Belgian investigation said to find real-time-bidding ‘infringes” GDPR; refers for litigation follow up in 2021

Irish-based privacy advocate Johnny Ryan said this week that Belgian data-protection authority investigators think the programmatic  advertising ecosystem used by Google and sanctioned by the Interactive Advertising Bureau (IAB)  infringes the EU’s General Data Protection Regulation (GDPR).

He says the Belgian Data Protection Authority (APD-GBA) is referring its investigatory findings for litigation followup in early 2021. It’s findings, which Ryan selectively discloses — which he said are not yet public — concluded “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects.”

Ryan works for the nonprofit Irish Council for Civil Liberties and he formerly was with Brave Inc., the U.S. web-browser maker.  The Belgian proceedings are the result of a complaint Brave brought in 2018.  It focuses on the practice called “Real Time Bidding,” as well as the “Transparency and Consent Framework” (TCF), devised by the IAB Europe

The Belgian DPA “concluded that the IAB Framework allows companies to swap sensitive information about people even when this has not been authorized,” Ryan writes in an Oct. 16 blog post headlined, “Data Protection Authority investigation finds that the IAB Transparency and Consent Framework infringes the GDPR.” 

IAB Europe responded in a statement that the investigatory finding “has no binding effect with regard to any breach of the law by IAB Europe.”  It called for “an opportunity for a constructive, good-faith dialogue on how the TCF can be improved . . . . “

TechCrunch’s Natasha Lomas picked up Ryan’s blog post and her story is headlined “IAB Europe’s ad-tracking consent framework found to fail GDPR standard.”  She writes: “A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.” She writes that the still-private report was “reviewed by TechCrunch.”

Both Ryan and Robin Berjon, a data-policy exec at The New York Times, Tweeted extensively about the Belgian investigators’ conclusions. Also commenting was Jason Kint, CEO of Digital Content Next, a U.S.-based quality-digital-publisher trade group.

Berjon called the Belgian action good for publishers. “Broadcasting personal data also means broadcasting audience data,” Berjon Tweeted about the RTB system. “In turn, this leads to devalued audiences and lower revenue since the adtech companies in the RTB system can target high-value news audiences without paying news outlets.”

EU PRIVACY 

• EU planning tougher regulation for ‘hit list’ of big tech firms – FT | Reuters Staff
• Ryan says Brexit Britain Is Failing EU’s Data-Privacy Test | Stephanie Bodini, Bloomberg Technology | Related story 
• Irish high court agrees to review stalled Schrems Facebook complaint | Natasha Lomas, TechCrunch.com |  Schrems’ version 
• EU data protection board adopts streamlined procedures | via IAPP Daily Dashboard | EDPB’s news release 
• German lawsuit accuses Amazon of breaking EU privacy law | Vincent Manancourt, Politico.eu
• A legal examination of Schrems II impact on data transfers | Vin Bange & Debbie Haywood, TaylorWessing Global Data Hub

ADVERTISING TECH / ID 

• Ad-tech group warns against use of  CCPA service-provider loophole | Wendy Davis, DigitalNewsDaily/MediaPost.com | Related blog post 
• Agencies, brands, publishers warned: Service provider approach risky | Leigh Freud, Network Advertising Initiative
• A plea to open ad-tech software in bid for transparency | Erick Fang, TechCrunch.com
• OPINION: An ad industry veteran likes Universal ID approach of TransUnion acquisition of Tru Optik | Bill Harvey, via MediaVillage.com
• Zeotap joins Prebit with ID+ universal ID; Publicis on board also | MarTechSeries.com
• Social contract for the digital age: Problems, solutions | Don Tapscott, Coindesk.com
• Digital identification must be designed for privacy and equity | Alexis Hancock, Electronic Frontier Foundation
• Vendor LoginRadios touts Federated SSO cloud servicer | LogInRadius Inc., via EINPressWire
• Google Analytics gets privacy upgrades ahead of third-party cookies halt | Allison Schiff, AdExchanger.com

BROWSERS AND PRIVACY CONTROL

• Why publishers are backing the sequel to ‘Do Not Track’ | Lara O’Reilly, DigiDay.com
• Global Privacy Control after DNT; will it work this time? | Scott Ikeda, CPOMagazine.com
• Privacy push could stop some annoying website pop-ups and online tracking | Stephen Shankland, CNet.com
• Global Privacy Control : Latest attempt to choose whether you want to be tracked | Thomas Claburn, TheRegister.com
• Global Privacy Control (GPC) explained in 500 words | Martin Brinkmann, GHacks.net
• Announcing Global Privacy Control in Privacy Badger | Bennett Cyphers, Electronic Frontier Foundation

Legal think tank suggests third-party “accountability agent” could certify and  jump start U.S. privacy rules

A trio of privacy lawyers has an idea for jump-starting a uniform privacy framework in the United States without waiting for Congress to act — form a nonprofit certification organization for creating and enforcing model privacy policies.  The idea appears to be similar in part to the work of the Information Trust Exchange Governing Association (ITEGA), publisher of this email blog.

The “Concept Proposal” is outlined by attorneys Markus Heyder, Sam Groga and Matthew Starr in an eight-page white paper published to the web on Sept. 26 without fanfare.  The three practice law at the Washington, D.C., office of Hunton Andrews Kurth LLP in what it calls its “Centre for Information Policy Leadership,” a corporate-member think tank.

“There is a lot of interest among our member companies,” Heyder told Privacy Beat this week. “We want to see if there is enough interest among federal government stakeholders and member companies to build a working group and develop this code.”

The nonprofit third-party organization would manage certifications “enabling enforcement or regulatory bodies with otherwise-limited investigative and enforcement resources to leverage certifying bodies’ review and monitoring of organizations’ compliance with the code.”  They term the third-party certifier an “accountability agent.”

Currently only California, Maine and Nevada have digital data-privacy laws in place, they say, and the European Union’s General Data Protection Regulation (GDPR) still lacks many implementing codes or certification requirements. The National Conference of State Legislatures tracks privacy proposals.

The lawyers  suggest a “multistate privacy interoperability code of conduct or certification” as a way small businesses coil more easily comply with diverse state privacy requirements. Emergence of and compliance with such a code could increase accountability, privacy protection and consumer trust, they write.

Noncompliance could ultimately be legislatively defined as an unfair or deceptive business practice and thus prosecuted by the U.S. Federal Trade Commission, they say.  They also suggest that fast development of such an interstate code could “mitigate the slow pace at which the GDPR codes and certifications are being developed” and serve as a model for them.

WASHINGTON WATCH

• Feds may target Google’s Chrome browser for breakup | Leah Nylen, Politico.com
• COLUMN: Congress Gets Ready to Smash Big Tech Monopolies | Matt Stoller, Substack.com
• FCC chairman says he will move to “clarify” application of Section 230  | Lauren Feiner, CNBC.com
• FCC chairman aims to regulate how websites handle users’ speech | Wendy Davis, MediaPost.com
• Scotus Thomas: Is Section 230 applied to broadly to platforms? | Zachary Evans, NationalReview.com/

STATEHOUSE BEAT 

• Vermont lawmakers approve ban on facial recognition tech | WCAX News Team
• Biometric privacy regulation eyed by Pennsylvania | Jeffrey Rosenthal & David Oberly, Law.com
• Washington Privacy Act: Re-introduced for a third time | Sarah Bruno & Matt Gluschankoff, Reed Smith law firm

WORLD PRIVACY 

• China state media touts first law on personal data protection | Cao Siqi & Chen Qingqing, Global Times (state-run media)
• Africa to harmonise laws for data protection, digital economy | Gloria Nwafor, Guardian.ng
• Singapore rolling out national digital ID amid privacy concerns | Scott Ikeda, CPO Magazine

Industry has until Oct. 28 to comment on latest CCPA rules easing “opt-out” for consumers; Prop 24 news

In an unexpected development, California Attorney General Xavier Becerra has proposed additional tweaks in language enforcing the California Consumer Privacy Act (CCPA) designed to make it harder for websites to fool or challenge consumers about exercising their privacy rights.  Comments on the proposed wording changes are due by Oct. 28.

Becerra’s regulations have already been revised twice since the law took effect in early 2020. Enforcement kicked in recently, but there have been no high-profile announcements by Becerra yet of any actions.

“Well done,” Tweeted Ashkan Soltani, one of the principal authors of language which became the CCPA and a proponent of Proposition 24, a second digital-privacy initiative on the Nov. 3 California state ballot. Soltani’s Tweet lists ways in which the right of consumers to “opt-out” of data sale or sharing can’t be manipulated.

Meanwhile, with just over two weeks before California voters consider Proposition 24, the California Privacy Rights Act, news organizations are stepping up coverage. By far the best summary of the politics and positioning on the proposed law is authored by reporter Sam Dean of the Los Angeles Times. A support/opponent fault line continues to be around whether websites, including publishers, should be allowed to financially or service-wise penalize a consumer for refusing to share their personal data.

CCPA ENFORCEMENT 

• CHART (above): Customer consultant creates pie chart of GDPR/CCPA overlaps | CompliancePoint.com blog
• Becerra regulations would outlaw wording buttons which hoodwink | Kieren McCarthy, TheRegister.com
• Newly Proposed CCPA Opt-Out Rules Would Ban Buried Links, Misleading Language | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Comments on CCPA regulation changes due by Oct. 28 | Brandon Robinson, Blog4Good/LexBlog.com
• Four regulatory mods proposed by Becerra for CCPA | Eric Rosenkoetteer, Maurice Wutscher LLP law firm
• Becerra proposes reg changes to off-line notice and request submissions | Bethany Gayle Lukitsch, McGuireWoods LLP law firm
• CCPA enforcement rules evolve in confusing fashion? | Philip N. Yannella & Katie Morehead, LexBlog.com
• New regs requires “easy” and “minimal steps” opt-outs | David Stauss, Husch Blackwell LLP law firm
• LINK TO MULTIPLE ADDITIONAL STORIES
• Why marketers must pay attention to CCPA | Rohail Abrahani, DataVersity.net/
• Businesses prepare for fall surge in data-subject requests | Stephanie Miles, StreetFightMag.com

PROP 24 COUNTDOWN

• With Prop. 24, Mactaggert hopes to plug “service provider” and “sharing” loopholes | Sam Dean, LATimes.com
• “Pay for privacy” description of Prop24 causes some opposition | Scott Kieda, CPO Magazine
• Privacy needs a reboot, and Prop24 might just provide it | Owen Thomas, SFChronicle.com ($$$)
• OPINION: Columnist for  92 California papers likes Prop24 | Thomas Elias, CaliforniaFocus.net
• California’s lieutenant governor endorses Prop 24 ahead of ballot | Eleni Kounalakis via Californians for Consumer Privacy
• Harvard author/expert’s op/ed: Prop24 regains privacy rights | Shoshana Zuboff, MercuryNews.com