Privacy and how the personal data of individuals is collected, stored, manipulated and shared is governed by GDPR. However, some high-profile data compliance breaches have thrown into doubt the effectiveness of the regulation. And as the Open Web comes under attack once more, can privacy and the ideals of an Open Web every be fully reconciled?
An investigation into the Interactive Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF), a flagship program designed to collate internet users’ consent for targeting with behavioural ads, found it fell below the standards stipulated by the General Data Protection Regulation (GDPR). The investigation was conducted by the Belgian Data Protection Authority (DPA) following complaints relating to the use of personal data used to serve digital adverts over electronic auctions.
To gain an insight into how these findings could impact GDRP in the future, and whether privacy is under attack, Silicon UK spoke exclusively to Rotem Dar, Director of Media Operations at eyeo – an Open Source software development company and began by asking, in light of the Belgian DPA’s investigation is reported to have revealed that TCF does not, in fact, comply with GDPR principles on transparency, fairness and accountability, where does this leave GDPR?
“I believe that the question should better be, “where does it leave TCF?” Rotem responded. “Although it doesn’t always seem that the legislation is being followed, GDPR is an implemented regulation within the EU and GB.
“TCF was the first shot of the Adtech industry, but potentially it would need to dramatically evolve, or to be replaced with another system that reflects the spirit of the law. With that said, and despite the APD’s very reasonable arguments, it is important to state that the APD Litigation Chamber has still not ruled TCF out.”
Digital advertising clearly needs to evolve and change. What kind of changes do you see must be made to maintain a level playing field for consumers and advertisers alike?
“There are few, but I would like to highlight one aspect in particular. GDPR has reaffirmed and strengthened users’ right to be forgotten. That also entails the ability to ask for data deletion at some point from collecting parties. Despite this principle, TCF at its typical setting doesn’t enable the user at this point to verify the final destination of their data, just the vendors that transact it.
“I don’t want to over-simplify this process, there are attempts to pass this information securely and mostly anonymised, but these efforts still fall short. A new technologic solution that would eventually take the current infrastructure’s place, should address this issue and allow users to track the journey of their data until it becomes anonymised. That is also related to enhanced transparency, users nowadays are not granted with adequate visibility of their data flow and therefore don’t trust the handling of it.”
Are we entering an era where consumers become more aware of the value their data has?
“Yes, not by all, but there’s a growing awareness for sure. By majority, our personal data is used relatively fairly, or at least not in a way that harms our well-being significantly. However, as humans, we would rather not have our data manipulated. There are various examples of how innocent usage of platforms had led to the sharing of data in a way that exceeded reasonable users’ expectations, and the counter-effect of it is this growing awareness.
“Of course, there are also more extreme cases, where certain individuals would like to prevent the sharing of their personal information to protect their well-being, but I wouldn’t say that at the moment this is a widespread issue in Europe. I hope it will never be.”
Is it not a double-edged sword: we want access to services at a reasonable price, yet also want high levels of privacy across the Open Web. Is it ever possible to reconcile these two desires?
“Indeed, the market lacks this facilitation that would draw the line between individuals’ legitimate interests and the public’s common good, or in other words, fair compensation for the generation of content. Advertisement can’t exist without some level of measurement and attribution, while users wouldn’t like to pay directly for every consumed content. It is also for the benefit of the user that adverts will provide some value to them if displayed.
“I think that the end-game is that all parties would have to progress towards each other: advertisers would have to be satisfied with more modest requirements, while users would have to determine whether they are willing to leave some non-traceable data, or otherwise pay for the content they consume directly. I definitely find the former more sustainable. The missing link is a product or service that can facilitate that, but it’s just a matter of time until it appears and changes the way we see this sort of user-website-marketer engagement.”
Transparency with data collection, management and usage would be ideal, but will the gatekeepers (Google and Facebook in particular) ever allow this level of transparency?
“Assuming that the legislation will not change, all companies are supposed to follow it, even Google and Facebook, but this is not just a European topic. Google announced that they would walk the privacy path too by 2022.
“I am not naive, I understand that some level of vagueness serves monetary incentives of platforms, and that there are many ways to achieve this vagueness, but I also see a trend here. More and more states pass privacy legislation, most recently California, which its voters have just approved CPRA to close some CCPA loopholes. I also recognise enhanced firmness in authorities’ enforcement actions, and growing users’ motivation to stand for their privacy rights. We’re at a middle of a crossroad, but if all of the above would add up together, it may have an effect.”
Ensuring the Web remains open has been the subject of much debate over the last decade. Could GDPRs drive to deliver more control over personal data mean an end to the open Web as we know it?
“It’s a risk, but as I mentioned, I think that there will be a middle way. I am not a fan of this dogmatic approach of “either privacy or the Open Web”. Privacy law is not the only legal field that plays a role here. Antitrust law should also play a significant role in shaping the power play of the Web. Yes, there will be users who would prefer to pay for content and avoid ads and tracking, but there is a minority of users who can afford it, and a minority of websites that can justify that with their content. I do, however, see this trend aligned with Apple’s approach, to some extent.
“Eventually, the most important advertising use cases will be redesigned in a way that would serve both sides of the value chain better, too many companies in the field are trying to find a solution for this topic. It reminds me a bit of the race to COVID-19 vaccine. There’s a good chance that being purposefully innovative will also be very rewarding.”
Rotem Dar has been an integral member of the eyeo team for the last five years and currently operates as the Director of Media Operations. During his time at eyeo, Rotem has played a vital role in ensuring eyeo achieves its goal of building products that help develop and sustain a fair and open web, while also providing users are in control.
Poto by cottonbro from Pexels.