Dave:
Fantastic. Thanks, Gary. And thanks Sachiko and Marty for your comments and remarks as well. We are now entering the question and answer portion of the program. So as a reminder to all of you out there listening in the audience, if you'd like to submit a question, you can type them in the field that's just to the right of the PowerPoint window there and we'll tackle as many as we can during the time that we have allotted.
So let's go ahead and get started with Sachiko with this first question and it has to do with the one-to-one personalized advertising versus what's known as contextualized advertising. So the question is, why is personalized advertising necessary when ads can be delivered in a contextual way? Contextual-based advertising based on appearance on website, particular areas, et cetera.
So Sachiko, would you like to tackle that first question?
Sachiko:
Yes, I can. Very good question. And my immediate response to that is, well, if that's what the marketers want, if that's what the brands want, then personalized data is still going to be something that we want to provide them with. It's really a demand and supply story.
However, very, very generally though, compared to contextual, I mean, there are many contextual advertisements that are very creative on its own. It is still perceived as the more effective way of improving the relevance of advertisements to the consumer.
Dave:
Terrific. Anybody else care to comment there?
Gary:
Yeah. So I think that's a great question and it highlights, hopefully, this is coming across that the 5th Cookie working group is not about an either/or or we versus they. It's about a broader conversation. And in those situations where contextual advertising meet the needs of the consumers, the data subjects and the brands, it makes complete sense. But there are, as Sachiko referred to, there are efficiencies to more targeted advertising that benefit both the consumers as well as the brands, the people paying for the advertising. And so, I think it's probably a combination mixture of both.
Dave:
Excellent. Makes sense. Marty, anything there?
Marty:
Not on that topic.
Dave:
Okay, great. Well Marty, this next one is actually, I think I'm going to start with you. Here's the question. Why is it important to determine if data science used in ad tech has a legal effect on data subjects? You referred to this in your comments. Care to elaborate there?
Marty:
So in the simplest mode, thinking with data is using statistical methodology to figure out what the data tells you or to actually test hypothesis and it depends on the methodologies you're using. From my perspective, that is knowledge discovery, but it comes down to the question in the data science, what is your general question? What is your motive? What is your reason?
So if your reason in a data science perspective is to determine what is the best market for a particular product and then offer that product to an individual, to a cohort, not to a particularly named individual, but to a cohort, that's really not data science that has legal effect. It's data science whose purpose is to segment markets.
If your purpose is like, was the case in or suggested in the last US election year, it is to define the right messages to discourage individuals from voting, voting is a legal right. So that would be data science or profiling that does have a legal effect because you're taking away a specific right.
So when you're doing the data science, the motive behind the data science is important. It's not the technical processes, it's the motive. And then when you apply those learnings, again, it goes to, what is the effect of applying those learnings?
Dave:
Okay. That's helpful, Marty. And just staying with you for a moment for this next question with regards to the purpose of direct marketing, if the GDPR says that we can use legitimate interest to process data for direct marketing, then what is the problem you're trying to solve? Care to comment there?
Marty:
The problem is that the GDPR was designed with a couple of motives. One was to go to a risk-based approach to data protection and data protection goes through the full range of fundamental rights and freedoms and that's a fairly broad range. It was also to assure that the right legal basis to permission data was applied and that the legal basis be effective in protecting individuals when it's applied.
I can tell you in my conversation with regulators. Right now, we have a trust deficit with regulators as it relates to legal basis other than consent. And part of what we need to do is to be able to demonstrate to regulators that there's process and theory that would assure that when organizations are using legitimate interest that they've done a balancing process that is empowering of individuals while it's empowering for the organizations.
So part of why we have a question in play is that there is a trust deficit among regulators as it relates to legal bases other than consent.
Dave:
Excellent. Thanks, Marty. And …
Gary:
If I could just jump in on that, because we do a lot of work with regulators and legislators, people that were involved in the working group for the GDPR. And quite candidly, there's a good deal of surprise on their part that people haven't picked up on Pseudonymisation. You don't mention the term 15 times by accident. But the term by itself doesn't cause magic to occur.
So legitimate interest is in fact, specifically identified in the GDPR as being applicable to direct marketing, digital marketing, but it's not just the term. You have to satisfy that term and it's the intermarrying of Pseudonymisation and legitimate interest processing that enables this to occur because as Marty said, you need to address this trust deficit with the regulators who have seen too many companies merely claim a legitimate interest without being able to show the technical and organizational safeguards they put in place to satisfy its requirements.
And so, that's really what this whole conversation is about. It's really what the 5th Cookie working group is about. It's, let's elevate this conversation as to how technical controls can enable us to address this trust deficit so regulators have greater confidence in data controllers and processors, data subjects and consumers have greater confidence in what's being done and not only businesses benefit, but society benefits.
There's a lot of benefits from data processing, a lot of innovation that can come from AI, machine learning, other processes, but it has to be balanced against the rights of the individuals and the expectations of the regulators and legislators.
And so, I truly underscore what you said, Marty. This is all about addressing the trust deficit that we currently have with regulators.
Marty:
So I can tell you, I've had direct conversations with numerous European regulators and actually, recently with Canadian regulators who have a different set of laws to apply. And what I'm being told by them is they literally have had no company come in to demonstrate their methodology for legitimate interest that to them, demonstrate that they actually understand what that balancing process is.
So the regulators are defaulting to consent because they haven't seen from organizations the knowledge that they understand how to apply legitimate interests.
Gary:
And there is data out there. The two ENISA reports on Pseudonymisation, the GDD draft code of conduct. It shows how this can be done. It's not how it's been done. That was the picture of the goldfish jumping from bowl to bowl, okay? That's not normal activity of fish, but if you show them how to do it and you give them the tools to do it, they can do it.
And so, this is absolutely critical, I believe, which is, it's the intermarrying of the technical controls to enforce the policies and the procedures to show accountable processing that regulators can then say, “Okay, I understand what you've done. I understand how you did it. And now, you have the right to do what you're about.”
Dave:
Excellent. Thanks so much.
Sachiko:
Hey, Gary. I want to just add something to what you said about the code of conduct of the GDD. Well, actually, this code of conduct of pseudonymous data of GDD is actually being sponsored by the Ministry of Interior of Germany. And it was actually presented at the so-called Digital Summit, which is an Angela Merkel-hosted event and it talks about how Germany can actually grow in the digital economy. And they really do bank on accountable organization using protective measures such as pseudonymous data.
So it is not only the regulators, but also on the governmental level, there is a strong interest in using, applying pseudonymous data as well as, of course, carrying out appropriate legitimate interest assessments.
Gary:
Thank you for that, Sachiko. And I think that what I at least believe is a key point here is, it's not an either/or decision. There is a way to balance the interests. There's a path and a tool and a means that the GDPR talks about and it doesn't only talk about Pseudonymisation. I'm not saying that. But it reflects the idea that technologies can be used not just to track and service ads to individuals, but to also reduce the risk to them and to do it in a way that still can be targeted to their individual interests and characteristics and behavior, but not in such a way that is naturally identifying. And I think that's what we're talking about here, right?
So countries, regions, the globe benefits, if and when we pull this off correctly. So thank you for pointing out, it’s not just the regulators.
Marty:
So to that point, the Canadian government which is in the midst of thinking about how to revise their private sector privacy law, has asked the IAF to think about how you can process data for advanced uses in a trustworthy fashion with means other than consent.
Dave:
Fantastic. Well, thank you, Marty and Sachiko and Gary. That brings us to the end of our question and answer period here. There were a couple of questions that we didn't get a chance to get to. But I can tell you that we'll do our best to export those and try to provide some answers to them either on the IAPP website or the Anonos site.
And as you probably noticed, the email addresses for all of us are available there on the screen in front of you or if you're watching this as a live presentation, you can go ahead and click those. And if you didn't get your question answered, you might fire it off to one of the folks on the panel available here as well.