It’s been a year since the roll-out of the General Data Protection Regulation, yet big questions still linger around what the right consent strategy looks like, whether legitimate interest is enough to cover a business and whether more fines are coming.
Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply.
Excerpts lightly edited for clarity and flow.
One aim of GDPR was to redress the imbalance of power between big tech titans and consumers, and make them accountable for how they use data. In light of that, what do you make of Google’s and Facebook’s efforts to comply with GDPR?
I don’t believe they are orientated to introduce big changes in terms of a balance of power. In 2017 we received a lot of declarations from businesses including Google, saying they were ready to respect it [GDPR]. But last May, the tsunami of privacy notices sent, often in obscure language, were clearly orientated to protect data controllers, not citizens.
Last October, I invited the CEOs from Facebook, Google and Apple to Brussels for the worldwide conference of data protection commissioners spanning 81 countries and 1,046 delegates. Only Tim Cook came in person and gave a speech which was greatly appreciated. Mark Zuckerberg and Sundar Pichai only appeared via video link. Zuckerberg’s message was that Facebook is ethical and respects its users. But I didn’t notice any substance after this declaration. The implicit message from them both was: “We don’t need to do anything else, because we’re there [compliant] already,” which frankly is not the case. There is a lot of work to be done. Compliance is a continued working progress for everyone.
Information Commissioner Elizabeth Denham recently said that if Zuckerberg is serious about privacy and data protection, Facebook should drop its appeal against the £500,000 ($654,000) fine from the ICO for the Cambridge Analytica scandal. Do you agree?
My good colleague Elizabeth rightly said that if he is serious about it, he should drop the appeal. Yesterday, we had an important discussion within the European Data Protection Board — the network of all data protection authorities. We agreed to better synchronize our efforts around cross border [rulings]. Although Ireland is legal authority for Facebook and Google, we have decided to work on the basis of increased cooperation between the DPAs. So we will meet with the Irish DPA to synchronize efforts, and we’ll analyze the legal obligations to strict deadlines. Ten of the 15 current big ongoing investigations at the Irish DPA relate to Facebook including Instagram and WhatsApp. These investigations have a lot of ground. Synchronization of DPA fines is important.
French regulator CNIL has fined Google €50 million ($65 million). Now the Irish DPA is lead authority for Google’s European HQ, can other DPAs follow?
The Irish DPA will be the lead authority for most cases concerning Google since such cases have a cross-border impact. But other DPAs will in any case be involved as concerned authorities and one decision should be issued, in compliance with GDPR cooperation and consistency mechanisms.
What is your view of the IAB Europe Transparency and Consent framework, which has stated it is acceptable under GDPR for ad tech companies to bundle consent?
It is too early to conclude. We have had an early debate around it, and I have taken note of the controversial analogies and positions that have been put forward on it. We appreciate that the IAB considers this framework acceptable under GDPR. But we must wait and see before having a consolidated, reliable position on it from all DPAs. It is under analysis.