by Herwin Roerdink
The intentions were admirable: a new ePrivacy Regulation that would apply on the same day as the newly introduced General Data Protection Regulation (GDPR). When the European Commission published its first proposal in January 2017, this still seemed to be the idea. But this turned out to be completely different. There was great division in the European Parliament, the negotiations in the Council were stuck. The Council did publish a compromised version late September for discussion, but so far, there is no final text yet. The bottlenecks are mainly in the area of cookies (Article 8 of the proposal) and direct marketing (Article 16 of the proposal). A final proposal is still a long way off. With a possible transition period of 1 to 2 years, the new ePrivacy Regulation will probably come into force in 2023 or 2024 at the earliest. This is unfortunate on several points, to put it mildly, all the more so because developments in the online marketing industry and the enforcement by data protection regulators do not wait for the completion of the legislative process. I will discuss a number of these developments below, all of which have an impact on the practice of ePrivacy and direct marketing for European advertisers and the companies involved in the AdTech industry.
“The bottlenecks are mainly in the area of cookies and direct marketing.”
In the past two years the courts in the Netherlands have frequently dealt with lawsuits about the GDPR, more than 300 times in the Netherlands alone. In practice, the often casuistic rulings give little guidance for the interpretation of the GDPR. We are waiting for more principled judgments of the Supreme Court and the European Court of Justice. Last year the ECJ has finally ruled for the first time – 17 years after the introduction of the ePrivacy Directive – in a case about direct marketing and obtaining permission for cookies. The (disappointing) conclusion of the ECJ was that consent cannot be obtained on the basis of pre-ticked boxes, which wasn’t new. Unfortunately, more practically relevant questions were not answered. Questions such as: is it allowed to require consent to receive direct marketing in the case of a lead generation website? Can you obtain permission for cookies by means of the statement ‘if you continue to use this website you give permission’? Hopefully the ECJ will soon rule on the interpretation of the ePrivacy Directive or addresses questions relevant to online marketing under the GDPR. With the exception of one case in which preliminary questions are being asked about the concept of email from the ePrivacy Directive (more specifically, whether advertising, which appears in specific advertising windows in the inbox of users of a free email service, can be regarded as email), there doesn’t seem to be any relevant cases pending about the ePrivacy Directive.
“It is to be expected that other ‘safe’ countries will suffer the same fate as the United States.”
Because European parties very often rely on the services of software suppliers and data brokers from the United States for their marketing and advertising needs, the ruling of the European Court of Justice in the second Schrems case is also very relevant. Not only did the ECJ declare the Privacy Shield mechanism (a form of self-certification that allowed the transfer of personal data to the United States) invalid, the ECJ also sharpened the most obvious second option (that of Standard Contractual Clauses) considerably. In order to enable the transfer of personal data on that basis, a European data exporter will have to implement (often very difficult if not impossible) additional safeguards in order to offer some protection against U.S. government surveillance. It is to be expected that other ‘safe’ countries will suffer the same fate as the United States. The same applies to the other mechanism for the transfer of personal data, the binding corporate rules. After all, all these mechanisms – without additional measures – will not prevent U.S. authorities from gaining access to personal data of European data subjects. The data protection authority of Baden-Württemberg very recently issued the first guidance on international data transfers. However, the guidance does not really address the challenges that global companies would face in practice and additional guidance from either the European institutions or other data protection authorities is very much welcome.
Following the Schrems II judgment, NOYB – the European Center for Digital Rights led by Max Schrems – submitted 101 complaints to the privacy supervisors of 30 member states of the European Union and the EEA. NOYB (“none of your business”) complains about the fact that many companies are still using Google Analytics or Facebook Connect despite the Schrems II judgment, while both Google and Facebook are still subject to U.S. supervisory legislation and are therefore acting contrary to the judgment. In principle, each supervisor will be obliged to deal with the complaints filed and will have to enforce it if needed. Only three complaints have been withdrawn in the meantime, because the parties concerned (all based in Liechtenstein) were able to demonstrate that they had removed the code elements of Google and Facebook. The EDPB in the meantime has created a taskforce to look into these complaints filed by NOYB.
Of particular interest to the AdTech industry is the class action instituted by the Dutch foundation The Privacy Collective against Oracle and Salesforce. In this case, the phenomenon of real-time bidding ad auctions (RTB) is denounced: a system in which, based on profiles of millions of internet users, personalized online advertisements are auctioned and displayed within milliseconds and personal data is made available to countless commercial parties, which, according to The Privacy Collective, violates the GDPR. Allegedly, based on the brand new possibility to file mass claims in the Netherlands, this would lead to a possible compensation of no less than €10 billion. A similar case is expected in the United Kingdom. The entire AdTech industry will look at this case with interest, all the more so because RTB is being used on an enormous scale.
Considering the above, while there is little or no movement in the legislative process of the ePrivacy Regulation, the legal reality is one of enormous movement in that area. Although it seems that a final text of the ePrivacy Regulation is still some way off, in practice the developments within the online marketing industry and the enforcement activities of regulators emerge quickly. It is to be hoped that the legislative process can keep pace with these new developments and the final ePrivacy Regulation will meet the widely supported desire of the legislator to make it future-proof.
About the author
Herwin Roerdink is partner at Vondst Advocaten and head of the Data Protection team. He advises a large range of (data driven) clients on a strategic level and assists clients in enforcement procedures initiated by the DDPA and ACM. He also lectures on e-privacy law at the renowned Grotius Academy.