Back to top

Blog

Brussels, Beer, and Better European Privacy Regulations

Greetings from Brussels, the land of French fries and beer, and now the epicenter of fierce efforts to achieve compliance with the historic European privacy regulation, the General Data Protection Regulation (GDPR).

I had the privilege of representing NAI members at two major privacy events in Brussels: the in-person meeting for the IAB Europe’s GDPR Implementation Working Group and the IAPP Data Protection Congress (DPC) 2017.

First on the agenda was the third in-person meeting of the IAB Europe's GDPR Implementation Working Group (GIG).  It was a great privilege to be able to participate in the GIG, which is comprised of IAB Europe member company representatives (many of whom are also NAI members).  The GIG is committed to helping the digital advertising technology industry create and implement meaningful business and technology solutions to comply with the new privacy requirements of the GDPR and, eventually, the new ePrivacy Regulation.  No small feat!

Here are some take-aways from our meeting:

  • The IAB Europe has provided timely, thoughtful, and visionary leadership in helping companies prepare for the GDPR, as well as tireless efforts to advocate for its members before European institutions. They definitely deserve a round of applause, and maybe one of those tasty Belgian beers! (Click on the link for a recap of IAB’s thought leadership materials on privacy and data protection.)
     
  • The GIG and its members have done an incredible amount of work in a short time with the goal of enabling digital advertising technology companies to comply with the requirements of the GDPR without infringing on either European citizens' fundamental right to privacy and data protection or advertising companies’ capability to deliver the services and products that are so essential to a free and thriving internet economy.
     
  • The IAB Europe, as an active leader in the broader advertising industry comprising, publishers, agencies, and marketers, has been working hard to build consensus across the entire European digital advertising industry for an industry-built and supported technology mechanism that will facilitate consumer consent when needed as a legal basis for processing data. Here are some key features of the consent solution, the details of which will be announced soon:
    • The solution will work on both mobile and desktop devices;
    • First parties will be able to dynamically disclose third party advertising partners and the purposes for which they collect and process data, and transmit user consent choices to such third party partners;
    • Consent can be obtained through the tool for either “global” or “service-specific” affirmative consent, and such consent can be updated or withdrawn;
    • Solution participants will have the ability to enable the creation of consent records and an audit trail, creating increased accountability;
    • The consent solution will be deployed before the date of application of the GDPR.
  • The official IAB Europe announcement about the consent solution was released yesterday and includes additional details.

From the GIG meeting, I headed to the IAPP Data Protection Congress 2017. Here are some of my impressions from the DPC:

  • The conference was completely sold out.  The number of attendees and the diversity of the organizations and companies present indicate the seriousness with which the industry is approaching this groundbreaking privacy regulation.
     
  • If real estate is all about "location, location, location,” then DPC this year was all about "GDPR, GDPR, GDPR." The vast majority of the panels and keynote presentations addressed GDPR readiness and compliance, and the implications for privacy programs - and privacy professionals - across the globe.  Even the vendors at the DPC were focused on GDPR, promoting comprehensive suites of GDPR compliance and management solutions, from internal data mapping and privacy impact assessment tools, to reporting and compliance demonstration solutions.
     
  • Of course, GDPR isn't the only privacy regulation that will affect digital ad tech companies.  There is great urgency in the halls of the European Parliament to draft and debate an ePrivacy Regulation to replace the current ePrivacy Directive. In a panel addressing the "perfect storm" of the GDPR and ePrivacy Regulation, several policymakers offered guidance for companies.  The EU Commission's Rosa Barcelo and Karolina Mojzesowicz along with Ralf Bendrath, policy advisor to MEP Jan Phillipp Albrecht, said that companies should be mindful of the ePrivacy Directive while waiting for the ePrivacy Regulation.  While the original May timeline for ePrivacy Regulation implementation is no longer realistic, they said, companies should continue to comply with the ePrivacy Directive which requires consent for data processing for digital advertising. In the words of Mr. Bendrath, "online tracking is already illegal [under the e-Privacy Directive].”
     
  • The conference ended on a controversial note.  German MEP Birgit Sippel, in what was her first public keynote address as the European Parliament's Special Rapporteur for the proposed ePrivacy Regulation, announced, "What we are aiming at is to abolish surveillance-driven advertising."  In response to industry arguments that ePrivacy Regulation restrictions will create consent fatigue and limit online content due to revenue drops, Ms. Sippel responded that businesses are innovative and should be capable of creating meaningful consent without causing consumer fatigue.

The NAI team has also recently arrived back home from a very productive and energetic Q4 NAI Board meeting in San Francisco. We enjoyed our Thanksgiving holiday at home and are soon headed back across the pond to EDAA’s 2017 Summit in London.  No rest for the weary! See you on the other side…of the next postcard.