It’s been a year since the roll-out of the General Data Protection Regulation, yet big questions still linger around what the right consent strategy looks like, if legitimate interest is enough to cover a business and whether more fines are coming.

Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply.

Excepts lightly edited for clarity and flow.

One aim of GDPR was to redress the imbalance of power between big tech titans and consumers, and make them accountable for how they use data. In light of that, what do you make of Google’s and Facebook’s efforts to comply with GDPR?

I don’t believe they are orientated to introduce big changes in terms of a balance of power. In 2017 we received a lot of declarations from businesses including Google, saying they were ready to respect it [GDPR]. But last May, the tsunami of privacy notices sent, often in obscure language, were clearly orientated to protect data controllers, not citizens.

Last October, I invited the CEOs from Facebook, Google and Apple to Brussels for the worldwide conference of data protection commissioners spanning 81 countries and 1,046 delegates. Only Tim Cook came in person and gave a speech which was greatly appreciated. Mark Zuckerberg and Sundar Pichai only appeared via video link. Zuckerberg’s message was that Facebook is ethical and respects its users. But I didn’t notice any substance after this declaration. The implicit message from them both was: “We don’t need to do anything else, because we’re there [compliant] already,” which frankly is not the case. There is a lot of work to be done. Compliance is a continued working progress for everyone.

Information Commissioner Elizabeth Denham recently said that if Zuckerberg is serious about privacy and data protection, Facebook should drop its appeal against the £500,000 ($654,000) fine from the ICO for the Cambridge Analytica scandal. Do you agree?

My good colleague Elizabeth rightly said that if he is serious about it, he should drop the appeal. Yesterday, we had an important discussion within the European Data Protection Board — the network of all data protection authorities. We agreed to better synchronize our efforts around cross border [rulings]. Although Ireland is legal authority for Facebook and Google, we have decided to work on the basis of increased cooperation between the DPAs. So we will meet with the Irish DPA to synchronize efforts, and we’ll analyze the legal obligations to strict deadlines. Ten of the 15 current big ongoing investigations at the Irish DPA relate to Facebook including Instagram and WhatsApp. These investigations have a lot of ground. Synchronization of DPA fines is important.

French regulator CNIL has fined Google €50 million ($65 million). Now the Irish DPA is lead authority for Google’s European HQ, can other DPAs follow?

The Irish DPA will be the lead authority for most cases concerning Google since such cases have a cross-border impact. But other DPAs will in any case be involved as concerned authorities and one decision should be issued, in compliance with GDPR cooperation and consistency mechanisms.”



What is your view of the IAB Europe Transparency and Consent framework, which has stated it is acceptable under GDPR for ad tech companies to bundle consent?

It is too early to conclude. We have had an early debate around it, and I have taken note of the controversial analogies and positions that have been put forward on it. We appreciate that the IAB considers this framework acceptable under GDPR. But we must wait and see before having a consolidated, reliable position on it from all DPAs. It is under analysis.

Lots of requests for consent on websites don’t appear compliant. Many publishers still work on an opt-out basis, rather than default opt-in. Will there be consequences?

Of course, if they’re in the wrong, that goes without saying. It requires an active approach. Even ticking a box does not necessarily mean consent is freely given. Unambiguous consent means it must not only be explicit but meaningful, not a case of pre-ticked boxes or a case where you have no alternative but to continue through to a website. Perhaps the privacy policy is confined to a corner of a page you will never read. That is not the kind of privacy user-friendly approach we expected. If you start reading all privacy notices you receive, you will spend too much time reading these notices. On the other hand, if a person [ticks a box] “I accept and understand” but they don’t know what they’re consenting to, that is not acceptable either. A reasonable approach is in-between.

Will there be more fines?

The debate around whether to use the carrot or the stick is everywhere. But my mission is to persuade people to be more accountable. To marginalize data protection doesn’t help; in fact, it would be a disaster for businesses to do so. Better to embrace a new culture of data protection, which may require a short-term restriction of appetite to maximize revenues but, in the long term, will ensure trust and confidence among consumers and a business return.

Interpretation of the law has been broad. Can a business claim legitimate interest if their core reason for collecting data is for the purpose of ad targeting?

Yesterday and this morning, we had an important outcome of a long-term discussion about article 6.1B with particular regard to legitimate interest. There are some final changes to fully reflect the discussion because it is so complicated. It’s not so easy to say whether they can or cannot. Legitimate interest is one of the main areas where the industry is looking to discuss further for the ePrivacy Regulation. But there are many areas where there is an abuse of trying to apply legitimate interest versus consent. But we will have a firmer decision on this within the week.

Update: An earlier version of this article stated that Buttarelli was from the European Commission, which isn’t correct. He is head of the European Data Protection Supervisor, an independent data protection authority which monitors and ensures the protection of personal data and privacy when EU institutions and bodies — including the European Commission — process personal data of individuals.