Giovanni Buttarelli on state of GDPR adoption: ‘Even ticking a box does not necessarily mean consent is freely given’
It’s been a year since the roll-out of the General Data Protection Regulation, yet big questions still linger around what the right consent strategy looks like, if legitimate interest is enough to cover a business and whether more fines are coming.
Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply.
Excepts lightly edited for clarity and flow.
One aim of GDPR was to redress the imbalance of power between big tech titans and consumers, and make them accountable for how they use data. In light of that, what do you make of Google’s and Facebook’s efforts to comply with GDPR?
I don’t believe they are orientated to introduce big changes in terms of a balance of power. In 2017 we received a lot of declarations from businesses including Google, saying they were ready to respect it [GDPR]. But last May, the tsunami of privacy notices sent, often in obscure language, were clearly orientated to protect data controllers, not citizens.
Last October, I invited the CEOs from Facebook, Google and Apple to Brussels for the worldwide conference of data protection commissioners spanning 81 countries and 1,046 delegates. Only Tim Cook came in person and gave a speech which was greatly appreciated. Mark Zuckerberg and Sundar Pichai only appeared via video link. Zuckerberg’s message was that Facebook is ethical and respects its users. But I didn’t notice any substance after this declaration. The implicit message from them both was: “We don’t need to do anything else, because we’re there [compliant] already,” which frankly is not the case. There is a lot of work to be done. Compliance is a continued working progress for everyone.
Information Commissioner Elizabeth Denham recently said that if Zuckerberg is serious about privacy and data protection, Facebook should drop its appeal against the £500,000 ($654,000) fine from the ICO for the Cambridge Analytica scandal. Do you agree?
My good colleague Elizabeth rightly said that if he is serious about it, he should drop the appeal. Yesterday, we had an important discussion within the European Data Protection Board — the network of all data protection authorities. We agreed to better synchronize our efforts around cross border [rulings]. Although Ireland is legal authority for Facebook and Google, we have decided to work on the basis of increased cooperation between the DPAs. So we will meet with the Irish DPA to synchronize efforts, and we’ll analyze the legal obligations to strict deadlines. Ten of the 15 current big ongoing investigations at the Irish DPA relate to Facebook including Instagram and WhatsApp. These investigations have a lot of ground. Synchronization of DPA fines is important.
French regulator CNIL has fined Google €50 million ($65 million). Now the Irish DPA is lead authority for Google’s European HQ, can other DPAs follow?
The Irish DPA will be the lead authority for most cases concerning Google since such cases have a cross-border impact. But other DPAs will in any case be involved as concerned authorities and one decision should be issued, in compliance with GDPR cooperation and consistency mechanisms.”
What is your view of the IAB Europe Transparency and Consent framework, which has stated it is acceptable under GDPR for ad tech companies to bundle consent?
It is too early to conclude. We have had an early debate around it, and I have taken note of the controversial analogies and positions that have been put forward on it. We appreciate that the IAB considers this framework acceptable under GDPR. But we must wait and see before having a consolidated, reliable position on it from all DPAs. It is under analysis.
Lots of requests for consent on websites don’t appear compliant. Many publishers still work on an opt-out basis, rather than default opt-in. Will there be consequences?
Will there be more fines?
The debate around whether to use the carrot or the stick is everywhere. But my mission is to persuade people to be more accountable. To marginalize data protection doesn’t help; in fact, it would be a disaster for businesses to do so. Better to embrace a new culture of data protection, which may require a short-term restriction of appetite to maximize revenues but, in the long term, will ensure trust and confidence among consumers and a business return.
Interpretation of the law has been broad. Can a business claim legitimate interest if their core reason for collecting data is for the purpose of ad targeting?
Yesterday and this morning, we had an important outcome of a long-term discussion about article 6.1B with particular regard to legitimate interest. There are some final changes to fully reflect the discussion because it is so complicated. It’s not so easy to say whether they can or cannot. Legitimate interest is one of the main areas where the industry is looking to discuss further for the ePrivacy Regulation. But there are many areas where there is an abuse of trying to apply legitimate interest versus consent. But we will have a firmer decision on this within the week.
Update: An earlier version of this article stated that Buttarelli was from the European Commission, which isn’t correct. He is head of the European Data Protection Supervisor, an independent data protection authority which monitors and ensures the protection of personal data and privacy when EU institutions and bodies — including the European Commission — process personal data of individuals.
‘Everything was done in stages’: How Covid-19 impacted DoorDash’s first Super Bowl spot
DoorDash had to pivot amid the pandemic to film its first Super Bowl spot that will be part of the eight-year-old apps rebranding.
Publishers push plans to reopen offices until summer, but employees expect delays until 2022
Publishers are pushing back targets for reopening offices this year, and employees are skeptical about returning to their desks soon.
Media Briefing: The media industry’s top trends at the moment
To kick off the inaugural Digiday Media Briefing, the Digiday media team has compiled what we see as some of the top trends in the media industry today.
SponsoredWhat a content hub can do for marketing teams
In a truly effective marketing team, each team member is aligned, using shared tools and processes to efficiently create, collaborate and connect with their customers. With a content hub, marketers can break down the silos that have traditionally held them back, increasing collaboration in the crucial planning and workflow stages. Implementing this technology will make […]
Member ExclusiveDigiday Research: The coronavirus pandemic left marks on publishers’ 2021 revenue plans
While publishers remain focused on direct-sold ads and subscriptions, they seem less focused on diversifying revenue in 2021.
‘We had to take full ownership of data’: Why Denmark’s biggest news site cut reliance on Google’s tech
Denmark’s biggest news site Ekstra Bladet pushes ahead with its investment in first-party data with a homegrown sub for Google Analytics.