Interesting times ahead for marketers and privacy professionals part 2

Global privacy regulations such as the GDPR, CCPA and ePrivacy, as well as updated guidelines from the DPC, ICO and CNIL will have a profound effect on marketing activities. Faced with the legal and financial ramifications of ignoring a consumer’s right to privacy, marketers must rethink their data collection, use, and retention methods.

Arekibo recently hosted a webinar on that topic with Efrain Castaneda, Privacy Counsel at OneTrust. Efrain shared some interesting thoughts about how cookies and tracking technologies can be used by companies in practice while remaining compliant with global privacy regulations. Efrain joins us again today with the second part of a two-part series, in discussion with our Head of Strategy Fergal McHugh to dive into some of these issues in more detail. Read the first part here. This conversation took place on 21st of September 2020, and you can watch the recording here.

Fergal: So, thinking about the Privacy Sandbox I understand there are couple of relevant trends in terms of where EU is going with privacy legislation, they is going to be more interest in groups rather than just individuals, so bundling records even in an anonymous way may be problematic in the future. So that’s something that seems like in many ways we just don’t know, when you look at the Privacy Sandbox, even if though it works in an anonymized way, the power that it offers may create new legislative hurdles. It seems like there is probably a chance that whatever Google come out with could end up requiring another shift in how the EU legislates these kinds of activities. And also, if it is successful it looks like it might put us back in the situation where yet again — and I suppose this what is Google wants — from a Marketers perspective Google are controlling the field of play. The Privacy Sandbox will become one of the only marketplaces through which you can effectively target with users. So, it might look like we are on the brink of new opportunities, life without 3rd party cookies, an open future, and then it turns out with Google holding all the cards yet again.

Efrain: And that’s what it seems like to me as well. They [Google] should be working together with the legislators around Europe because, well, the technologies are advancing so fast, that sometimes I think we are regulating things in way, that as you said earlier, is just giving the illusion of control. What are we not regulating the algorithms for example? I think privacy begins not when users consent it begins way before that when you are developing a new technology. Even if you are massive company and really secretive you have to be a bit more open about what you intend to do or else, we are going to have a new E-Privacy regulation that is already outdated. I mean it hasn’t even come out of it, and maybe the trialogue on it is already outdate.

Fergal: There was one other topic I wanted to bring up in the remaining time. I wanted to ask you about Schrems II judgment from the CEUJ invalidating the US Privacy Shield and what that is going to mean, especially in the cookie world?

Efrain: Well in the cookie world, that’s even more complex because those transfers are seamless. If you are embedding social networks, most likely social networks from the US you have all that data pulled by pixels and cookies moving across. And those transfers, in fact transfers of any magnitude, are. since July 16th, 2020 no longer allowed under the Privacy Shield. So, in reality we should all be relying on other safeguards, including standard contractual clauses. However, the standard contractual clauses are still in limbo when it comes to the US. It was clear from the judgment that we could not ensure an essentially equivalent level of protection because you have laws in the U.S which give intelligence communities sweeping powers. They can tap the internet cables before they reach land, so they are still in international waters. In returning a decision like this I think CEUJ mean business. They invalidated — with no grace period — a Privacy Shield which was the only mechanism to have some kind of accountability. And even though we didn’t have a redress mechanism there was some level of accountability through the U.S DOC. Also, the DOC has come out and said that even after the decision, companies that were self-certified under the Privacy Shield should continue to maintain that, because they need to keep respecting privacy even if the issue now goes a lot deeper than that.

So, all of this has left us in a state of permanent doubt. I was watching the LIBE committee at the European roughly a week ago parliament. You had a few players involved there: the EDPB, the European Commission, you had the President of the LIBE committee and then you had Max Schrems. And it's not clear how this is going to get managed. The key problem is that Max Schrems is highlighting the fact that you have two opposing laws, two opposing legal systems, the wider EU dignitarian system where privacy is a core fundamental right and it is enshrined in the treat of Lisbon, right? And then you have a train coming in the opposite direction, US law, where privacy isn’t even a fundamental right, it’s not in their constitution, it’s in the penumbra between amendments, but it's not clear cut, not in stone. In the US you can even sell data, it’s a more liberal model. You have two trains about to collide you put the Privacy Shield between them, they still collide, and they wreck what’s in the middle. We can’t expect another mechanism like that. And if you put a new mechanism like that in place, we will be playing the same game, Max Scherms will complain again and in two years it will be invalidated again.

In the meantime, what we can do is look at Standard Contractual Clauses, but they are not sufficient for the U.S, because of this problem with adequate levels of protection on their side. Therefore, we need to think of other safeguards, and this is something that the EDPB said explicitly during the LIBE committee. But they have no idea what these might be, and they are still trying to define alternatives. Personally, I wonder. Why, if this has been happening for the past 7 years (if you count safe harbor) has the E.U not thought of pinning down the potential for safeguards coming from Article 46 besides the Standard Contractual Clauses, the Binding Corporate Rules, the Derogations. Most people agree that encryption is central to this, but that’s not enough because of the adequacy problem. My own suggestion is to do what needs to be done via remote access. It’s also a transfer, but you are also reducing the risk of the intelligence community tapping the cables, it is a US counterpart coming into an EU tenancy to see the information, so there is a disclosure, it counts as data transfer, but not being physical there is less of a risk of the data ending up in the hands of the NSA, or worse private companies.

Fergal: And just in terms of the scale of this. I mean this affects nearly every website with some kind of social media plugin, anybody using Google analytics, any of these common garden tools – they are presumably going to be impacted by this in some way? We are using services with these “seamless” data outflows which previously had some kind of structural guarantee which have now been withdrawn. Is that the scale we are talking about here?

Efrain: I think so. I even think because of the situation now if before there was a risk in theory at least of becoming a joint controller with the partners you use on your websites, Google for analytics, Facebook for Facebook connect and so on. Now, with the issue of these companies being based in the US, Facebook, for example, being vocal about not stopping their transfers anyway, you run the risk of becoming a joint controller with one of them, and I am not sure if you really want to be joint controller with those behemoths. So yeah, I think that’s the scale. It’s still to be seen to what extent you are responsible, there is always a way around these things. If I have a website and I want to user Google’s analytics cookies — not in Ireland, let’s say somewhere it’s not specific that you must get consent, Spain — maybe if I don’t subject Google Analytics to consent from the user and this data is transferred to the US, it’s quite likely that I am going to become joint controller and I am responsible for that, because I decided that there was a legitimate interest, and I am enabling it. Whereas if I tell every user that they have to consent, and not just that, that they will get an enhanced experience, but their data will likely be transferred to the data centers in the US, so as long as you clear, all your left with is compliance, mere compliance, so when the authority comes along you tell them we have been doing what you told us to do with whatever was left after the Privacy Shield, even for cookies.

Fergal: But that does seem kind of messy. Being told on the one hand that this mechanism has been invalidated, but you are not really left with any alternative. Presumably, there might be a really strict interpretation here which is Facebook won’t stop transferring the data I should just stop using Facebook? It might be the only way I can keep my hands actually clean?

Efrain: Exactly, I mean in the end your enabling, we are all enabling Facebook by using it. In a way I think as users, that’s part of the onus shifting to the user, not just consent, but we have to take back control one way or another, maybe that would mean closing Facebook accounts because we don’t agree to that. Those who don’t, there are some people who are happing tell Facebook what they did, what they had for lunch but…

Fergal: But pushing this a little further it seems that if I have a Facebook component on my website, I follow all the required practices around disclosure that actually some of this data is going to the US, and by the way there is no mechanism that actually safeguards that, because that has been invalided. And if I do that I am either not acquiring consent in good faith, but or I am acquiring consent for something I know – and I am telling the user I know this — that I should not be doing. It seems like a complete mess — it seems like I am wrong whatever way I go. It seems like I just need to not do this.

Efrain: Exactly we are in the dark right now. We are left second guessing the authorities. If they see that you have been responsible enough one hopes they will be lenient. I want to think that. But it all comes down to, now, when things are this raw, well you are left with just a checkbox of compliance. You gather all the elements you need to gather, to demonstrate what you need to demonstrate that you are being as responsible as possible, even if you are using Google Analytics which is funneling data to the U.S , even then you could prove that you are limiting the kind of data you are gathering and making sure its sufficiently anonymized. I am not a tech guy so you would need to see about that. But what my hope is that this situation will fuel in house technological developments, by in-house I mean European technological developments, where we don’t have to rely on U.S technology for everything. When people ask me what I think the best approach to analytics is I say, develop your own, and then you have a first-party analytics cookie!

Fergal: That is an interesting idea and very welcome one, that there are opportunities here for what we might call indigenous R & D and innovation here! Efrain, thank you very much for your time and joining me for this discussion.

Efrain: Thank you!

Are you interested in finding out more? Register now for our upcoming webinar with OneTrust about how to get compliant, stay compliant and about the future of digital marketing.