Giovanni Buttarelli on state of GDPR adoption: ‘Even ticking a box does not necessarily mean consent is freely given’
It’s been a year since the roll-out of the General Data Protection Regulation, yet big questions still linger around what the right consent strategy looks like, if legitimate interest is enough to cover a business and whether more fines are coming.
Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply.
Excepts lightly edited for clarity and flow.
One aim of GDPR was to redress the imbalance of power between big tech titans and consumers, and make them accountable for how they use data. In light of that, what do you make of Google’s and Facebook’s efforts to comply with GDPR?
I don’t believe they are orientated to introduce big changes in terms of a balance of power. In 2017 we received a lot of declarations from businesses including Google, saying they were ready to respect it [GDPR]. But last May, the tsunami of privacy notices sent, often in obscure language, were clearly orientated to protect data controllers, not citizens.
Last October, I invited the CEOs from Facebook, Google and Apple to Brussels for the worldwide conference of data protection commissioners spanning 81 countries and 1,046 delegates. Only Tim Cook came in person and gave a speech which was greatly appreciated. Mark Zuckerberg and Sundar Pichai only appeared via video link. Zuckerberg’s message was that Facebook is ethical and respects its users. But I didn’t notice any substance after this declaration. The implicit message from them both was: “We don’t need to do anything else, because we’re there [compliant] already,” which frankly is not the case. There is a lot of work to be done. Compliance is a continued working progress for everyone.
Information Commissioner Elizabeth Denham recently said that if Zuckerberg is serious about privacy and data protection, Facebook should drop its appeal against the £500,000 ($654,000) fine from the ICO for the Cambridge Analytica scandal. Do you agree?
My good colleague Elizabeth rightly said that if he is serious about it, he should drop the appeal. Yesterday, we had an important discussion within the European Data Protection Board — the network of all data protection authorities. We agreed to better synchronize our efforts around cross border [rulings]. Although Ireland is legal authority for Facebook and Google, we have decided to work on the basis of increased cooperation between the DPAs. So we will meet with the Irish DPA to synchronize efforts, and we’ll analyze the legal obligations to strict deadlines. Ten of the 15 current big ongoing investigations at the Irish DPA relate to Facebook including Instagram and WhatsApp. These investigations have a lot of ground. Synchronization of DPA fines is important.
French regulator CNIL has fined Google €50 million ($65 million). Now the Irish DPA is lead authority for Google’s European HQ, can other DPAs follow?
The Irish DPA will be the lead authority for most cases concerning Google since such cases have a cross-border impact. But other DPAs will in any case be involved as concerned authorities and one decision should be issued, in compliance with GDPR cooperation and consistency mechanisms.”
What is your view of the IAB Europe Transparency and Consent framework, which has stated it is acceptable under GDPR for ad tech companies to bundle consent?
It is too early to conclude. We have had an early debate around it, and I have taken note of the controversial analogies and positions that have been put forward on it. We appreciate that the IAB considers this framework acceptable under GDPR. But we must wait and see before having a consolidated, reliable position on it from all DPAs. It is under analysis.
Lots of requests for consent on websites don’t appear compliant. Many publishers still work on an opt-out basis, rather than default opt-in. Will there be consequences?
Will there be more fines?
The debate around whether to use the carrot or the stick is everywhere. But my mission is to persuade people to be more accountable. To marginalize data protection doesn’t help; in fact, it would be a disaster for businesses to do so. Better to embrace a new culture of data protection, which may require a short-term restriction of appetite to maximize revenues but, in the long term, will ensure trust and confidence among consumers and a business return.
Interpretation of the law has been broad. Can a business claim legitimate interest if their core reason for collecting data is for the purpose of ad targeting?
Yesterday and this morning, we had an important outcome of a long-term discussion about article 6.1B with particular regard to legitimate interest. There are some final changes to fully reflect the discussion because it is so complicated. It’s not so easy to say whether they can or cannot. Legitimate interest is one of the main areas where the industry is looking to discuss further for the ePrivacy Regulation. But there are many areas where there is an abuse of trying to apply legitimate interest versus consent. But we will have a firmer decision on this within the week.
Update: An earlier version of this article stated that Buttarelli was from the European Commission, which isn’t correct. He is head of the European Data Protection Supervisor, an independent data protection authority which monitors and ensures the protection of personal data and privacy when EU institutions and bodies — including the European Commission — process personal data of individuals.
Six months in, News Corp’s ‘Knewz’ aggregator has big ambitions
Knewz had 1.7 million unique visitors in May, according to comScore. Noah Kotch, who is overseeing Knewz, has plans for it to become 'decent-sized competitor' to rival aggregators.
How The Atlantic is moving its biggest festival online
Not wanting to lose out on the content, audience or revenue, The Atlantic is following suit with many other publishers and turning its festival virtual.
Streaming advertising’s tipping point: Viewership has shifted and ad dollars are expected to follow
The leveling of the streaming playing field between TV networks and digital platforms will lead to streaming accounting for a larger slice of ad dollars.
SponsoredA new breed of marketers is reshaping user experience with open-source tools
By Dries Buytaert Brands have displayed rapid innovation over the past few years, building pop-up stores seemingly overnight to test new retail, product and marketing concepts. Now, as a result of COVID-19, something similar is happening digitally, with brands operating on compressed timelines to launch digital-first “pop-up” businesses — except unlike typical pop-ups these are […]
Slack is fueling media’s bottom-up revolution
Publishing bosses loved Slack as a productivity tool, but it's now being used as the central forum for the media's bottom-up revolt.
‘It’s like telling a reporter he can’t have a Twitter account’: Reporters are starting their own newsletters outside of their employer
Salaried reporters and editors see side hustle newsletters playing the same role that blogs once did more than a decade ago.