
Dave Cohen (IAPP)
[47:29] All right. That sounds great, Gary. Thank you, Marc. Thank you, Chris. Thank you, Gary, for that excellent presentation. We do have some time left and we've got some questions here.

Marc M. Groman (Groman Consulting Group LLC)
[47:39] I can't resist the opportunity to have Chris Docksey on a call with me. And so, I wanted to pose a question to Chris if that's okay since he's here, and I think it would be of interest which is: We both referenced legitimate interest as a way to our mechanism for lawful processing under GDPR for AdTech. And so, Chris, can you pretend that I’m your client and I’m in AdTech. So, now I have to do balancing. I have to balance the legitimate interest of my company in advertising or personalized advertising versus the rights to a data subject. That's a little alien for a lot of people outside Europe. How would I go about doing that?

Christopher Docksey (EDPS)
[48:23] Oh, boy, thanks for that question, Marc. But I think what I have to do is maybe go through how the Court of Justice does it and then embellish that a bit. And you saw that analysis in the Google Spain case. So, if anybody wants to read it, they can find it there. And they did it in the subsequent accountability cases. There's basically a three-step formula. What's the legitimate interest of the controller? The EU Charter includes the freedom to conduct a business as long as its fundamental rights, and President Lenaerts pointed to this as one of the freedoms guaranteed by the charter. So, I would just plead to read them to conduct a business as a fundamental right, possibly also the benefits of innovation and competition, which are really in the public interest. As you said, Marc, we don't want to come out of the Coronavirus experience with there being just five companies left. So, first, what's the legitimate interest of the controller? And there is one.
[49:31] Secondly, does this infringe the rights to privacy and data protection? If so, the balance is against the processing. And if you just say freedom to conduct a business per se and you do whatever you want, then that's going to infringe the rights to privacy and data protection. So, thinking about your IAF column, I would ask a number of questions. Was there information about the processing? Which is a transparency requirement, which was not respected in Wirtschaftsakademie and Fashion ID. Is it necessary for the specific business purpose or does it go further as the necessity requirement? Which is in Planet 49 where they were bundling different things for consent.
[50:15] Could it be achieved in a less intrusive way? The proportionality requirement, which was in Google Spain. And this is crucial, are there safeguards which adequately protect the rights such as risk analysis and mitigation, after a data protection impact assessment, or human intervention with regard to automated decision making using profiling that produces legal effects? These are the issues the regulators will also have in mind because they're worried. And the ICO in its report in 2019 said that the scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive, and unfair, particularly when data subjects are unaware that it's taking place.
[51:08] And so, you have those tests and if you can put in the safeguards and comply with the need to be specific and transparent, then you can move the balance into your favor as an accountable company. And finally, just to complete the analysis, it may be that there is actually a public interest in the data being out there. For example, freedom of the press, and that was a subject of another ruling recently in a CNIL case from France. Is that okay, Marc? Does that answer your question?

Marc M. Groman (Groman Consulting Group LLC)
[51:46] It does. I guess the one nugget that I sometimes get stuck on is in the context of advertising or direct marketing, what does “necessary” mean in that balancing?

Christopher Docksey (EDPS)
[52:02] Well, you look at the purpose. So, it would depend which of the actors in the AdTech ecosystem you're looking at. Is this the publisher? Is it the advertiser? Is it the AdTech in the middle? They will all have their own specific business purposes. And once you've identified the business purpose. Let's take the easy one, the advertiser: “I want to sell something.” Then, you have to identify what can I do that is necessary for that purpose as opposed to being extra? I would like it, but it's not actually necessary.

Marc M. Groman (Groman Consulting Group LLC)
[52:49] Thank you, Chris. I appreciate that. Now, let's turn to the other questions from the audience.

Dave Cohen (IAPP)
[52:57] Terrific. Thanks. That was great. And staying with you for a moment here, Chris, can you comment on how much divergence there is now between member states and how you suggest companies navigate those differences across the EU? Does this make accountability more difficult?

Christopher Docksey (EDPS)
[53:14] You've got two questions there actually, the level of divergence and whether it makes accountability more difficult. In principle, the GDPR is like an Act of Parliament. It's a regulation. It should be the same law in every member state, but they did allow a surprising amount of divergence between member states for regulation over a dozen areas where they can make their own rules or go further. And in fact, some of those I don't think they should be there, but they were the price of adopting it. But there are three saving graces for these differences. Firstly, if there is a difference, it's up to national regulators to find solutions that guarantee the free flow of data in internal markets. They cannot block the free flow of data. Second, national rules can't undermine the protections in the GDPR. And as we've seen in the case law, the Court of Justice is in charge of policing both controllers and regulators, and it's insisting on guaranteeing the most effective protection of the rights in privacy and data protection. So, if there's a difference, you take the higher standard.
[54:27] And third, and this is the reply to the question about accountability, I would turn it around and I would say accountability is the solution for the differences. It's not that the difference is causing problems for accountability. It's true they can make compliance more challenging, but an accountable controller has thought in advance about what it needs to do and how it can do that whilst it's respecting the privacy and data protection rules. Accountability is hardwired into the GDPR. It is actually probably the most important innovation in the GDPR. So, a company doesn't need to know the GDPR by heart, or these differences, so long as it has got a privacy professional in place that does know the law or know where to find it. Now, I'll just finish by saying the Article 29 Working Party has asserted that the DPO or the privacy officer is the cornerstone of accountability.

Dave Cohen (IAPP)
[55:32] Terrific. Thanks, Chris. That makes very good sense. And, Gary, I'd like to direct this next question to you, if I may. And it's this: Does all profiling for advertising have similarly significant effects? If yes, how is this a risk-based framework? Certainly, all profiling is not equal, but it appears to be treated that way. How would you respond to that, Gary?

Gary LaFever (Anonos)
[55:55] It's a great question and there's a lot of confusion on this. If you just read some of the case law or the guidance, it sounds as if all profiling by definition has a legal or similarly significant effect, but in fact that's not true. I just want to make a couple of notes here in case people want to verify it on their own. The Article 29 Working Party guidelines on automated decision making and profiling itself says: “In many typical cases, the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals. For example, an advertisement for mainstream online fashion outlets based on a simple demographic profile.” That's one of the reasons why functional separation enabled microsegments (mSegs), which are targeted to small groups of people and leave it up to the individuals within those groups whether or not to respond, take away the legal or similarly significant effect. Even the ICO report, which is causing a lot of concerns, even says - even in the context of real time bidding - that automated decision making and profiling can have a significant effect on individuals.
[57:09] So I think what's really, really important is that a data controller be able to show that they went through the analysis - the data protection impact assessment, the legitimate interest impact assessment, they've applied principles of accountability and proportionality, and they have technology and controls in place that support the policies coming from that analysis to show that they've sufficiently mitigated the risk to the individuals. That's what it's about. You have to show demonstrable accountability and technical safeguards that enforce your policies and procedures to mitigate the risks to the data subjects. That's when the balancing of interest tests can be won by the data controller so they can continue to process the data. And in that instance, profiling should not and I believe does not involve a legal or similar effect.

Dave Cohen (IAPP)
[57:59] Okay. Thanks, Gary. And speaking of demonstrable accountability, there is a good follow-on here and I think we'll address this one to Marc. Why is demonstrable accountability an acceptable solution? Isn’t that a soft option? Marc?

Marc M. Groman (Groman Consulting Group LLC)
[58:12] Thanks. I'd like to unpack the question because it suggests that demonstrable accountability is the solution. It depends on the question we're posing in a problem that we're exploring. But I think that I'd like to go back to the answer that Gary just gave, which really keyed out where accountability plays just a critical and integral role, not only for GDPR compliance, but it should play a critical role for any company's global, continuous, and comprehensive risk based data protection program. And so, we talk about it in the context of GDPR where we do analysis under legitimate interests. We do balancing where it's baked into GDPR where we have to show to potentially a regulator or a business partner that we have the right processes and procedures in place. That we have data governance that we are taking steps through whether it's Pseudonymisation or encryption or other technologies or data protection by design - all of that goes into accountability, which is really like the foundation underneath the other requirements that get all a lot more attention.
[59:22] We always talk about it's about consent or it's about your legitimate business interest but below that has to be a framework of accountability to show compliance with GDPR, to show that in at least the context of the EU that the rights and interests of data subjects have been effectively taken into account and considered, or equivalent risks addressed or mitigated on this side of the Atlantic. So, it is a critical part of GDPR compliance. And I think it will be a critical part of any global company's global strategic data privacy program going forward. It's just absolutely pivotal. It doesn't get the attention of the other concepts, but in some respects it's more important.

Dave Cohen (IAPP)
[1:00:11] Terrific, Marc. I’m staying with you for a moment here. There's a good related follow-on question for you. Why do you think the ICO is so skeptical about legitimate interest for subsequent processing then? And after you answer, Marc, I'd be curious to hear Chris’ and Gary's answer as well.

Marc M. Groman (Groman Consulting Group LLC)
[1:00:29] Well, I think that unfortunately, there's a lot of skepticism directed from regulators across Europe towards the industry in general and sometimes the larger tech companies that are here in the US, but there's that general skepticism about a willingness to really invest the resources to conduct the balancing, to demonstrate accountability, to show you've done the risk assessment. And so, that skepticism, I think, sort of purveys other issues and the relationship and how they go forward. It's unfortunately, not in all cases but in many cases, justified based on at least their perception of how compliance has gone to date with GDPR. But on the other hand, we've seen companies and trade associations reacting to guidance. Hopefully, that's a positive step. And hopefully, what's critical will be the ability to have a really thoughtful and nuanced discussion so that we can approach the balancing and the analysis thoughtfully based on the facts that technology and data are being used and not have that sort of a conclusion ahead, or before we do the analysis. I don't want there to be a conclusion already that: “Oh, you probably don't have it.” That would not be helpful for regulators, for consumers around the world, or for the business.

Dave Cohen (IAPP)
[1:01:51] Terrific. Thanks, Marc. Chris?

Christopher Docksey (EDPS)
[1:01:55] Well, Dave, if you look at what the ICO itself has said, I think it is worried. Even if you could argue in favor of relying on legitimate interest, what it's found and what it's put in this report is that a lot of controllers don't know what legitimate interest means and what it requires. They think it's a soft option compared to consent. I’m only telling you what they think and to think of legitimate interest as an easy option is really unbelievable. And what the ICO said is that controllers are simply not carrying out the legitimate interest balancing tests that Marc and I just discussed - the legitimate interests balancing test - or implementing the technical controls or the safeguards that you need. So, the ICO has been looking at the industry and I think it has found it wanting.

Dave Cohen (IAPP)
[1:03:07] It makes good sense and we’ll see how this plays out over the coming months for sure. Gary, I know you have some comments here as well. Yes?

Gary LaFever (Anonos)
[1:03:15] Yes. So what I find interesting is I find a lot of data controllers believe the legitimate interest test is an outcome-based test meaning they feel they have a legitimate interest in using the outcome of the processing when actually legitimate interest is a process-based test. There are three tests to it. First, do you actually have a legitimate purpose? And so, there they may satisfy the first of the three. But the second is the necessity test. Do you have to get this particular data from this source to achieve your legitimate purpose? It's the third one, the actual balancing of interests test is a process-based test where you have to show you have in fact done the analysis and have tools in place that enforce the policies and procedures that come out of your analysis so as to mitigate the risks to the data subject. If you can't pass that process test, you don't get the benefit of the outcome. So, I think there is, for whatever reason, a feeling that if you have a legitimate interest in the result of the process that you should be able to use legitimate interest and everything that Marc and Chris just said is actually true, which is that's a naive assumption and mindset when it comes to legitimate interest. It can be done, but not with that mindset. And so, I do believe and that's my hope for the industry, and not just for AdTech and direct marketing but for many innovative uses of data, that if the controls are put in place to enforce the appropriate policies and procedures and the concepts of accountability and transparency, that processing can still occur for the benefit of all society and that includes AdTech and direct marketing and many other applications.

Dave Cohen (IAPP)
[1:05:02] Terrific. Thanks very much, Gary. We're running out of time here. So, we have one last question. I'm going to direct this toward Chris. It’s a question on the current environment and also has tendencies to look to the horizon and what may be in store down the road for companies as they seek to comply in this new environment. And here's the question, Chris, why has there been such a massive increase in decisions by the Court of Justice? What do you think is going on here?

Christopher Docksey (EDPS)
[1:05:30] Well, the first thing, Dave, to note is that the Court is essentially reactive. It doesn't have its own agenda. It decides the cases that have been referred to it by the National Courts. And if you look at those accountability cases that I discussed, they were cases that were brought at the national level either by Data Protection Authorities, by consumer protection organizations and of course there are other cases brought by NGOs. So, the simple answer first is that a lot more people are going to court at the national level. And the National Courts are asking the Court of Justice to rule on what European Union law means, and this is having a self-fulfilling effect. The more decisions there are, the more interest there is in National Lawyers and the Courts in using the Courts of Justice to get clarification on the law. So, I think processes are going on, and I really think we're going to see more and more decisions coming out to the Court of Justice as a result.