Legal and court losses are piling up across Europe for American ad tech companies – and for Google.
Turns out navigating the GDPR and last year’s Schrems II decision, which invalidated Privacy Shield, the former data-sharing agreement between the US and the EU, is far from straightforward.
In January, the Austrian data protection authority (DPA) ruled that sites can’t use Google Analytics if the service shuttles data back to US servers. Which Google does.
The French DPA, called the CNIL, released its own judgement last week agreeing with the Austrian DPA. One decision in Austria might be considered an outlier. But with the French CNIL – the bellwether of European data regulators – backing up Austria’s ruling, this is starting to look like a consensus among European DPAs and a full-on siege of Google Analytics.
The Belgian DPA, meanwhile, ruled last week that IAB Europe’s Transparency & Consent Framework (TCF), the online advertising industry’s mechanism for conveying a person’s consent status to use data for advertising, is illegal under GDPR. The DPA gave IAB Europe six months to rework the framework so that the IDs can be audited.
IAB Europe has appealed another part of the ruling classifying it as a data controller for the TCF, which would effectively make the trade group legally responsible for how any publisher or ad tech company uses the framework to target ads.
If the ruling stands, IAB Europe would face a huge increase in costs and legal liability.
Google Analytics under fire
Google Analytics and other web infrastructure services collect data, namely IP addresses, that are considered personal information in the EU.
But the problem in this case isn’t GDPR, because the data isn’t being used for targeting ads, at least per the allegation. The issue, rather, is that the data of European citizens could be transferred to American systems – and that’s not okay as a result of the Schrems II ruling.
The Schrems II suit was against Facebook, but it had nothing to do with Cambridge Analytica or other ad targeting issues. Facebook lost the case because of Edward Snowden’s NSA leaks, which revealed that the US government collects user-level information from internet services. Individuals have no idea if and when their data is collected and have no legal redress regardless.
Although someone browsing an Austrian news site may not fall under NSA surveillance, in theory, it could happen – and that means the data can’t be transferred at all, even if it’s innocuous and collected legally under GDPR.
None of Your Business, Schrems’s advocacy group, brought both of the cases against Google Analytics decided by the Austrian and French DPAs. Schrems has parallel suits in practically every European country – so more dominos are likely to fall.
There’s clearly a “coordinated effort” by regulators to settle on an interpretation of the law, rather than have a hodgepodge of different inter-EU standards, said Wayne Matus, co-founder and general counsel of SafeGuard Privacy, a data privacy compliance startup.
The most straightforward solution for Google Analytics is to localize data in Europe, Matus said.
But that’s not the only consideration. If Alphabet localizes in response to DPA rulings it could set a tough new precedent, since Google might be able to derive greater economic benefits from globally consolidating data. There may also be technical difficulties that prevent setting up local data systems.
Even if Google Analytics kept data in Europe, however, there’s still a Microsoft case from 2018 to contend with, when the company was ordered via FBI warrant to hand over email data stored in Ireland, Matus said. The lower courts disagreed, and by the time the case was argued before the Supreme Court, President Trump had signed a new law granting investigators powers to compel such extraterritorial data. The previous decision – which favored Microsoft – was rendered moot.
In other words, even if Google Analytics set up local data services that never transferred to the US, the data could still be compelled by warrant.
Matus said Google would still have options, like establishing an independent business in Europe that couldn’t be compelled by the FBI – that trick only works on US companies.
A likelier solution is geopolitical. The problem could be resolved by a new US and EU data-sharing agreement. (The previous two, Safe Harbor and Privacy Shield, were both overturned in cases brought by Schrems.)
Consent on the ropes
IAB Europe’s TCF is now working against a six-month deadline to prepare an alternative that meets the Belgian DPA’s stipulations.
For one, the framework may not collect data based on legitimate interest (whereby data can be collected without a user’s explicit approval, such as for fraud detection, cyber security and web infrastructure services like logging traffic). Also, TCF ID strings need to be audited for use in programmatic.
Moving away from legitimate interest is the (relatively) easy part. Publishers, consent management platforms (CMPs) and ad tech companies can simply be forthright about exactly how data will be used, rather than popping up broad cookie opt-in notices that don’t explain much of anything, Matus said. Legitimate interest doesn’t mean data can’t be collected, just that it can’t be used in any ways an individual would not have expected when they provided consent.
A more intractable problem is auditability of the TCF. After all, TCF strings are visible to any DSP bidding on any programmatic inventory within the framework, and whether there’s consent to use data for targeting determines how much DSPs bid.
A rogue employee at a publisher or CMP could falsify consent data with no easy way to identify the violation in the fraction of a second before an ad is served, or even retrospectively.
Auditing the TCF seems like an impossibility.
“Let me stop you right there,” Matus said. “It is 100% possible.”
It’s just not practical to audit OpenRTB impressions in real time, Matus said.
But the Belgian and other DPAs could still get behind the framework if supply-chain vendors – CMPs, ad tech companies and data providers – agree to audits by IAB Europe and by advertisers within the context of a campaign. An agency or brand marketer, for example, could insist that vendors agree to transparent auditing as a prerequisite before buying through them.
The DPA wouldn’t offer a six-month window and agree to work on an updated version with IAB Europe if it didn’t expect to resolve the issue, Matus said. If the regulator thought it wasn’t feasible, the TCF would have been ruled flat-out illegal with appeal as the only recourse.
What happens next?
It’s difficult to predict how GDPR and European data privacy case law will play out.
Google is lobbying in the EU and US to allow for basic global data transfers. IAB Europe is appealing the Belgian DPA’s classification of the trade group as a data controller and working with the same regulator on a potential TCF fix. Until then the framework is a bit like a cat in Schrödinger’s box – we don’t know if it’s alive or dead, but we’ll find out in six months.
One irony of these various EU suits is the different ways in which they affect the competitive digital advertising market.
For example, in addition to harmonizing European data protection laws, the GDPR was meant to empower European tech companies and publishers, which have been beholden to US tech giants. But the GDPR suits targeting the TCF are a major boon to Google. If the TCF crashes, Google’s AdBuyers protocol is the only way to programmatically target ads using consent information.
And whereas the purpose of the Schrems II decision is to target US government surveillance, not crack down on anticompetitive big tech practices, it’s Schrems II that could deal a major blow to Google. If Google Analytics is severely hampered in Europe, the only apparent solution will be to find a local data server system.
But European regulators are hard at work trying to get Google to change its business practices, Matus said. And if that doesn’t work, they’ll target Google customers. For instance, also last week, a German court levied a token fine of 100 Euros against a news publisher because Google’s web-hosting service transferred IP addresses outside of the EU.
“It will start small and they’ll crank up the fines,” Matus said. “But this isn’t stopping until the behavior stops.”