the marketing campaigns that he or she pays for, but is specifically accountable as a “joint controller”, and therefore is subject to the full risk set out in Article 82 of the GDPR.[9]

Implications for programmatic advertising

For marketers, this is a momentous ruling. Its significance goes far beyond Facebook, and should frame how marketers view online advertising from now on. To understand why, consider three aspects of the Court’s ruling.

1. Directly or indirectly, it is a marketer who causes the data processing to occur.

The Court found that the marketer in question bore responsibility for Facebook’s processing of personal data because its decision to use a Facebook fan page as a marketing channel had caused the processing to happen. By using a Facebook fan page, a company “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”[10] The Court ruled that this is particularly significant when considering users that would not otherwise have been tracked by Facebook in this way:

“It must be emphasized, moreover, that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data.”[11]

There is a direct parallel with programmatic advertising. By paying the online programmatic advertising system, marketers provide a reason for the adtech industry to process the personal data of every visitor to virtually every major website in every developed country. Every single time a person loads a page on a website that uses programmatic advertising, supply side platforms (SSPs) or ad exchanges send personal data about that person to tens – or hundreds – of companies to solicit bids from demand side platforms (DSPs). The DSPs act on behalf of marketers who might want to show an ad to that person.

This broadcast of personal data to multiple companies is known as an “RTB bid request”. Bid requests include the URL the user is loading, the user’s IP address (from which geographical position may be inferred), details of the user’s browser and device, and unique IDs (that may be used to build longer term profiles of that user).[12] There is no control over what happens to these personal data[13] once a website makes this data-leaking “bid request”.

In other words, details about each page that every person visits on the Web, and details of their device, are shared with a large number of companies, constantly, on virtually every single website. Programmatic advertising is a vast and ongoing data breach,[14] although one that goes unreported to regulators or data subjects – itself an infringement of Article 33[15] and Article 34[16] of the GDPR. This €10.6 billion[17] ($12.3 billion) system would not operate if marketers did not pay for it. The Court’s ruling means that they have to take responsibility for this problem.
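To make the preceding point concrete, here is a small added example (not code from the article, from IAB Tech Lab, or from any exchange) that takes an OpenRTB 2.x bid request and lists the fields a marketer is, under this ruling, jointly responsible for. The sample request is constructed for illustration; its object and field names (`site.page`, `device.ip`, `device.ifa`, `user.buyeruid`, and so on) follow the OpenRTB 2.x object model cited in note [12], and the `regs.ext.gdpr` flag and `user.ext.consent` string follow the IAB’s GDPR extension to OpenRTB 2.x. The consent string value is a placeholder, not a decoded real one. The inventory, the redaction, and the `gdpr_scope` check are this editor’s additions; the categories mirror the article’s list (URL, IP address, browser/device details, unique IDs).

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample OpenRTB 2.x bid request. Values are invented; field names
# follow the OpenRTB 2.x object model (site, device, user, regs).
SAMPLE_BID_REQUEST = json.dumps({
    "id": "80ce30c53c16e6ede735f123ef6e32361bfc7b22",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}, "bidfloor": 0.5}],
    "site": {
        "id": "site-1",
        "domain": "news.example",
        "page": "https://news.example/health/fertility-treatment-costs?utm_source=newsletter",
        "ref": "https://search.example/?q=ivf+clinic+dublin",
    },
    "device": {
        "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15",
        "ip": "203.0.113.42",
        "ifa": "6A3B6C1E-2F5D-4B1A-9C0E-8D7F6E5A4B3C",
        "geo": {"lat": 53.3498, "lon": -6.2603, "country": "IRL", "city": "Dublin", "zip": "D02"},
        "language": "en",
        "os": "iOS",
    },
    "user": {
        "id": "7b3fd1e4-ssp-user-id",
        "buyeruid": "dsp-cookie-sync-id-91a2",
        "yob": 1984,
        "gender": "F",
        # Placeholder for an IAB TCF consent string; not a real encoded string.
        "ext": {"consent": "CONSENT-STRING-PLACEHOLDER"},
    },
    "regs": {"ext": {"gdpr": 1}},
})

# Dotted paths of fields that are personal data, or that single a person out,
# grouped as the article lists them. `app.bundle` covers in-app requests.
PERSONAL_DATA_PATHS: Dict[str, List[str]] = {
    "url": ["site.page", "site.ref", "app.bundle"],
    "network": ["device.ip", "device.ipv6"],
    "device": ["device.ua", "device.geo.lat", "device.geo.lon",
               "device.geo.zip", "device.geo.city"],
    "identifier": ["device.ifa", "device.didsha1", "device.didmd5",
                   "device.dpidsha1", "device.dpidmd5", "user.id", "user.buyeruid"],
    "profile": ["user.yob", "user.gender", "user.keywords"],
}


def _walk(obj: Any, path: str) -> Tuple[bool, Any]:
    """Follow a dotted path through nested dicts; return (found, value)."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur


def inventory(bid_request_json: str) -> List[Tuple[str, str, Any]]:
    """List (category, path, value) for every personal-data field present."""
    req = json.loads(bid_request_json)
    found = []
    for category, paths in PERSONAL_DATA_PATHS.items():
        for path in paths:
            present, value = _walk(req, path)
            if present:
                found.append((category, path, value))
    return found


def redact(bid_request_json: str) -> Dict[str, Any]:
    """Return a copy of the request with every inventoried field removed.

    Ad-slot data (imp, site.domain, device.os ...) is left intact, which is
    what a bidder would need to price an impression without a profile.
    """
    req = json.loads(bid_request_json)  # fresh object, safe to mutate
    for paths in PERSONAL_DATA_PATHS.values():
        for path in paths:
            parent_path, _, leaf = path.rpartition(".")
            present, parent = _walk(req, parent_path) if parent_path else (True, req)
            if present and isinstance(parent, dict):
                parent.pop(leaf, None)
    return req


def gdpr_scope(bid_request_json: str) -> str:
    """Report how the request signals GDPR applicability and consent.

    Note what this cannot tell you: the personal data above is already in
    the request whatever the flag says, so the broadcast has happened.
    """
    req = json.loads(bid_request_json)
    flagged, gdpr = _walk(req, "regs.ext.gdpr")
    has_consent, consent = _walk(req, "user.ext.consent")
    if flagged and gdpr == 1:
        return "gdpr_with_consent_string" if has_consent and consent else "gdpr_no_consent_string"
    return "gdpr_not_flagged"


if __name__ == "__main__":
    for category, path, value in inventory(SAMPLE_BID_REQUEST):
        print(f"{category:10} {path:18} {value!r}")
    print("scope:", gdpr_scope(SAMPLE_BID_REQUEST))
    print(json.dumps(redact(SAMPLE_BID_REQUEST), indent=2))
```

Run against the sample, the inventory shows thirteen personal-data fields going to every bidder, including the page URL with its query string, the referrer carrying a search query, and three distinct identifiers. The redacted request still describes the ad slot and the site, which is the part a marketer actually needs to buy an impression.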

2. The marketer requests targeting

The Court observed that marketers using Facebook fan pages define the target audience that they want to reach. This “has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page”.[18] Marketers using Facebook fan pages can “ask for — and thereby request the processing of — demographic data relating to its target audience”.[19] These include:

“trends in terms of age, sex, relationship and occupation, information on the lifestyles and centers of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organize events, and more generally enable it to target best the information it offers.”[20]

This is precisely what programmatic adtech vendors promise their agency and brand clients, as a visit to an adtech vendor’s website will show.[21] As the Court observed, by “designat[ing] the categories of persons whose personal data is to be made use of by Facebook … the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.”[22] The same applies to any marketer who uses similar services.

3. The marketer requests reporting

The vendor (Facebook) processes personal data to enable companies using fan pages “to obtain statistics produced by Facebook from the visits to the page”.[23] Even though the marketer may receive only anonymous audience statistics from Facebook,

“it remains the case that the production of those statistics is based on the prior collection, by means of cookies installed by Facebook on the computers or other devices of visitors to that page, and the processing of the personal data of those visitors for such statistical purposes”.[24]

Again, this has a clear parallel in programmatic advertising. A marketer may see only aggregated campaign reports from its DSP and measurement vendors, but those reports are produced from the per-impression personal data broadcast in bid requests, just as Facebook’s page statistics are produced from the data collected by its cookies.

Risk for marketers

The ruling clarifies that marketers are “joint controllers”, and are therefore accountable for the data leakage problems in the programmatic advertising system.[25] As the Court noted, marketers are jointly responsible controllers even though they may never touch the personal data themselves.[26]

The Court noted that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”.[27] Even so, the GDPR provides that “each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject”.[28] These court actions can be taken by people whose data have been misused,[29] or by their representatives in some member states.[30] Article 82 of the GDPR says that when a company has paid full compensation, it can then attempt to claim back proportionate compensation from the other parties involved.[31]

In addition to this, and to the fines that can be imposed by data protection authorities, it is also worth noting that the Member States may also provide for a claw back of all revenue generated through infringement of the Regulation.[32]

To avoid these risks, a marketer must be able to prove that all vendors that it has commissioned, or caused to be commissioned, are processing personal data in a fair, proportionate, and transparent manner.[33] But this is impossible for marketers to do. Nor is it possible for a marketer to prove where the vendors working for it have got their data from, or to account for what happens to personal data once it is sent to large numbers of companies in RTB bid requests. The programmatic system was built to widely spread personal data, not to protect it. It is a data protection free zone.

This infringes many articles of the GDPR, most particularly Article 24,[34] which concerns the responsibility of the controller, and Article 32,[35] which requires security of processing. It also appears to infringe so many other articles of the Regulation that they are listed here in the footnotes.[36]

In addition, marketer accountability also means that the consent system designed by IAB Europe, an adtech trade body, puts marketers in further jeopardy. Where consent is unlawful, a data protection authority can impose the maximum penalty (up to €20 million or 4% of global annual turnover, whichever is higher).[37] The problem for marketers, as elaborated in more detail in a previous note,[38] is that the IAB Europe “transparency & consent” framework appears to be a serious and willful infringement of Article 5, Article 6, Article 8, Article 12, and Article 13 of the Regulation.

The IAB Europe approach conflates multiple data processing purposes, which the Article 29 Working Party has warned will render consent invalid. Article 5 of the GDPR requires that personal data be processed only for “specified, explicit” purposes, so consent must be requested granularly, purpose by purpose.[39] Instead, IAB Europe’s proposed design – and the various implementations of it live on the Web today – bundles together a host of separate data processing purposes under a single opt-in. For example, a large array of separate adtech consent requests[40] are bundled together in a single “advertising personalization” opt-in,[41] despite European regulators having explicitly warned that conflating purposes in this way would render consent invalid.[42]

The IAB Europe descriptive text for the “advertising personalization” opt-in, for example, appears to severely infringe Article 6,[43] Article 12,[44] and Article 13[45] of the GDPR: in a single 49-word sentence, the text conflates several distinct processing purposes and provides virtually no indication of what will be done with a reader’s personal data.[46] In addition, some implementations of this consent approach prevent users from withholding their consent for non-essential processing of their data, which appears to severely infringe Article 7 of the GDPR.[47] Even so, this approach to consent may be becoming a de facto standard for the programmatic advertising industry.[48]

Conclusion

Marketers are clients of a programmatic online advertising system that routinely shares personal data about the behavior of website visitors among large numbers of companies without those data being protected. This data protection free zone now exposes marketers to liability. Therefore, so long as personal data are broadcast among hundreds of companies, marketers should exercise extreme caution about programmatic advertising.

Author Dr Johnny Ryan.

Thanks to Luke Mulks, Brendan Eich.

Notes

[1] Judgement of the Court (Grand Chamber), in case C‑210/16, REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesverwaltungsgericht (Federal Administrative Court, Germany), made by decision of 25 February 2016, received at the Court on 14 April 2016, in the proceedings Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, 5 June 2018.

[2] The Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), the data protection authority for the German state of Schleswig-Holstein.

[3] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 16.

[4] ibid., paragraph 17.

[5] ibid., paragraph 25. This is the Court’s summary of the first and second questions referred to it by the Bundesverwaltungsgericht. See the original questions in paragraph 24 of the judgement.

[6] ibid., paragraph 40.

[7] A controller is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), Article 2, paragraph d. This is the same definition that appears in Article 4 of the GDPR.

[8] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 39.

[9] The GDPR, Article 82.

[10] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 35.

[11] ibid., paragraph 41.

[12] See “Open RTB API Specification version 2.3.1”, IAB TechLab, revised June 2015, pp 16-22 (URL: https://www.iab.com/wp-content/uploads/2015/05/OpenRTB_API_Specification_Version_2_3_1.pdf); see also updates proposed in OpenRTB 3.0 Framework (draft for public comment), IAB TechLab, September 2017, pp 30-1. (URL: https://iabtechlab.com/wp-content/uploads/2017/09/OpenRTB-3.0-Draft-Framework-for-Public-Comment.pdf). See an example of a bid request at https://docs.openx.com/Content/demandpartners/openrtb_bidrequest_sample.html; see also Brian O’Kelley, “Request for Comments: Trusted Data Partners”, BOKonads.com, 23 February 2017 (URL: https://bokonads.com/request-for-comments-trusted-data-partners/).

[13] Johnny Ryan, “Risks in IAB Europe’s proposed consent mechanism”, PageFair Insider, March 2018 (URL: pagefair.com/blog/2018/iab-europe-consent-problems/).

[14] The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 4, paragraph 12.

[15] The GDPR, Article 33.

[16] The GDPR, Article 34.

[17] According to a study commissioned by IAB Europe. “The economic value of behavioural targeting in digital advertising”, IHS Markit, September 2017, p. 2.

[18] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 36.

[19] ibid., paragraph 37.

[20] ibid., paragraph 37.

[21] See for example a case study of Krux (a data broker now owned by Salesforce) and its work for an advertising client: “ConAgra Foods Sees Dramatic Jump in Brand Lift After Using Data to Run Targeted Campaign”, SalesForce/Krux (URL: www.salesforce.com/customer-success-stories/conagra/, last accessed 26 June 2018). There are many such examples, and the guides and marketing material on adtech company websites are also revealing, such as “Importance of target audiences”, Lotame, 12 October 2016 (URL: www.lotame.com/importance-target-audiences/, last accessed 26 June 2018); “A Comprehensive Data Management Platform Powers 360° Analytics”, Oracle, 2014 (URL: www.oracle.com/partners/en/most-popular-resources/whitepaper-dmp-analytics-2627471.pdf, last accessed 26 June 2018).

[22] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 36.

[23] ibid., paragraph 34.

[24] ibid., paragraph 38.

[25] The GDPR, Article 5, paragraph 2.

[26] Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16., paragraph 38.

[27] ibid., paragraph 43.

[28] The GDPR, Article 82, paragraph 4.

[29] ibid., Article 82.

[30] The GDPR, Article 80, paragraph 1 and 2.

[31] ibid., Article 82, paragraph 5.

[32] ibid., Recital 149.

[33] These terms refer to principles of data protection, set out in Article 5 of ibid.

[34] ibid., Article 24, paragraph 1 and paragraph 2.

[35] ibid., Article 32, paragraph 1, paragraph 2, and paragraph 4.

[36] It is also likely to infringe the following articles: Article 5, Article 6, Article 9, Article 14, Article 15, Article 16, Article 17, Article 18, Article 19, Article 20, Article 21, Article 22, Article 24, Article 25, Article 29, Article 30, Article 32, Article 33, Article 34, Article 35, Article 36; and is probably an infringement of Article 44.

[37] ibid., Article 83, paragraph 5, a.

[38] Johnny Ryan, “Risks in IAB Europe’s proposed consent mechanism”, PageFair, March 2018 (URL: pagefair.com/blog/2018/iab-europe-consent-problems/).

[39] The GDPR, Article 5, paragraph 1, b. Note the reference to the principle of “purpose limitation”. See also Recital 43. For more on the purpose limitation principle see “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013.

[40] See discussion of data processing purposes in online behavioural advertising, and the degree of granularity required in consent, in “GDPR consent design: how granular must adtech opt-ins be?”, PageFair Insider, January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/).

[41] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 18.

[42] “Guidelines on consent under Regulation 2016/679”, WP259, Article 29 Working Party, 28 November 2017, p. 11.

[43] The GDPR, Article 6, paragraph 1, a.

[44] ibid., Article 12, paragraph 1.

[45] ibid., Article 13, paragraph 2, f, and Recital 60.

[46] “Transparency & Consent Framework FAQ”, IAB Europe, 8 March 2018, p. 18.

[47] The GDPR, Article 7, paragraph 4. See also Johnny Ryan, “Can websites use “tracking walls” to force consent under GDPR?”, PageFair Insider, November 2017 (URL: https://pagefair.com/blog/2017/tracking-walls/).

[48] It is being integrated into the next “OpenRTB” specification, which governs all programmatic advertising.