Experts understand the force of the sentence: “In relation to national law, the GDPR applies as a matter of priority to all automated processing of personal data as of May 25th, 2018 […]”. With it, the Düsseldorfer Kreis – the conference of the independent federal and state data protection authorities, on April 26th, 2018 – confirms a regulatory framework – and once again surprises an entire industry. Just as, for example, the financial industry long underestimated the determination of the regulation, the media industry seems to have underestimated until now the inherent connections between technological opportunities, changing regulatory conditions and the associated changes in decision-relevant parameters. The industry generally assumed that the previous regulations of the Telemedia Act would remain in force until the new ePrivacy regulation came into force, or that processing could at least be based on the so-called legitimate interest according to Art. 6 para. 1 lit. f) GDPR, i.e. that the processing of personal data was covered by the “legitimate interest” of the advertiser or website operator. At the same time, in-house lawyers advised the management boards that the interpretation – if to be applied at all – should be mitigated and avoided, for example through supplementary lobbying measures referring to the preservation of jobs.
Now, however, with a few exceptions, media companies must promptly and comprehensively switch their consent management as well as data usage to an “opt-in”. In addition to contract data processors, media companies and marketers are particularly affected: their business model is largely based on using personal data for the placement of personalized offers across domain and session boundaries.
Illustration 1: Requirements resulting from GDPR (and ePrivacy regulation)
The precedence of the GDPR is therefore connected with changes compared to the previous structure:
The result is nothing less than a drastic break within the area of data protection and informational self-determination. In particular, as of May 25th, positive opt-in votes by users with regard to the use of their data will be required. The use of tracking mechanisms, for example for the creation of user profiles, likewise requires informed consent in the form of a clear confirmation by the user, as does data processing.
Illustration 2: Change of paradigms within data protection through GDPR
If the user’s consent in accordance with the requirements and principles of the GDPR is not available, reduced options for action and stricter sanctions follow in a cascade. Although consents already obtained continue to apply, e.g. for sending newsletters, it can be assumed that in most cases no active consent for the processing of personal data has been obtained in advance. As a consequence, the corresponding collected data may no longer be retained, as in the case of consents that do not comply with the GDPR. This strikes at the companies’ vital lifelines: the missing data will make it impossible to personalize offers. Estimates of the extent of this loss amount to an annual drop in sales of up to 30% in the media and marketing industry. It could take months to rebuild the relevant data and analyses – it would take years to rebuild lost trust after published violations.
Another factor, although an indirect one, is exacerbating the situation: Google, for instance, requires its partners to obtain the consent of users according to GDPR in order to use Google services. If consent is not given, companies may no longer be allowed to use Google tools and platforms. That would be another harsh blow to the companies’ ability to act. They would either have to focus on the technology base of their main competitor in media marketing or enter into high-risk technology investments, whose success depends on the formation of critical masses and the development of network effects. This is all the more true as Google and co. anticipated this development a year and a half ago and are well prepared in the current situation.
In view of the impending loss of the core competence of personalized placement of offers, the task and its urgency are understood: A marketable solution must be formulated as soon as possible for the media and marketing industry in order to obtain users’ consent for the collection, transmission and processing of personal data, which is earmarked for this industry.
Currently, companies in the media and marketing industry are pursuing different approaches. (1) Individual solutions separately integrate an opt-in layer for individual websites in order to obtain the consent of the users. In contrast, (2) group-specific solutions organize the consent of individual users for several domains. Finally, (3) generic solutions are applied directly to the management of the user’s accesses. Each of the approaches formulates a particular solution for obtaining consent. However, none of the solutions harmonizes regulatory requirements, functional requirements and technical implementation options in a marketable manner: The range of the individual solutions is too small because no web networks are integrated; group solutions focus solely on the interests of the group companies; the generic solutions pursue a cross-industry approach, which is why they do not fully cover the specifics of individual industries or rather do not produce the necessary transparency with sufficient accuracy.
For the urgent task of creating a GDPR compliant solution for obtaining user consent, three workstreams must be initiated from our perspective with immediate effect:
With the entry into force of the GDPR on May 25th, 2018, one of the most drastic breaks for data protection and informational self-determination becomes a reality. In concrete terms: the paradigm of an extensive free availability of usage data in Europe is being replaced by that of active availability and control of users over their data, at least in the target state. This development is to be welcomed from civil society’s perspective; the concomitant adjustment processes must be actively accompanied.
Unlike other industries, media companies are particularly affected by the GDPR: the collection, transmission and analysis of data forms the basis for the placement of personalized offers across domain and session boundaries, which in turn forms the core of their business model.
Given that media companies and marketers will have developed solutions only partly in time, they are faced with the following choice: to continue previous patterns of action of a hierarchical culture with high legal competence and little technical expertise – or to pursue a trust- and competence-based approach, taking into account network policy arguments and network strategic horizons, in order to be able to participate actively in new paradigms economically as well.
[German only:] Position of the Conference of Independent Data Protection Authorities of the Federal and State Governments, Düsseldorf, 26 April 2018: https://datenschutz.saarland.de/fileadmin/datenschutz/dsk_entschliessungen/95/Positionsbestimmung-TMG.pdf
Federal Court of Justice
[German only:] Press release, No. 78/2018: Federal Court of Justice: Offer of the AdBlock Plus advertising blocker not unfair: http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=2018&nr=82856&linked=pm&Blank=1
[German only:] „Wie Google deutsche Vermarkter mit vorauseilenden Opt-in-Forderungen quält“, in: http://www.horizont.net/medien/nachrichten/Datenschutz-Wie-Google-deutsche-Vermarkter-mit-vorauseilenden-Opt-in-Forderungen-quaelt-166612
IAB Europe 2018, https://www.iabeurope.eu