Following the implementation of GDPR in May 2018, data protection authorities have turned their focus on the digital economy and the exploitation of personal data. In June 2019, the UK Information Commissioner’s Office published its update report into adtech and real-time bidding. One month later, the UK Competition & Markets Authority launched its digital markets study in the context of concerns in the UK and globally, about the market power of the big platforms and their ability to extract large volumes of data from consumers to entrench that power. These studies have presented opportunities to work with regulators and industry, to review business practices, to analyse the impact of regulation on those practices and to find solutions which properly balance the fundamental human rights of privacy, with the freedoms to conduct business and freedom of expression.
The opportunity to work with regulators and industry as mentioned above, to help shape the future of data processing and the protection of privacy whilst maintaining a robust digital economy.
I take inspiration from those with whom I am work on the IAB Transparency and Consent Framework. They possess a deep understanding of business, technology, privacy rights and work with regulators to seek to ensure that regulation is proportionate and will support the digital economy.
I had expected that, in the digital economy, the expansion of the definition of personal data to include personal identifiers would have the most severe impact. I also expected to see the EU’s new e-Privacy regulations to continue to be debated and delayed, while regulators try to gain an understanding of the complexity of the ecosystem. And, this is indeed exactly what happened in 2019.
The enforcement challenges faced by regulators trying to control the abuse of data privacy in a complex ecosystem, may result in the interpretation of regulation in a manner which would hugely detrimental to smaller companies. This could leave only the large platforms, with the industry reach, the vertical business structure and the financial and technical resources able to comply, thereby increasing their market power. Regulators must be cautious so as not to further distort the market in favour of these big platforms.
Industry and trade bodies across UK, Europe and US, are working to find collaborative industry solutions to address the privacy concerns of individuals and regulators, such as the DMA, IAB and AOP. Industry codes of practice are likely to be developed.
There needs to be more consumer education about the good and bad of data processing online, better facilitation for individuals to be able to control the use of their own personal data and a better understanding that not all data processing online is bad, eg, content personalisation to improve user experience, fraud prevention and brand protection.
Current technology needs to process personal data to deliver the digital services: users’ unique identifier, IP addresses, cookie IDs, browser and device type, location and language etc. The same information can be used for other purposes, such as targeted advertising (which may not be proportionate), as well as brand protection and fraud prevention (which is beneficial and proportionate).
It is extremely difficult to prevent and segregate appropriate use of specific personal data from inappropriate use of the same personal data in the wider ecosystem. A generally accepted industry framework, voluntary code or ISO standard is required.