My visitor on this episode of the Cellular Dev Memo podcast is Mikołaj Barczentewicz, an knowledgeable on EU digital privateness legislation. Mikołaj is a legislation professor at, and the analysis director of, the Legislation and Expertise Hub on the College of Surrey in the UK, and he has analysis affiliations with the Stanford Legislation College and the College of Oxford, from which he acquired his Ph.D.
I discovered of Mikołaj after studying a bit he co-wrote titled GDPR Choice In opposition to Meta Highlights that Privateness Regulators Don’t Perceive ‘Necessity’. I invited Mikołaj onto the podcast to debate the current spate of choices within the EU associated to digital privateness, together with:
- The Irish DPC’s ruling in opposition to Meta over the corporate’s use of the contractual foundation for processing person knowledge associated to customized promoting;
- The French CNIL’s current sanctions of Apple and Voodoo Video games;
- The invalidation of the EU–US Privateness Defend.
Moreover, Mikołaj and I focus on a variety of extra summary matters:
- Consent as a mechanism for accumulating and processing first-party knowledge within the EU;
- The distinction between the need and bonafide curiosity bases below GDPR;
- The dynamics between the European Knowledge Safety Board (EDPB) and the information safety businesses inside the varied EU states;
- The way forward for trans-Atlantic knowledge flows.
A lightly-edited transcript of our dialog might be discovered under. As at all times, the Cellular Dev Memo podcast is obtainable on:
Podcast Transcript
Eric Seufert:
Mikolaj, I’m so completely happy to talk with you right now. I recognize you taking the time to talk with me. We’re going to have, I’m certain, a really attention-grabbing dialogue on the subject of European knowledge privateness laws, however earlier than we try this, I’d ask you to introduce your self to the viewers in your individual phrases.
Mikołaj Barczentewicz:
Hello. I’m Mikolaj Barczentewicz. I’m an instructional legislation professor on the College of Surrey. I’m additionally a senior scholar on the Worldwide Heart for Legislation and Economics, and I work usually on tech legislation points and significantly on EU privateness legislation.
Eric Seufert:
Nice, and that is simply out of curiosity, other than residing in Europe, being from Europe, what triggered your curiosity on this subject? What made you wish to pursue that?
Mikołaj Barczentewicz:
On the whole, I’ve at all times been fascinated by tech, even longer than I’ve been fascinated by legislation. I was a coder. I labored briefly on this broader internet trade as an online developer within the mid-2000s after which, I went to legislation faculty. So I stored that curiosity and now I get to show the authorized features of the identical factor that I knew from a distinct facet earlier than.
Eric Seufert:
Fascinating, so that you sort of have extra hands-on tactical expertise in the way in which these merchandise are constructed, the way in which that customers work together with them, and I believe that’s in all probability a really uncommon path for folks to take. Have you ever ever met anybody else that has pursued that path?
Mikołaj Barczentewicz:
I don’t suppose so. I imply, there are some folks like that, however not too many. Normally, attorneys and legislation lecturers simply have straight authorized paths, a minimum of in Europe. We’re a bit totally different than America.
Eric Seufert:
From my expertise, most attorneys sort of knew they needed to be a lawyer from age eight or no matter and by no means actually strayed from that path, however that’s actually fascinating.
So the explanation I reached out to you was that I very a lot loved an article that you just wrote and printed final month titled GDPR Choice In opposition to Meta Highlights That Privateness Regulators Don’t Perceive Necessity. Now, the explanation I needed to have you ever on the podcast is that it’s not simply regulators that don’t perceive necessity. I don’t perceive necessity, and I believe lots of people that work within the digital promoting area don’t perceive necessity, and I believed after studying your very instructional piece, I’d invite you onto the podcast to clarify to the digital promoting operator viewers, what’s necessity?
Mikołaj Barczentewicz:
Wonderful. Thanks for having me on.
Eric Seufert:
Nice. So I’ll begin with the topic of your piece. I ought to have revisited it proper earlier than the podcast recording, however I’ll begin with, in any case, the Irish DPC’s current sanction [of Meta] associated to the contractual foundation. In order that was associated to the adverts platform, not … [the Irish DPC] had one other choice that was associated to WhatsApp particularly, however the one I’m speaking about right here was that the Irish DPC fines Fb, I believe it was like a record-breaking wonderful, one thing like 300 one thing million euros, 400 one thing million {dollars} associated to their use of the contractual foundation for accumulating and processing person knowledge for the needs of adverts concentrating on. On this case, it was first-party knowledge. It was the information that’s generated from customers’ interactions that occur on Fb, that occurred on Instagram.
This was the topic of the sanction, and I believed this was a really attention-grabbing case as a result of … I’ll ask you to elaborate as a result of I’ve a layman’s understanding right here, but it surely was a really attention-grabbing case from my perspective for 2 causes. One, that the Irish DPC initially disagreed with the notion that Fb was violating privateness legislation, after which, they pushed again on the EDPB, and the EDPB mentioned, “No, you will need to impose this wonderful,” and I wish to get into these dynamics too.
The second cause I discovered this fascinating was that this was associated to first-party knowledge. Now, everybody within the digital promoting area has turn out to be very aware of App Monitoring Transparency, Apple’s coverage which attracts a really vivid line between first-party knowledge and third-party knowledge.
On this case, the sanction was over the usage of first-party knowledge, and I believe that’s one thing that not quite a lot of digital promoting operators and even large tech corporations perceive. So, I’d love to simply, to start with, possibly you might sort of present a greater background on this case than I simply did.
Mikołaj Barczentewicz:
So right here, it’s in a way, one case however the Irish Knowledge Safety Fee issued two choices in opposition to Meta Eire. So one was with respect to Fb and one was with respect to Instagram. These choices are largely equivalent, nearly paragraph-for-paragraph, simply with some particulars modified due to the totally different traits of the companies however sure, as you mentioned, they did add as much as a 400 million Euro wonderful and likewise to maybe a behavioral change on Meta’s half, which I’m unsure if it occurred, as a result of what Meta used to do since 2018 I believe, and maybe nonetheless does, was to say that the lawful foundation on which they course of a person’s private knowledge for private promoting functions — that this lawful foundation below the GDPR is in contractual necessity.
So it stems from the contract between a person of Instagram, between a person of Fb, and Meta. This choice which the Irish Knowledge Safety Fee was pressured to take, says that it’s illegal for Meta to depend on this lawful foundation. It doesn’t say strictly talking that they can’t do behavioral or customized promoting in any respect. It’s simply that they can’t depend on this specific foundation for it.
Eric Seufert:
Proper, and so for the listeners who aren’t completely conscious of what the GDPR stipulates as being authorized bases for accumulating and processing knowledge, there are six and it seems like … and proper me if I’m improper right here, but it surely feels such as you’d somewhat use any of the 5 earlier than you need to go to consent, proper? As a result of when you go to consent, you will see some proportion, in all probability some massive proportion of customers decide out. So that you’d in all probability somewhat use any of the opposite 5 earlier than you resort to consent. Are you able to simply stroll listeners by what these are? I think about you in all probability know them off the highest of your head. Should you don’t, we will edit this out, don’t fear about it, however I think about you in all probability do.
Mikołaj Barczentewicz:
That’s okay and I do have Article Six of the GDPR simply in entrance of me. In order you mentioned, we have now letters A to F, and the primary one, the primary lawful foundation, is consent, as you mentioned. What we even have is necessity, contractual necessity. Now we have professional pursuits of the enterprise that’s processing the information or another third occasion, and I believe that these two — contractual necessity and bonafide pursuits — are those which are most engaging for a number of causes, and I’m certain we’ll speak about that in additional element. Then we have now another ones that are much less prone to be relevant, a minimum of in enterprise circumstances as a result of we have now the need to guard very important pursuits of the information topic or one other individual, and efficiency of a process carried out within the public curiosity, and compliance with a authorized obligation.
These cowl some makes use of and for instance, in case you have a look at Meta’s privateness coverage, they, I believe, depend on all of them for varied issues, however for enterprise functions, you’d normally wish to depend on necessity or professional pursuits.
Eric Seufert:
Bought it. So, the GDPR, I believe particularly from an American perspective, but in addition from the sort of litigation lens — and once more, right me if I’m improper right here — but it surely feels inscrutable. It feels inscrutable. You’re both an knowledgeable or nothing, proper? What I’ve discovered is, it’s very arduous to dabble and get a high-level legitimate mental grasp of this. You both delve completely into it or your grasp is so superficial that it’s ineffective and doubtlessly harmful. So I believe there are a few issues that I’d like to have you ever unpack right here simply to set the baseline, and I do know even setting the baseline may in all probability take up the entire hour and a half, however with some sort of consideration paid to time. So why are we even speaking about Eire?
Nicely, there’s a provision within the GDPR, as a result of clearly Meta is predicated in California, that’s their headquarters. There’s a provision within the GDPR referred to as the One Cease Store, and it says, “Okay, properly what we did with GDPR was, we tried to unify a bunch of privateness regulation throughout the EU member states, and we wish to give corporations the flexibility to simply work by one level of contact, one privateness regulator.” Nicely, it so occurs that the majority [non-EU companies] have the Irish DPC as their [EU] privateness regulator. Why? As a result of most overseas or non-European headquartered corporations arrange their EU headquarters in Eire. Why? As a result of it’s very tax-friendly, but in addition simply usually very business-friendly.
In order that’s why you see Meta Eire, Apple Eire, Amazon Eire, TikTok Eire, they usually all, when these points come up, when the GDPR points floor, they’re coping with the Irish DPC. Are you able to simply discuss to me somewhat bit concerning the historical past there and why that’s essential?
Mikołaj Barczentewicz:
So what all you mentioned is 100% right. Perhaps additionally they just like the climate. I don’t know. I hear Dublin might be good.
Eric Seufert:
Appears unlikely, however certain, possibly.
Mikołaj Barczentewicz:
Sure, so the GDPR changed a earlier knowledge privateness directive and … one of many issues that the GDPR was meant to deal with was that there was a notion earlier of complexity, authorized uncertainty, and administrative prices related to having this separate system of enforcement of privateness legislation in varied nations. The European Union, one of many important concepts why we have now it, is to advertise the only European market to be in some methods like the US the place you may function largely throughout state borders, and that’s what the EU is supposed to supply within the GDPR world, the place the thought was to deliver us nearer to that, however as you say, offering companies, cross border companies with what the GDPR calls a single interlocutor, that there’s one authority you may discuss to as an alternative of getting 27 or extra authorities.
Eric Seufert:
Proper. Sarcastically, the US appears to be … with respect to privateness laws and knowledge privateness laws, it appears to be abandoning that precept, as a result of now we’ve obtained no matter, I believe there’s like three new state-level knowledge privateness legal guidelines that handed the legislative course of this yr or one thing. Perhaps I’m improper on that quantity. Anyway, there’s some … I believe we’re approaching double digits of states which have their very own idiosyncratic [privacy laws] … I imply they’re largely the identical. These state-level privateness legal guidelines, they’re kind of modeled after GDP, and for probably the most half, they’re the identical. They have an inclination to vary, if I perceive accurately, with the sanctions which are imposed and the flexibility to type a category to sue anyone.
That’s my understanding. Okay, so the GDPR established One Cease Store, you solely must cope with one privateness regulator. Should you’re headquartered within the EU, that’s wherever you’re headquartered. Firms are usually headquartered in Eire for various causes. In order that’s why, whenever you see these GDPR points erupt, it’s normally the Irish DPC that’s on the heart of it. So then discuss to me concerning the EDPB as a result of if I’m completely sincere, and possibly that is embarrassing, I had by no means heard of the EDPB till just lately. It was not one thing that I used to be conscious of and I believe it got here to the fore with this case particularly. Are you able to discuss to me concerning the dynamic between the EU state-level privateness regulators and the EDPB … and possibly about how a state-level privateness regulator will get to find out whether or not the GDPR was violated or not, after which, what sort of sanction to impose or not,
Mikołaj Barczentewicz:
Proper, so the EDPB, that’s the European Knowledge Safety Board, you may’t consider it as being the boss of the nationwide Knowledge Safety Authorities or DPAs. It’s extra like a company with a task to coordinate the cooperation between home, nationwide knowledge safety authorities. All that we mentioned concerning the One Cease Store precept is true, however what we additionally ought to observe is that there are exceptions to it. So for instance, when you might have Meta Eire, properly, domiciled in Eire, once they do enterprise in varied member states, there could also be methods for home nationwide authorities in these states to take motion with respect to what Meta is doing. There’s a particular urgency process in Article 66, however what ought to curiosity us right here a bit extra, and that’s how this Irish choice took form, is the particular cooperation mechanism in Article Six.
The best way it labored right here was that there was a criticism, a criticism filed, I believe in Austria and in Eire by Max Schrems’ group, NOYB, and this was a criticism in opposition to Meta alleging that Meta is violating all kinds of provisions of the GDPR. So I believe the criticism was round 2018. It took the Irish DPC fairly some time to analyze it, however as soon as they completed their investigation, they ready a draft choice. Then, when this occurs, when there’s a draft choice, particularly from the Irish DPC, then different nationwide regulators who even have customers of Fb and Instagram of their nation — which I assume is all of the nationwide regulators — can object to the method taken by the lead authority, on this case, the Irish DPC, and if we have now this draft choice to which there are objections that triggers the cooperation mechanism.
Usually, the thought within the cooperation mechanism is that the lead authority reaches some kind of settlement with these objecting involved authorities and it takes all of the objections into consideration or these authorities will retract their objections. This manner, a choice might be finalized with out one other mechanism, however on this case, there was no such settlement. This meant that the … as soon as the Irish DPC completed their draft that went to the process, the dispute decision process the place principally inside the EDPB mechanism, the nationwide authorities get to vote on how the choice must be resolved. At first, they vote by a two-thirds majority, but when that doesn’t work, then after two months or so, they go … the extent required goes right down to a easy majority.
So ultimately, a easy majority of these European authorities can overrule no matter method was taken by the lead authority. Thus far, as far I do know, this occurred seven instances, and the lead authority that acquired this binding choice was the Irish Knowledge Safety Fee.
Eric Seufert:
Okay, let me see if I can play that again to you with respect to this specific case as a result of I believe it’s actually fascinating. So so far as I perceive, NOYB launched the criticism the day that GDPR went into impact. We’re going to no matter day it was, 2018, GDPR is now the legislation of the land. We’re going to file the criticism. Irish DPC took a while, quite a lot of time, 5 years … they got here to love a draft conclusion that mentioned, now we don’t suppose it is a violation. We predict that Meta can use a contractual foundation for this objective, for promoting concentrating on. Each European nation has folks inside its borders that use Fb. In order that they obtained a say and a majority of them disagreed, or was it a super-majority disagreed, so 67% mentioned no, or is that how that works or-
Mikołaj Barczentewicz:
I’m unsure we all know, however a minimum of the bulk.
Eric Seufert:
Proper. Okay. So anyway, a minimum of the bulk disagreed. They went forwards and backwards, a minimum of a easy majority stored disagreeing, and we obtained to the purpose the place the EDPB says, “Okay, properly you may’t come to an settlement amongst yourselves. We’re going to undertake this case and we’re going to resolve whether or not or not [Meta] violated GDPR and likewise what the sanction is.” Is that right?
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
Okay. So as soon as that call is made, it will get pushed again right down to the related privateness regulator they usually must implement it.
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
I see. In order that’s the journey that Meta went on, or the Irish DPC went on, by this course of. The EDPB mentioned, “No, we disagree with you Irish DPC. We’ve decided that Meta did in actual fact violate GDPR. Right here’s the sanction that you will need to impose on them.” The Irish DPC acquired that. Clearly, Meta mentioned they’re interesting. The Irish DPC goes to impose the sanction, and Meta is interesting. We’ll see what the end result of that’s. Then, Meta additionally mentioned, “We predict you overstepped, EDPB.” Are you able to discuss to me about that?
Mikołaj Barczentewicz:
So the Irish DPC said-
Eric Seufert:
Sorry, the Irish DPC mentioned, “We’re going to impose the sanction on Meta. We disagree with it.” I imply, that is all within the press launch, “We disagree with the sanction, however we’re going to impose it but in addition EDPB, we disagree along with your energy right here. We disagree along with your interpretation of what your energy is. We predict you’ve overstepped the facility granted to you by the GDPR and we’d take some motion.” May you discuss to me about how the Irish DPC reacted to this?
Mikołaj Barczentewicz:
So there have been three points from the Irish DPC’s perspective. There is part of their choice of which there was no disagreement and that was about sure transparency necessities violations, and the Irish DPC thought that Meta did violate these guidelines. That’s in a way, not the intense a part of the choice.
Then there’s the substantive disagreement between the Irish DPC and the EDPB over contractual necessity. Right here, the Irish DPC, even within the press launch once they say, “Sure, we’re fining Meta, however truly we sort of disagree with our personal choice. We’re pressured to take it.” In order that’s one subject, however there’s a third facet which isn’t strictly about contractual necessity, but it surely’s about EDPB telling the Irish DPC that they need to begin a brand new, broader investigation that the Irish DPC doesn’t wish to begin.
That is what the Irish DPC says is an overreach: they are saying that they don’t seem to be like a nationwide court docket with basic supervisory authority over the Irish DPC, that they will solely coordinate as soon as … there’s a draft choice, however they can’t power a nationwide authority to start out an investigation. So in a way, the disagreement over which the Irish DPC mentioned they’re contemplating going to court docket will not be strictly talking about this, the core subject in that call — this may in all probability be right down to Meta to problem — however over this procedural facet about forcing the Irish DPC to start out a brand new investigation.
Eric Seufert:
Bought it. Okay. So let me learn that again to see if I’m understanding accurately. In order a part of this judgment that the EDPB handed to the Irish DPC to implement, additionally they mentioned, “By the way in which, we expect that it’s best to undertake a a lot bigger investigation round Meta’s enterprise practices associated to GDPR.”
Mikołaj Barczentewicz:
Yeah.
Eric Seufert:
And what the Irish DPC is pushing again on will not be the judgment that the EDPB handed right down to them within the case of this investigation, which they only kind of settle for that they have to impose, but it surely truly pertains to the EDPB’s potential to inform any given privateness regulator that they have to undertake an investigation. And that’s the place the Irish DPC says that the EDPB is overstepping.
Mikołaj Barczentewicz:
Sure. Though who is aware of, possibly if they carry an motion for annulment, which is the technical identify of the authorized measure they’d use in opposition to an EDPB choice, possibly then they may broaden the scope of that motion to incorporate some substantive points as a result of they did inform us they disagree substantively with the EDPB. So possibly they may do it or possibly they may merely go away that to Meta to litigate.
Eric Seufert:
Bought it. Okay. That’s in all probability as clear because it’s going to get for a layman like myself, however that’s very useful.
There are a dizzying variety of acronyms that should be used on this area. I don’t know the way you handle to take care of your sanity right here. I believed advert tech was dangerous with acronyms, however European privateness is even worse.
So, simply fascinated about the results of this, how ought to corporations that make the most of first-party knowledge for adverts personalization interpret this choice? How ought to they modify their very own practices? As a result of to your level, this doesn’t prohibit the use. This simply says, “Okay, properly if you wish to course of knowledge for that objective, you’ve obtained to make use of a distinct authorized foundation from the GDPR, or we don’t suppose you should use contractual foundation. You in all probability have to make use of a distinct foundation.”
So what Meta has mentioned and what lots of people are saying privately is that, “Nicely, we’ll simply change to professional curiosity and that’ll be wonderful,” proper? Now my argument again — and once more, I’m a layman, I don’t know that a lot about this and I’d love to listen to your ideas on my argument again — is that, properly, TikTok tried that. TikTok tried to change its privateness coverage such that they had been utilizing the professional curiosity foundation and never the contractual foundation to sidestep the consent mechanism. As a result of [TikTok has] a consent mechanism in Europe. Should you open up TikTok [in the EU], there’s a consent popup that claims, “Do you comply with have your knowledge be used for adverts personalization” or no matter, that exists, proper? They needed to cease doing that.
So what [TikTok] had proposed to do was to alter its privateness coverage such that it was utilizing professional curiosity in order that they wouldn’t have to gather consent. And my understanding is the Italian DPA mentioned, “No approach. Should you try this, we’re going to problem it.” After which, TikTok consulted with the Irish DPC, which is their privateness regulator as a result of they’re headquartered in Eire, that dialog befell after which they mentioned, “Okay, we’re not going to make this alteration. We’re going to stay with what we’ve obtained.” Are you able to discuss to me about that? What’s the professional curiosity foundation and why would possibly that not be the silver bullet right here for any firm that’s doing this very same factor?
Mikołaj Barczentewicz:
So the professional curiosity foundation could appear to be fairly enticing as a result of it signifies that it’s lawful so that you can course of your person’s private knowledge on your personal curiosity. And you’ve got set a number of the examples that GDPR provides for which are if you might want to stop fraud in your companies, and even for direct advertising and marketing. Direct advertising and marketing is an instance of professional curiosity that’s utilized by the GDPR itself. So it does appear enticing.
The issue with that is that the identical a part of Article Six that introduces it additionally says that it’s allowed besides, the place such pursuits, these professional pursuits, are overridden by the pursuits or elementary rights and freedoms of the information topic. So then you might have this tough authorized train of balancing whether or not my curiosity as a enterprise to do direct advertising and marketing, overrides or is overridden by the person’s curiosity to not have their very own privateness restricted, in order that’s one downside.
The opposite downside is that you just can’t reuse professional pursuits to course of particular class knowledge below Article 9 of the GDPR. That’s knowledge like knowledge revealing racial or ethnic origin, political views, spiritual or philosophical perception and in case you’re Fb, you might have this downside that really you gather a lot knowledge that it’s very arduous so that you can say that a number of the knowledge you gather is probably not revealing that sort of data. I assume TikTok is in the same scenario. So for these two causes, the Italian authorities issued a proper warning to TikTok, and it does appear to be TikTok shelved that concept, and that’s simply the GDPR. We didn’t even point out the ePrivacy Directive, which doesn’t have the notion of professional pursuits, solely consent. So TikTok didn’t go together with that plan.
Eric Seufert:
Proper, yeah. So I needed to get to that subsequent. One factor that sort of confused me once I started the method of making an attempt to grasp the area is Irish DPC is a DPA.
Mikołaj Barczentewicz:
Sure. Knowledge Safety Authority
Eric Seufert:
Proper, then the Irish DPC is simply the nationwide identify for that DPA, which is Irish Knowledge Safety Fee, proper? Okay. Yeah, that was complicated to me as a result of folks appear to make use of these two acronyms interchangeably and they’re I assume, however the Irish DPC is simply that particular workplace.
So thanks for the segue as a result of I wish to discuss concerning the ePrivacy directive and I wish to sofa that dialogue able proposal. Right here’s my place proposal, and inform me if I’m approach off or if I’m shut to focus on. My sense is that we’re trending to a degree the place by the GDPR and ePrivacy directive choices — and we’ll get to what a few of these have been, some current examples in a second — however by these GDPR and ePrivacy directive choices, we’re trending to a scenario by which consent is the one viable mechanism for processing knowledge.
We in all probability gained’t see these different GDPR authorized bases be permitted for customized promoting, for adverts personalization, adverts concentrating on, no matter you wish to name it. These corporations are in all probability going to must resort to consent. What do you consider that? How would you reply to that?
Mikołaj Barczentewicz:
I believe that it actually does appear to be companies are being pushed in the direction of consent, a minimum of for the sort of knowledge processing that authorities understand as having important privateness impression. And profiling or behavioral promoting is seen as having this important impression because it’s not simply accumulating a mailing checklist for direct advertising and marketing or direct emailing or snail mail. The issue with consent is that it’s actually not simple, and also you talked about already that is one facet that consent needs to be knowledgeable. So we have now a difficulty of discover the steadiness between offering an excessive amount of technical element after which a person wouldn’t perceive it as a result of it’s too technical. Then again, you might be too basic and simplify an excessive amount of so {that a} person is not going to be adequately knowledgeable.
So knowledgeable consent is hard, however I don’t even suppose that’s the largest subject. I believe that what might be the largest subject, for instance, for Meta is that this downside of bundling consent. This comes from Article Seven of the GDPR, which says that there’s a presumption that if a person has to provide consent to knowledge processing to entry some service, and when the service supplier can’t depend on contractual necessity, then this consent will not be freely given and that’s not legitimate. So right here, the issue is that this bundling subject, in case you inform your customers, “If you wish to use our service, you need to consent.” Usually, if there is a matter of true necessity, you then wouldn’t have to ask the person for consent as a result of you then say, “Nicely, the processing might be based mostly on the contract between us,” and that’s what Meta tried to do.
What Article 7-4 says is that, properly, in case you then can’t depend on contractual necessity, then there’s a minimum of a presumption that you just can’t ask for consent in case you make consent a situation of accessing the service. So if Fb says, “You must consent to this sort of knowledge processing, or we are going to delete your account otherwise you can’t open an account.”
Eric Seufert:
Then, on this particular context after we’re speaking about customized adverts, it’s … properly, we’d like customized adverts to run the service. So in case you don’t consent, we simply can’t supply the service to you. That’s what you’re saying. They will’t try this. They will’t bundle this stuff collectively such that — and also you talked about this in your article — that’s take or go away it, you’ve obtained to provide them an off-ramp for that particular characteristic for which they’re consenting.
Mikołaj Barczentewicz:
Yeah, so I imply, we will attempt to have a look at it from Meta’s perspective. So the EDPB tells them that they can’t depend on contractual necessity for knowledge processing for customized promoting as a result of a minimum of based on EDPB, it’s theoretically potential to run a social enterprise with out customized promoting. By the way in which, they supply no proof for that, so set that apart. There’s additionally the problem of professional pursuits. So on this case, we’re just about left with consent, can’t use professional curiosity, can’t use contractual necessity. So right here, Article 7-4 makes it very tough, if not, not possible to make use of consent as a situation of entry to a service, so what appears to be a conclusion in order that Fb might have to supply an equivalent service with out customized promoting or maybe any personalization to any person who wish to refuse to consent. Then, you may ask additional questions.
So can Fb cost customers for entry to that service? The tough subject right here, and we return to consent, is that if customers must pay for an alternate, that would imply that … they could be pressured to consent to the free service as a result of they can’t afford to pay for the personalization free possibility, possibility C. So [Meta] could also be between a rock and a tough place: that in case you inform customers to pay, this can be forcing them to consent, and if [Meta] forces them to consent to the customized model, then this consent will not be legitimate and that’s unlawful. After all, everyone knows that Meta has at all times been against the thought of getting a paid subscription possibility, so forcing them to do it might be actually tantamount to telling Meta that the regulators know higher run their enterprise, however that’s additionally a difficulty.
Eric Seufert:
Proper, so there’s a lot to unpack there. It’s humorous as a result of — having labored within the area for my complete profession, cell apps, digital adverts — there are issues that I simply know to be true, and I don’t know this stuff by rigorous scientific interrogation. I do know them simply by osmosis from having seen so much and noticed so much. I do know that you just can’t cost for a social media app. That won’t achieve success. Should you attempt to cost for it is not going to achieve success. You may’t even make it meaningfully tough to onboard. Have a look at Mastodon, it is not going to work. [Social media] needs to be quite simple to onboard and it needs to be free.
Each half a second of friction that you just add to the onboarding course of, however particularly if that friction is said to somebody pulling out their pockets, simply dramatically reduces retention. So I do know that to be true, I can’t show that, however I simply understand it to be true. In order that’s why they’ve by no means experimented with the paywall product. Now, what you’re saying, if I’m studying this again accurately, is that if [Meta] mentioned, “Okay, properly look, we’ll offer you the choice. We’ve obtained to pay for our servers. We’ve obtained to pay for our engineers, we’ve obtained to make some cash right here. If we go purely contextual, we’re not going to make any cash.”
Mikołaj Barczentewicz:
Yeah.
Eric Seufert:
So we’ll provide the possibility, person. Both you go free product with adverts personalization otherwise you pay. You’re saying that that might be challenged. That might be saying, properly, that’s consent below duress, that’s consent below some various the place cash is exchanged, and that’s not actual consent. You’re saying that that might in all probability be challenged.
Mikołaj Barczentewicz:
In order that’s not how I’d interpret the GDPR, however I’m extremely assured that the identical authorities, the home authorities, that objected to Irish DPC’s method, they will even take that route and they’ll say, “Nicely, it’s not actual consent as a result of right here, you’re not selecting between two free choices, so they don’t seem to be equal selections for the person, as a result of right here, one possibility is free and one possibility is paid. So the consent for the free possibility is that’s not absolutely free and freely given and that’s invalid.”
Eric Seufert:
Proper. Okay. Sorry, I don’t imply to place phrases in your mouth. I’ll attempt to chorus from it. I’ll simply attempt to summarize and have you ever inform me whether or not I’m proper or improper. I do know attorneys are very specific about semantics. Okay, so it sounds prefer to me my interpretation of what I’m listening to is that that might probably be challenged.
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
Okay. Now, in case you have a look at Europe as a share of Meta’s revenues after which, you attempt to again … as a result of the UK will not be within the EU. So, in case you have a look at Meta’s share of what they name “Europe” income, and you then have a look at the IAB’s breakdown of income inside geographic Europe, 50% of it’s UK. That’s what the IAB says. So, the opposite 50% is continental Europe. What if Fb mentioned, “Look, the juice will not be well worth the squeeze right here. We’re going to maintain our app as it’s within the UK and of that line merchandise on our quarterly earnings that claims Europe, we all know that about half of that’s UK, in order that’s in all probability wonderful. The opposite half is continental Europe. We’re simply going to solely make a paid app in Europe and we all know that our income there’s going to lower considerably, however possibly we’re simply keen to take that threat or we’re keen to soak up that loss as a result of hey, we certain are paying quite a lot of fines.”
Then, they provided the kind of free app with customized promoting baked in, all around the remainder of the world. May that be challenged since you’re saying, “Nicely no, you’re not giving us the identical app, you’re disadvantaging this geographic territory relative to the opposite geographic territories by giving us an inferior app simply so that you don’t must adjust to our privateness legal guidelines, we’re not going to permit you to try this.” May that be challenged?
Mikołaj Barczentewicz:
Nicely, however I’m assuming that on this situation they really do adjust to the legal guidelines within the sense that they take away personalization, behavioral promoting, after which, they attempt to get well it by subscription.
Eric Seufert:
You see, let’s say that they create Fb EU and there’s actually no personalization by any means. Your feed is all chronological. There are not any adverts, however you need to subscribe.
Mikołaj Barczentewicz:
I’m unsure it might be an issue below privateness legislation. If some very artistic regulators possibly will then take into consideration antitrust points and attempt to make a case that properly then, you’re value gouging. So relying on what the value is about for that, however sure, it may deal with the issue, identical to going to contextual promoting. So then you might say, okay, so we’ll have much less income, however you then’ll attempt to do it simply with contextual promoting.
Eric Seufert:
Yeah. Nicely, I believe folks have a look at contextual promoting as some sort of panacea to all kinds of privateness considerations, however contextual promoting solely works when there’s context.
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
What’s the context of my Fb newsfeed, proper? I imply if I’m on espn.com, you may in all probability infer just a few issues about me, that is perhaps commercially actionable. If I’m on climate.com, you may’t. Then, if I’m on the Fb newsfeed, you actually can’t. So contextual promoting, my sense might be it simply doesn’t work for that product or the income will not be interesting,
Mikołaj Barczentewicz:
Nobody actually is aware of for certain what any enterprise ought to do, together with Meta particularly. However a technique to have a look at the present scenario is that a minimum of some European authorities, they don’t care to discover a approach for customized promoting, and even ad-supported enterprise fashions, to be achieved lawfully. Their method appears to be, “Listed below are all of the situations you might want to fulfill to do promoting lawfully, and whether it is not possible to fulfill them, robust luck. Discover a totally different enterprise mannequin.”
Eric Seufert:
Proper. I don’t wish to converse for too huge of a gaggle right here, however I’d say that the prevailing sentiment amongst digital promoting operators, and even simply publishers, in the US is that there’s no actual compromise potential right here. We’re in all probability not going to converge round some mutually agreeable answer.
Mikołaj Barczentewicz:
In order we seen on this Irish case, there is no such thing as a unanimity. Some authorities in some nations take a barely extra maximalist interpretation of the GDPR. Some take a distinct view, so maybe the political course of can nonetheless lead to a distinct outcome, however the present momentum appears to be going on this path as we simply mentioned.
Eric Seufert:
Proper. That’s sort of miserable, however we’ll transfer on.
I’ve written a few articles just lately concerning the CNIL, they usually’ve had a few actually attention-grabbing choices, and we will get to these. However are you able to discuss to me about what the CNIL is and what its jurisdiction is, as a result of that appears sort of fuzzy.
Mikołaj Barczentewicz:
So CNIL is one other DPA, just like the Irish Knowledge Safety Fee, however one cause why we’re speaking about CNIL proper now’s that in a number of different EU nations and former EU nations just like the UK, the Knowledge Safety Authority was given, in a way, double authorities, below the GDPR and below home legislation, which implements an previous or comparatively previous ePrivacy Directive. So authorities just like the CNIL and the UK Info Commissioner’s Workplace (ICO), they will put on two hats and implement these two totally different jurisdictions.
Eric Seufert:
Proper, discuss to me concerning the jurisdictional distinction between the ePrivacy Directive and the GDPR. So GDPR is EU-level privateness laws, and the ePrivacy Directive is a directive, proper? It’s not laws. It’s saying, “Hey, it’s best to, you EU block, you 27 EU member nations, it’s best to implement this legislation, however you might want to implement it in a approach that is smart on your personal home sensibilities.” Are you able to discuss to me concerning the distinction between these two ideas, an EU-level legislation and a Directive, after which additionally discuss to me concerning the distinction between the GDPR and the ePrivacy Directive?
Mikołaj Barczentewicz:
So the EU Legislation 101 on that is that rules and directives are totally different as a result of rules, they bind member states instantly and they’re their statutes, that are ready-made as soon as they’re enacted. Whereas when you might have a directive, a directive kind of units nearly like a objective within the distance that member states are nonetheless sure to succeed in, however they achieve this by adopting particular nationwide statutes. So with regulation, you don’t get nationwide legal guidelines individually from it, the regulation is straight relevant, as we are saying. With a directive, you get these separate nationwide legal guidelines, and the factor about directives is that these nationwide legal guidelines normally, there’s a little bit of leeway for varied nations on how they may obtain these targets.
For instance, a type of variations that may be amongst EU member states is whether or not they may have one authority each for GDPR and ePrivacy or separate authorities. So France and the UK, they went with one authority method.
Eric Seufert:
Bought it. In order that’s useful. Speak to me somewhat bit about that leeway although, as a result of I believe there’s in all probability some explanatory energy there when you concentrate on these particular circumstances that we’ll speak about in a second.
Mikołaj Barczentewicz:
So one downside with that leeway is that as a result of CNIL, the French authority has its home legislation, the way in which they use it’s they are saying, “Oh, we have now separate authority from the GDPR, which signifies that based mostly on that authority, we will act utterly exterior of this One-Cease Store course of which is required for the GDPR, however not for the ePrivacy Directive. So the ePrivacy Directive doesn’t have this concept that as a result of Meta Eire is domiciled in Eire, that they’ve the only real interlocutor important authority to speak to in Eire. Below the ePrivacy Directive, you might have 27 nationwide legal guidelines and every of these legal guidelines is enforced by the home authority, and I believe it might be truthful to say that the French Knowledge Safety Authority determined to be very artistic and aggressive in utilizing that authorized foundation as an alternative of GDPR.
A cynical interpretation of it’s that they’re merely making an attempt to sidestep that limitation, to get well some authority they misplaced by the One Cease Store precept and by the truth that most large techs are domiciled in Eire.
Eric Seufert:
Proper, okay and that’s nice as a result of that’s a terrific segue into the primary case I wish to speak about. So the CNIL sanctioned Apple.
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
And it’s somewhat bit ironic as a result of Apple rolled out ATT.
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
And it rolled it out with iOS model 14.5, and [Apple] kind of slow-rolled it. So normally what Apple does is once they launch a giant new characteristic launch, they’ll make it accessible, and folks will, of their very own volition, go and obtain it. Early adopters will go and obtain it they usually’ll replace their iPhone they usually’ll use it. Then, Apple can take a look at as a tech take a look at whether or not there are any breaking bugs that they didn’t catch or no matter. And after some normally reasonable period of time, like every week, they’ll say, “Okay, this seems to be fairly secure.” What they’ll do is that they’ll ship a push notification to everybody else’s cellphone and say, “Hey, this new model is prepared for launch.”
So what you may monitor is the improve graphs, principally, adoption graphs of folks that have upgraded to the latest model, and normally it’s this sort of very low degree of adoption progress. Then, there’s an inflection up and it’s this vertical graph that goes up as a result of everybody will get the push notification. So what they did with 14.5 is that they waited for much longer after which, they made some adjustments after which, they launched 14.6 and let it ruminate after which, they pushed the notification after which, the adoption curve inflected, and nearly all of folks had it in very quick order. That was proper round WWDC 2021, so it was late June.
So what the CNIL mentioned was … and this was not likely made public till just lately, however on the time, what the CNIL mentioned was, “Hey look Apple, you’re doing adverts personalization and you’re utilizing a bunch of identifiers that these customers haven’t consented to have accessed by you. And also you’re utilizing these identifiers to gather knowledge from these customers and to construct profiles of them and goal adverts to them in your individual advert platform, which is Apple Search Adverts, which is the placements inside the App Retailer and the Apple Information and Apple shares apps.” And what Apple mentioned was, “Hey, CNIL, thoughts your individual enterprise. If we’re headquartered [in the EU] in Eire, you may’t intervene right here if it is a GDPR subject, have the Irish DPC examine it. However we have now no accountability to clarify this to you and this isn’t a French nationwide subject. If it’s a GDPR subject, then we’ll undergo the One-Cease Store provision and we’ll discuss to the Irish DPC.”
CNIL mentioned, “No, as a result of you might have two corporations based mostly in France. You’ve obtained Apple Retail and another sort of home firm.” Now, Apple Retail sells … they run Apple shops. You go in there and you purchase an iPhone, however then the opposite firm was just like the native department that managed the ASA, the Apple Search Adverts help. They usually mentioned, “You’ve obtained a home entity right here and so due to this fact we will interrogate your practices right here below the French Knowledge Privateness Act.” They usually did they usually fined them. I believe it was eight million euros, which to Apple will not be some huge cash. However nonetheless, they had been in a position to make the case that no, this isn’t a GDPR subject. We don’t must undergo the One-Cease Store provision. We are able to litigate this by French home privateness legislation and we do and we’ve discovered that you’re in violation.
Are you able to simply discuss to me about that? Let me know if I’ve gotten something improper after which, what I discover very, very attention-grabbing is that [the CNIL was] in a position to push again on this concept that no, it is a French home subject. Sure, we will examine it right here based mostly on French legislation.
Mikołaj Barczentewicz:
Sure. So there are some circumstances below the GDPR when you may have a home non-Irish authority to analyze, and that’s what occurred with TikTok and the Italian authority. They used this urgency process, however that was below the GDPR. What occurred, what CNIL does, and that appears to be their M.O. just lately, is they only don’t use the GDPR. They use the identical … their nationwide knowledge safety legislation, which implements the ePrivacy Directive, and there’s this provision on this.
So, as a lot of your listeners will in all probability know, [the ePrivacy Directive is] the cookie legislation. In order that’s the true cause why we have now consent banners, not the GDPR, however actually the ePrivacy Directive.
However there’s one different characteristic of the ePrivacy Directive in its Article 5-3, which says that everytime you wish to retailer or acquire entry to any data on a person gadget, you might want to inform the person and provides them a possibility to refuse, to change. This principally means consent.
In order that’s the idea that CNIL is utilizing below the ePrivacy Directive as applied in French legislation, not the GDPR.
Eric Seufert:
Proper, and I believe there’s one thing essential to underscore there, however there are two issues. So one is, I mentioned on the outset, I mentioned it was ironic as a result of it was Apple. Apple has considerably disrupted the digital promoting area with ATT after which the CNIL discovered, “Nicely, you’re not compliant with the privateness directive.” So I believe the attention-grabbing consequence of that was Apple applied the consent dialogue after this occurred. My sense is — I’d conclude from that — that they had been by no means going to do this, had nobody pushed again on it. And that is simply my opinion, proper? I’m not making an attempt to kind of implicate you on this, however my sense is that Apple solely determined to implement that consent popup, which by the way in which, says adverts personalization.
It’s very totally different from the ATT popup, but it surely says adverts personalization they usually get much more kind of actual property to make use of in making the case than you do with the ATT popup, however nonetheless, they wouldn’t have achieved that had this not been kind of pushed again on is my perception, however I believe the opposite attention-grabbing factor right here, or a minimum of the opposite takeaway is that … properly, let me say there’s two extra. One is that in case you’re compliant with ATT that doesn’t imply you’re compliant with the ePrivacy Directive.
Mikołaj Barczentewicz:
Appropriate.
Eric Seufert:
ATT is a platform coverage, it’s not a legislation. The ePrivacy Directive will not be a legislation both, it’s a directive, but it surely’s transposed into legislation throughout the EU and also you won’t … simply being compliant with ATT is critical however not enough for being compliant with the ePrivacy Directive.
However the different perception I’d parse from this, which I believe is essential, however I wish to get your ideas on it as a result of I is perhaps misinterpreting it, is that there’s a legal responsibility inherent with complying with the ePrivacy Directive on the EU state degree. And also you would possibly say, “Okay, properly I won’t be compliant with the ePrivacy Directive as transposed into French legislation as a result of the French are being very litigious with this, however I might need much less legal responsibility in Germany and I might need nearly no legal responsibility or I’ve some legal responsibility however not very a lot legal responsibility in Spain.”
So I would make enterprise choices on that foundation. I would say, “Okay, properly I perceive that what I’m doing might be not compliant with the ePrivacy Directive as transposed into nationwide legal guidelines throughout the EU, however solely a few of these nations are literally going to pursue that. So possibly I’ll launch a distinct model or not have a model accessible in any respect in a few of these nations, relying on the chance.” Now for Apple, eight million euros, they in all probability don’t care that a lot, however Voodoo would possibly, or another firm would possibly, and that may truly persuade an organization to simply merely … as a result of it’s very simple with the App Retailer, I simply click on a field. I click on a field and my app is obtainable in your nation.
That’s all I’ve to do, so if I believe the legal responsibility is doubtlessly too materials to justify having the app dwell there, I simply unclick the field. Is that one thing that would occur or would that violate some sort of EU-level accessibility legislation?
Mikołaj Barczentewicz:
I’m unsure. I believe you might have sufficient freedom to decide on which nations to function in, and likewise, there’s that threat and which can help that sort of choice, as a result of in case you implement … So in case you go together with the interpretation of, for instance, what consent below Article 5-3 of the ePrivacy Directive, what it requires, and in case you go together with the interpretation adopted by the French regulator, and in case you do it for one nation, then your place versus vis-a-vis all different regulators is weaker as a result of then they will say, “Nicely, you probably did that for the French market, why wouldn’t you try this right here?” So that could be one cause additionally to go for that kind of semi-nuclear possibility. I’m not observing the market intently sufficient to say whether or not anybody did that.
Eric Seufert:
Nation by nation, I don’t suppose so, however within the kind of early days of GDPR, you simply had … particularly quite a lot of native newspapers in the US, you mentioned, in case you’re in Europe, we’re not going to permit you to entry [our product]. We are able to’t bear that legal responsibility. That might kill us. No matter, The Little Rock Observer, in all probability the ten readers they get from the EU on daily basis are usually not well worth the threat. Now clearly, the chance scales with the dimensions of the potential sanction based mostly on the dimensions of the person base in Europe. I don’t suppose anyone goes to go after The Little Rock Observer however nonetheless, I believe you get my level.
Mikołaj Barczentewicz:
Going again to the rationale of the One-Cease Store that we talked about in the beginning of our dialog, I believe it is a excellent instance and it’s perceived as one thing as a foul scenario in EU legislation as a result of it does go in opposition to the concept that EU legislation is supposed to supply harmonization and supply a single market the place you may function with out regulatory borders between nations. So there are some concepts to alter the scenario when the ePrivacy Directive is lastly going to get replaced with its successor.
Eric Seufert:
Proper, discuss to me about that, discuss to me concerning the ePrivacy Regulation. What’s going to that change?
Mikołaj Barczentewicz:
So the ePrivacy Regulation was in a way, a sister thought to the GDPR, and I believe the unique thought was that they had been going to be enacted on the identical time. That didn’t occur. It’s actually arduous to inform what precisely is the present state of the ePrivacy Regulation. The purpose is that it might … and one of many concepts for it was to have comparable enforcement mechanisms because the GDPR. So going from this fragmented 27 nations with barely totally different roles and concepts about enforcement scheme, we have now now below the ePrivacy directive, in the direction of one thing like One-Cease Store within the GDPR. What I do know is that there’s disagreement between the assorted legislators, so the European Fee appears to be in favor of the GDPR method for it.
However the governments of varied member states adopted their very own negotiating place, which might truly protect the fragmented system of enforcement. So even when the ePrivacy Regulation is adopted, there is no such thing as a assure that it’ll deliver that enchancment by way of enforcement.
Eric Seufert:
If I’d liken it to a scenario in the US, it’s sort of like California vis-a-vis federal privateness legislation. They wish to preserve their company with the CCPA and CPRA they usually don’t wish to give that as much as the federal authorities. Is that roughly comparable? Is that an okay comparability?
Mikołaj Barczentewicz:
I believe so. I don’t know which nations are the strongest voices behind this kind of fragmented enforcement method, however I’d be very stunned if France will not be amongst them.
Eric Seufert:
Proper, so one query I’ve for you is, is there a double jeopardy clause right here? As a result of that might be my concern, proper? So, okay, France sanctioned me based mostly on nationwide French legislation, transposed from the ePrivacy Directive and by the way in which, so did Spain and so did Germany. Is there a double jeopardy safety right here or may I simply get fined by each EU state for an infraction?
Mikołaj Barczentewicz:
That’s a very good query, however the issue is that technically, as a result of it’s nationwide legislation, every state fines you for what you probably did in that state. It’s additionally not legal legislation, so the final precept, double jeopardy, could not apply, however technically, these are separate infractions, proper?
Eric Seufert:
Certain.
Mikołaj Barczentewicz:
So sure, I believe you’re prone to being fined for a similar factor many instances over.
Eric Seufert:
Okay, obtained it. So I assume that raises the query, why is France the one on the vanguard of this? Why not Spain? Why not Germany? Why is it France? Why is it the CNIL that’s this energetic? As a result of in case you have a look at the variety of circumstances that they’ve litigated, it’s quite a bit.
Mikołaj Barczentewicz:
That’s true. There are some energetic regulators in Germany, but it surely does appear that the French Nationwide regulator, CNIL is especially aggressive. So I don’t wish to speculate concerning the French coverage selections, A, it might be a cultural factor, partially, it might be … There might be, I think a little bit of, as of virtually nationalist subject or a minimum of European sovereigntist subject as a result of a lot of these nations that are being prosecuted by CNIL are American corporations. So I believe this isn’t fully with out affect on the motivations behind it, however I believe it’s additionally tempting to notice that the identical French authorities, though CNIL is an unbiased authority, however CNIL takes a really maximalist interpretation of privateness although, whereas the French authorities is thought for taking a really minimalist interpretation of the GDPR and usually EU privateness legislation relating to any restrictions on governmental knowledge processing.
To the extent that they maintain litigating and shedding circumstances earlier than the European courts about their legislation enforcement and intelligence knowledge processing, which I believe is a reasonably attention-grabbing juxtaposition, proper? Each the strongest at imposing in opposition to tech corporations, but in addition probably the most eager on large-scale knowledge processing, however by the federal government, and based on the EU courts even to cross the boundaries of EU legislation.
Eric Seufert:
Yeah, properly, don’t get me began. I imply that’s … what drives me up the wall is whenever you see so-called — at all times self-appointed — disinfo consultants saying, we have to have entry to all the information that Fb has so we will stop Cambridge Analytica from ever occurring once more. It’s like, “Nicely how do you suppose Cambridge Analytica occurred? It didn’t occur … it wasn’t some like rogue hacker group in North Korea. It was a researcher.”
Mikołaj Barczentewicz:
Sure.
Eric Seufert:
Proper. So I imply, I don’t purchase that argument that researchers can by no means wish to be motivated by cash or no matter. I don’t know in case you’re a Simpsons fan, any likelihood of that?
Mikołaj Barczentewicz:
I do watch The Simpsons every so often. Yeah.
Eric Seufert:
One in all my favourite scenes was … Sideshow Bob infamously tried to homicide Bart a few instances and he went to jail. And he had “Die Bart, Die” tattooed on his chest. The parole board says, “Nicely, we don’t imagine you whenever you say that you just’re not going to attempt to homicide Bart once more since you’ve obtained Die Bart, Die written in your chest.” He mentioned, “Oh no, that’s German for The Bart, The,” and the parole board says, “Nicely, nobody who speaks German might be an evil man.” And it’s like nobody who’s an instructional may have an ulterior motive with this knowledge.
Mikołaj Barczentewicz:
So it’s not our important subject for right now, however I believe it’s price mentioning the brand new DMA and DSA rules, which additionally impose some knowledge entry necessities, for instance, creating this new advert database, which is supposed to be accessible by APIs for everybody. So it’s fairly attention-grabbing how on the identical time, so with one hand, EU legislation calls for extra privateness protections, however with one other, it seems to be like it might be undermining that which is doubtlessly a considerably schizophrenic scenario.
Eric Seufert:
Yeah, I imply, I’d like to have you ever again to speak concerning the DMA and the DSA. That’s clearly one other hour and a half, however we’ve obtained our fingers full right here, since you made a degree, which I believe I’d’ve been absolutely onboarded with till just lately, which is that possibly there’s some — and I don’t wish to put too wonderful a degree on this as a result of I don’t know whether or not it is a motivation or not — however possibly a part of the motivation for pursuing these circumstances was that these are American corporations and you might kind of interpret various causes for why a nationwide privateness regulator would wish to very, very aggressively implement their legal guidelines in opposition to American corporations. I believe up till no matter, six months in the past, I’d’ve mentioned, yeah, that in all probability is explanatory right here, however additionally they sanctioned Voodoo Video games. Voodoo Video games was sanctioned by the CNIL.
Voodoo Video games is a French firm they usually fined them thousands and thousands of euros. They mentioned that … sort of just like the Apple case, they mentioned, “Look, you’re accumulating the IDFV.” I believe a lot of the listeners are aware of ATT, however what ATT does is it exposes this pop-up, this consent immediate to customers once they open an app. It solely does it one time, but it surely says, “Do you comply with have this app monitor your conduct inside this app and throughout third-party apps and web sites?” or one thing like that. The person says sure or no. If the person says no, then what occurs is the coverage is in impact and the coverage covers extra than simply the IDFA. The coverage covers any sort of identifier that might be used and transmitted to a 3rd occasion for the needs of adverts monitoring.
It says you may’t try this, however the kind of concrete results of the person opting out is the IDFA will get set to all zeros, proper? So it’s successfully ineffective. The IDFA is about to zeros, and what Apple made accessible to builders was when the IDFA is zeroed out — as a result of the person opted out of monitoring, they mentioned no to the ATT immediate — is the IDFV. So the ID for Distributors. The IDFA is the ID for Advertisers. The IDFV is ID for Distributors. What that’s, it’s a publisher-specific gadget identifier. So it’s distinctive to that writer for that gadget, however it might be totally different for a distinct writer for that gadget. So Voodoo Video games operates various video games, they publish very many video games and for any person that performs a number of of these video games, their IDFV is similar, each time they play the sport.
In order that approach Voodoo may say, “Okay, properly this person Eric is enjoying this sport and this sport as a result of I’ve seen that IDFV in each video games.” In order that they know that that’s me enjoying a number of video games. Apple made that accessible within the case of ATT opt-out as a result of they mentioned, “Okay, properly that’d be tough to sew collectively. Should you despatched that off to a 3rd occasion, they will’t do an entire lot with it.” Now, it’s potential that they may, however it might take a extremely concerted effort and possibly quite a lot of cooperation throughout third events that aren’t prone to wish to cooperate. In order that’s in all probability privateness protected.
[The CNIL] mentioned, “Nicely, we don’t care, ATT is platform coverage … the French Knowledge Privateness Safety Act says you might not learn knowledge from a terminal except the person consented they usually didn’t consent. The IDFV, we don’t care that Apple says that’s privateness protected. We don’t say it’s protected. French legislation says you may’t learn this knowledge from the terminal with out their consent and also you didn’t ask for consent and so we’re going to wonderful you.” Speak to me about that as a result of I believe that was attention-grabbing for various causes. One, it’s a French firm. I believed that was attention-grabbing. Perhaps it’s much less attention-grabbing than I believe it’s.
Mikołaj Barczentewicz:
Yeah.
Eric Seufert:
The opposite factor is the motive right here, which Voodoo mentioned was, “Look, we’re doing this to be protecting of the person privateness.” There’s a bunch of different stuff we might be doing, however we’re not. We’re utilizing the IDFV as a result of that’s privacy-protective, and the French court docket mentioned, yeah, wonderful, but it surely’s not compliant with the legislation.
Mikołaj Barczentewicz:
We’re nonetheless speaking about this text 5-3 of the ePrivacy directive and it’s attention-grabbing how intently it tracks a number of the GDPR discussions, for instance, in Irish Meta circumstances as a result of this rule does say if you wish to retailer or entry any data on the person gadget, properly, you might want to give the person a possibility to refuse, to tell and provides the best to refuse, however there’s an exception. The exception says, “This shall not stop any technical storage or entry for the only real objective of finishing up, facilitating the transmission of communication or as strictly crucial in an effort to present an data society service explicitly requested by the subscriber or person.” So this final half, it actually seems to be just like the contractual necessity consideration.
In a way, yeah, I believe you might have very comparable authorized debates about whether or not, for instance, what Voodoo Video games was doing, whether or not that was truly crucial for them to have the ability to present that service as a result of they could be funded a minimum of partially by promoting. So it’s actually a really … a minimum of to me, it looks like a really comparable dialog however the issue is that even below the GDPR, it went the way in which … properly, let’s await the courts, however saying that no, you can not use contractual necessity because of this. Then maybe the ePrivacy Directive might be interpreted in the identical approach, but when the courts go … it’s a minimum of potential that the courts may interpret it in any other case. So to say, “No, promoting is a part of the deal, it’s a part of the contract, it’s crucial for provision of the service as a result of it’s an financial necessity, not only a technical necessity.”
And for that cause, then you might not require this consent, particular consent for storage or retrieval of data from the person’s gadget. So sure, I believe that’s price noting, however I’m not stunned that the French authority would take the identical view on this as they tackle contractual necessity and say, “No, you need to have particular consent.”
Eric Seufert:
Yeah, and also you made that very same level in your article, proper, concerning the financial necessity. That’s not likely being thought of when these are being litigated. Okay, I needed to get to at least one extra large subject. Trans-Atlantic knowledge flows. I believe that is one thing that in all probability most individuals are superficially conscious of. You see the headlines each from time to time, however the particulars are staggering or there’s only a lot there. Are you able to simply sort of briefly give a background of that pressure, that subject, after which possibly give us your tackle the way you suppose it’ll be resolved?
Mikołaj Barczentewicz:
So below the GDPR, transferring private knowledge exterior of the EU is just allowed if sure situations are met, and broadly these situations and a cope with whether or not it’s a spot, the jurisdiction to which knowledge is supposed to be transferred, protects privateness sufficiently and comparable individuals concerned, as within the Meta investigation, there’s Max Schrems. He’s in all probability most well-known for litigating this subject twice now and possibly quickly for the third time. So, far twice, he managed to persuade the European courts, the Courtroom of Justice to say that the scheme below which … below EU legislation, the US was acknowledged as a protected jurisdiction for knowledge privateness, that this scheme was not … was invalid below EU. In order that first occurred in Shrems One and extra just lately below Shrems Two.
So now there are some methods round this as a result of these two choices handled an overarching scheme referred to as beforehand the privateness protect below which it was an settlement and below which the European Fee and the US authorities, they agreed that the US will make some representations about defending Europeans knowledge, and based mostly on that, know if I used to be an EU or US enterprise transferring knowledge between the 2 jurisdictions, I didn’t have to make my very own particular person assessments, whether or not that is wonderful for me to do. For the reason that Shrems Two choice, for the reason that earlier choice was invalidated, now, we have now some methods round the issue, the principle of which is named SCCs. The usual contractual clauses and the SCCs are a scheme the place you as a enterprise individually must assess authorized dangers to your person’s knowledge from that knowledge being transferred to the US.
The SCCs is what Meta and all different main suppliers are relying upon for transferring person knowledge. What occurred in a number of Google Analytics circumstances and in a pending Meta knowledge transfers case seems to be just like the home knowledge safety authorities began to take a really arduous line about how the theoretical risk of non-public knowledge being accessed by US intelligence authorities undermines any use of these SCCs. So as a result of it’s potential that below US legislation, the data, the non-public knowledge of a European will within the USP accessed by the authorities with out, some argue, enough due course of, because of this it might be illegal for an organization like Meta to switch the information of Europeans to the US. And I believe it final yr, meta even made an announcement of their SCC submitting saying that this case, the spending case is such a threat that if it goes a technique, they could have to cease offering companies in Europe.
In order that they disclose that as a big enterprise threat in an SSC submitting. So that call is anticipated in April and everyone seems to be ready for a distinct choice, this time from the European Fee creating a brand new … so-called adequacy framework. So privateness protect, you might say three, that may make this meta choice in a way, mote. So even when the information safety authorities, had been going to seek out that no Meta is violating EU legislation by transferring private knowledge to the US, this may turn out to be extra as soon as EU legislation once more permits everybody to switch private knowledge to the US. So we’re very eagerly awaiting for the European Fee to formally undertake a draft adequacy choice that they already introduced. So it’s anticipated round, arduous to inform June possibly.
Eric Seufert:
Proper. So if I perceive accurately there was some information just lately, two weeks in the past or three weeks in the past, and there’s a difficulty across the timing as a result of that is being attacked from two totally different instructions the place it’s being dealt with.
Mikołaj Barczentewicz:
Precisely.
Eric Seufert:
So there’s the DPAs, the affiliation of DPAs or no matter, after which, the EC and the DPAs are … as soon as they go into the method, they’ve some fastened period of time, however the EC would possibly take longer. So the DPAs may say, “Nicely no, this isn’t authorized,” earlier than the EC proposes the third answer. After which, in that interim interval, there could be a grey zone or one thing the place it’s not simply Meta, proper?
Mikołaj Barczentewicz:
Black gap.
Eric Seufert:
Proper, I imply, this may apply to each American firm. Yeah.
Mikołaj Barczentewicz:
Google, Meta, everybody.
Eric Seufert:
Are you able to discuss concerning the timing?
Mikołaj Barczentewicz:
I imply, the answer itself would solely have authorized results with respect to at least one firm, clearly, however then everybody could be prone to equivalent or very comparable enforcement proceedings.
Eric Seufert:
Proper. Mikolaj, this was so informative. I’ve actually been wanting ahead to this name and it completely lived as much as expectations. I’ve so many extra questions, however I’ve already kind of eaten up an hour and a half of your day. I’ll ask, how can folks join with you? How can they learn your writing? How can they observe you? The place do you reside on the web?
Mikołaj Barczentewicz:
So I believe it’s finest to observe me on Twitter and it is going to be in all probability finest in case you simply put up a hyperlink within the present notes to my deal with as a result of my deal with is my preliminary after which, my surname, which could be very tough however sure, so Twitter is finest.
Eric Seufert:
Bought it, and simply sort of final fast query, so I really feel like I’ve a superficial grasp on these matters and I’ve in all probability invested, I don’t know, 20, 30 hours into this analysis. Most individuals don’t have that sort of time to decide to this. What do you do, in case you’re working at an American firm, you’re based mostly within the US and also you wish to be sure to’re compliant with myriad EU privateness legislation, what do you do? You simply rent a legislation agency or do you rent a full-time individual to handle this?
Mikołaj Barczentewicz:
I’m afraid … I imply, after all, it will depend on how large your operation is, however it might be very tough to keep away from some costly attorneys, sadly, which is among the unhappy features of this case as a result of these prices can add up in a short time. However I’m unsure there’s another accountable recommendation I may give than simply getting a very good lawyer.
Eric Seufert:
All proper. Truthful sufficient. It’s clever phrases for many conditions. All proper, Mikolaj, I very a lot recognize your time. Thanks very a lot for strolling by these matters with me and with the viewers. Take care.
Mikołaj Barczentewicz:
Thanks.
