Global developments to watch in 2022

2021 saw a number of changes (and proposed changes) to privacy legislation and regulations around the world.

In Australia, 2021 rounded up with the Government consultation on the Exposure Draft of the Online Privacy Bill.  Read ADMA’s submission to this consultation. At the same time, the Attorney-General’s Department released their Review of the Privacy Act 1988 Discussion Paper. View ADMA’s full submission in response to the Discussion Paper and the summary can be found here.

Here in Australia, the data-driven marketing and advertising industry will need to stay on top of what compliance and best practice looks like in a constantly changing environment. It is likely that developments internationally will have some impact, whether direct or indirect on that.

From tech trends to global policy-making and legislative developments, 2022 promises to be a fascinating – and complicated – year for privacy and data protection. New laws, enforcement actions, litigation, and self regulatory initiatives look like companies will be kept busy. There has been so much motion...and it's only still just the beginning of February.

Around the globe

Here is a topline summary of a few global developments that data-driven marketing and advertising industry should be across.

February 2022: BELGIAN DPA FINDS IAB EUROPE TRANSPARENCY AND CONSENT FRAMEWORK BREACHES GDPR

The Litigation Chamber of the Belgian Data Protection Authority (“Belgian DPA”) found that the Transparency and consent Framework (“TCF”) developed by the Interactive Advertising Bureau Europe (“IAB Europe”), fails to comply with a number of provisions of the GDPR. The Belgian DPA has imposed a  €250,000 fine against the  IAB Europe and given them two months to present an action plan to bring its activities into compliance.

Context

Since 2019, the Belgian DPA received a series of complaints targeting IAB Europe. The complaints challenged the conformity of the Transparency & Consent Framework with the GDPR.

Main findings of the case

IAB Europe Argued: In the context of the Belgians DPA’s investigation, IAB Europe asserted that it does not act as a data controller for its collection of users consents, objects and preferences through the TCF on the grounds that the ad tech vendors following the Open RTB protocol (“the participating organisations”) determine the purposes of processing without IAB Europe’s intervention.

The Belgian DPA rejected this argument and found that the IAB Europe is acting as a data controller with respect to the registration of individual user’s consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String which is linked to an identifiable user. This means that IAB Europe can be held responsible for possible violations of the GDPR.

Key GDPR infringements the Belgians DPA outlined in its decision

Lawfulness: The Belgian DPA found that:

• the IAB Europe does not have a legal basis for the processing of personal data through the TCF

• the legal grounds offered by the TCF for the sharing and subsequent processing of the data by the participating organisations (adtech vendors) are inadequate.

Transparency and information of others: The Belgian DPA also held that IAB Europe does not meet the GDPR’s transparency standards because the information IAB Europe provides through the consent management tool is too generic and vague, particularly given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data;

Accountability, Security, and Data Protection by Design and By Default: According to the Belgian DPA, IAB Europe failed to demonstrate that appropriate technical and organizational measures in accordance with the principle of data protection by design and by default, are in place to ensure the effective exercise of website and app users’ rights, to monitor the validity and integrity of the users’ choices.
Other obligations pertaining to a controller processing personal data on a large scale The Belgian DPA’s investigation also revealed that IAB Europe allegedly failed to maintain a register of its data processing activities (in line with Article 30 of the GDPR), to appoint a data protection officer and to conduct a data protection impact assessment with respect to the TCF.

Sanction

The Belgian DPA imposed an administrative fine of €250,000 on IAB Europe. In doing so, the Belgian DPA considered that the TCF may result in large groups of individuals losing control over their personal data. In addition to a monetary fine, the Belgian DPA required IAB Europe to undertake a series of corrective measures aimed at bringing the current version of the TCF into compliance with GDPR. These measures include, among other things:

• Establish a valid legal basis for the processing and sharing of website and app users’ preferences in the context of the TCF;

• Prohibit participating organizations from relying on the legitimate interests legal basis for their data processing activities;

• Permanently delete personal data already processed in the context of the TCF from all its systems and its processors’ systems; and

• Audit participating organizations to ensure they comply with the GDPR.

IAB Europe has two months to present the Belgian DPA with an action plan to implement these corrective measures.

The decision can be appealed.

Why this decision is important in Australia

The Australian Privacy laws are currently being reviewed by the Government. Some of the proposed privacy reforms here in Australia look to either mirror or go beyond that of the GDPR. 

Therefore, it is important that the data-driven marketing and advertising industry considers the impact that the above decision could have on its own operations and whether or not there could be questions (either now or in the future) around compliance.

JANUARY 2022: (USA) PROPOSED FEDERAL LEGISLATION SEEKS TO BAN TARGETED ADVERTISING

Three Democratic lawmakers introduced The Banning Surveillance Advertising Act. If passed, the bill could disrupt the digital advertising industry in the USA (and beyond).

The new bill seeks to significantly restrict targeted advertising practices and thereby reshape the online advertising landscape to the detriment of companies like Facebook, Google and data brokers that leverage deep stores of personal information to make money from targeted ads.

The proposed legislation prohibits “advertising facilitators” (defined as entities who receive consideration for disseminating ads and collect or process personal information in connection with such dissemination) from targeting ads to individuals based on their personal information.

In addition, the bill prohibits advertisers from targeting, or using an advertising facilitator to target ads based on personal information that the advertiser obtained from a third party (i.e., anyone other than the individual to whom such information pertains), or that identifies a person as a member of a protected class (such as such as race, gender and religion).

These restrictions also apply to practices that target groups of individuals and groups of connected devices, in addition to an individual person or connected device.

This would dramatically limit the ways that tech companies serve ads to their users  - banning the use of personal data altogether.

The bill makes an exception for “contextual advertising” and target advertising based on general location data at the city or state level  (geography as defined by the US Census Bureau) More precise location-based targeting is prohibited.

The bill would give the Federal Trade Commission powers to enforce against any entity found to be breaking it, and would also allow individual citizens to bring civil action against any entity they believe to be breaking the act.

Interestingly the legislative title calls it “surveillance” advertising, but the actual definitions in the text default more to ‘targeted’ advertising. If the Bill were to come to pass, it would impact a lot of the current privacy-protection solutions being developed by the industry.

Why this decision is important in Australia

While many commentators believe the Bill is unlikely to become law, it is yet another sign of the growing movement to protect consumer privacy and curtail the monetisation of personal information. As Australia goes through its own overhaul of the Privacy Act, the data-driven advertising and marketing industry hopes that when considering regulation around targeted advertising - the privacy harms must remain the sole focus without obliterating responsible activity that provides consumer benefit. While it might not be an easy balance to find - it is critical.

JANUARY 2022: WHERE THE FLoC DID ‘TOPICS’ COME FROM? GOOGLE’S UPDATE TO ITS PRIVACY SANDBOX

To replace third party tracking cookies, Google was until recently working on its a cohort-based advertising solution named FLoC – the Federated Learning of Cohorts. FLoCs objective was to put individuals in a crowd and keep people’s web history ‘private’ to their browser.

However late January, Google announced that it has shelved FLoC and replaced it with an interest-based advertising initiative called “Topics”. To be honest, this is not coming as a huge surprise. Ever since it announced FLoC to the world Google has faced questions as to whether it was compatible with Europe’s General Data Protection Regulation (GDPR). Google also made commitments to the UK’s Competition and Markets Authority (CMA) to ensure that its proposals are developed to work for the entire ecosystem.

With Topics, your browser determines a handful of topics that represent a user’s tops interests based on their week’s browser history. Topics are kept for only three weeks and old topics are deleted. Furthermore, Topics are selected entirely on the users device (Google says no external servers are involved – included their own). When an individual visits a participating site, Topics picks three topics, one topic from each of the past three weeks and shares this with the site and its advertising partners.

It’s definitely a case of watch this space.

JANUARY 2022: EUROPE: DATA REGULATORS TARGET ON GOOGLE ANALYTICS

In a recent ruling, the Austrian Data Protection Authority  – Datenschutzbehörde  - stated that the use of Google Analytics on Austrian website ‘NetDoktor’ breached the European Union’s General Data Protection Regulation (GDPR). It stated that the data being sent to the US was not properly protected against potential access by US Intelligence agencies. The Austrian DPA determined that supplementary measures implemented by Google, including government access, transparency reports and encryption of data, were insufficient. This recent decision could have “far-reaching implications”. “In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade- between the Eu and US face an uncertain future.

A few days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR on its COVID test booking website. The website was found to be using cookies associated with Google Analytics and the payment provider Strip (both US companies) had failed to demonstrate measures to safeguard associated data transfers to the USA.

Other DPAs in the European Economic Area (EEA) have already responded to the Austrian DPA’s decision:

The Norwegian DPA has published a statement on its website (in Norwegian) which outlines that it has been dealing with two pending cases concerning the use of Google Analytics and that its final decisions will be influenced by the European practice on this topic. Furthermore, the Norwegian DPA recommends that companies explore alternatives to Google Analytics, while also stating that similar issues exist with other tools that transfer personal data to the US.

In its statement (in Danish), the Danish DPA has emphasized that it is essential for DPAs to have a consistent interpretation of the data privacy rules. The Danish DPA itself intends to provide its own guidance to Danish companies on the use of Google Analytics based on the Decision of the Austrian DOA

IMPORTANT NOTE: The Austrian DPA's Decision does not prohibit the use of Google Analytics across the EU from a legal standpoint. The Austrian DPA's competence is generally limited to the territory of Austria under the GDPR. Furthermore, the Decision of the Austrian DPA is based on the specific set of facts of the case at hand and is not final. It can still be appealed.

Why this decision is important in Australia

Google Analytics could be implemented differently to a certain extent and this may impact Australian users as well. In any event the use of the current version of Google Analytics in the EEA is likely to come with legal risks.

Businesses in Australia with a connection to the EEA should keep their eyes on these regulatory outcomes as they may have an effect on how Google Analytics is to be used by your business. There is also a chance that Agreements your business has for data transfers across borders may need to have standard contractual clauses inserted or amended to ensure better compliance with GDPR. Speak to your compliance teams, they are sure to know what your business should so as these developments continue throughout 2022.

UPDATE INDIA’S PERSONAL DATA PROTECTION BILL

At the end of 2021, India, itself a top-10 global economy, tabled its long awaited privacy bill. India’s Privacy Bill has its own flavour of data localisation and transfer restrictions. India’s Joint Parliamentary Committee has also introduced several novel concepts, including protections for non personal data. Read a summary of some of the proposed changes.

Experts expect Lok Sabha, India’s parliament, to pass the law in 2022.

Why this is important in Australia

This is a one to watch as it will start yet another cycle of implementation for the numerous global and Australian businesses that have activities in the subcontinent, including major call centres and outsourcing operations.

IMPLEMENTION OF CHINA’S PIPL

In November 2021, China joined the list of countries that have adopted the very strict data-privacy laws.

China’s Personal Information Protection Law (PIPL) like the EU’s GDPR, the PIPL has extraterritorial effects, triggering multinational companies in tech, retail, luxury goods, automotive, finance and additional sectors to launch comprehensive compliance programs.
The PIPL should be viewed in the broader context of tech regulation in China. Over the past few years, multiple regulatory agencies in China, including the Cyberspace Administration of China (CAC), which is charged with enforcing PIPL, have introduced new rules on data security, data transfers, artificial intelligence, and more. In addition, the government launched enforcement actions against companies ranging from small app developers to major household names in Chinese tech. This reflects their desire to hold businesses of all sizes accountable to their compliance responsibilities. For global businesses, one of the main challenges will be compliance with many rules on cross border data transfers. Chinese law imposes data localization requirements on certain sectors – and categories of data, while other companies can export data from China but only under certain conditions such as conducting a security assessment and filing it with the CAC.

Why this is important in Australia

Given China’s desirability as both a market for, and a source of data, companies worldwide have started making early efforts to mitigate the impact of these new requirements on their businesses.

If your business has dealings with China, it is a good time to speak to your legal and compliance teams and review all your data processing activities to decide whether PIPL applies.

Digital marketing in 2022

The architecture in the Digital Marketing environment seems to be constantly in motion, with platforms such as Apple and Google phasing out or having phased out browser and device side tracking and measurement tools. While talk about the demise of the third party cookie feels like old news; the alternates available in market are still being fine-tuned by the platforms and are constantly developing to reflect cases faced internationally.  Marketing teams need to be aware of the changes as they are announced so they can adjust to the new ecosystem anchored in walled gardens and server side technologies.

This trend will continue in 2022. The ad tech ecosystem will continue to work towards better understanding  Apple’s ATT and SKAdNetwork and Google’s change from FLoC to TOPICS as well as its developments in FLEDGE proposals.  At the same time around the world digital marketing regulations will continue to change. Whether it is the ongoing development of the more well-known data privacy regulatory regimes such as Europe’s GDPR, e-privacy regulation and Digital Services Act and California’s CCPA and CPRA or the lesser known but equally important changes to data privacy regulations in jurisdictions where privacy laws are both being introduced and/or reviewed.

The impact on how Australian businesses operate in, and engage with those jurisdictions will be significant. Back home here in Australia our own Review of the Privacy Act and the outcome of the consultation on the Exposure draft of the Online Privacy Bill will mean that businesses locally will need to ensure that their compliance programs are up to date.

There is a lot happening and to keep up, the industry will have to come up with new models for ad targeting, measurement and attribution and keep testing and shifting as the environment requires them to.