SUMMARY

15 February 2021

Meet the Author Series: Web Privacy Measurement and the Power of online tracking technologies (Dr. Rob Van Eijk)

Summary by Alessandra Calvi (LSTS, BPH)

PDF version

On 10 December 2020, the Brussels Privacy Hub organised the 11^th event of the Meet the Author series. The event challenged the findings of Dr. Rob Van Eijk (Future of Privacy Forum), an expert on tracking cookies and similar techniques, on Web Privacy Measurement (WPM) and Real-Time Bidding (RTB),[1] presented in his dissertation at the University of Leiden. This was the first Meet the Author Event, held in an online environment.

Discussants were Ine Van Zeeland (imec-SMIT-VUB) and Rosa Barcelo (SQUIRE PB).

Hielke Hijmans (Belgian DPA) chaired the event. 

Hielke Hijmans opened the event, introducing the author and emphasising how cookies and similar tracking technologies are nowadays omnipresent on the internet, being many services possible due to online advertising (or RTB). He invited the speakers to reflect upon: the intrusiveness of tracking technologies and the privacy-data protection risks arising therefrom, particularly about profiling, the validity of consent and transparency; the interrelationships between the General Data Protection Regulation (GDPR) and the ePrivacy Directive; the different forms of client identification mechanisms used by big players in the sector and the opportunity to develop new business models.

Rob van Eijk shared a key finding of his thesis, namely that the differences in the legal compliance of tracking technologies among the European Member States mainly depend (1) on the transposition of the ePrivacy Directive at the national level and (2) on the 'enforcement appetite' demonstrated by national Data Protection Authorities (DPAs). He admitted that the privacy discussion concerning tracking technologies progressed thanks to the European case law (see e.g. Fashion ID and Planet 49 judgments); to the guidance issued by the European Data Protection Board (EBPB) and certain national DPAs (for example, the adtech workshops organized by CNIL and the ICO); to the (lack of) fines imposed by DPAs. He added that there are still uncertainties over the legality of cookie walls in the ePrivacy Regulation discussion; and that dark patterns in cookie banners can easily be measured, facilitating the assessment concerning their proportionality. He concluded by stating that innovation towards a post-third party cookie world is vital for adtech providers; that contextual advertising has potential, e.g. the Dutch Public Broadcast Organization (NPO) demonstrated its effectiveness in pilots; and that more privacy-friendly (browser) techniques can be used.

Ine Van Zeeland reflected on the differences between probabilistic and deterministic mechanisms for client identification in online advertising.[2] She noted that large market players, such as Google, thrive in deterministic environments, keeping their clients "logged in". She wondered whether the current model of online advertising favours this model and if this could determine a shift from probabilistic to deterministic client identification mechanisms.

Referring to a study conducted by imec-SMIT about the value of personal data sharing among media organisations in Flanders, she observed that, in an ideal situation, where advantages and risks of tracking are perfectly clear to both parties, users may express valid consent. At the same time, she highlighted that effectively explaining the advantages and risks of tracking and targeted advertising is among the greatest challenges faced by the media sector experts.[3]

She finally pointed out that the media experts interviewed agreed that personal data have value, but their opinions diverged as to offering individuals the possibility to pay with their data. She then asked the author to comment on this.  

Rosa Barcelo was optimistic about the role of European case law and EDPB guidance for the harmonisation of the regime applicable to RTB and tracking technologies. She nevertheless expressed concerns regarding the mismatching approaches adopted by national DPAs concerning fines, that range from a few thousand to million euro. She also called for better coordination of Article 5(3) ePrivacy directive with the GDPR. She pointed out that in RTB many players are involved (e.g. tech companies, publishers, etc.) and that, so far, most of the sanctions were issued against publishers. However, in the light of the recent enforcement actions undertaken against Google, she wondered whether this will be the trend for the future and how enforcement actions will shape the future of online advertising.  

She reflected on the rising role of NGOs to promote the legal compliance of online advertising (see e.g. cases against Google and IAB Europe), emphasising that many digital rights advocates nowadays deem RTB intrinsically not legally compliant, especially due to the challenges of obtaining user's consent.

She highlighted how the issue of cookie walls goes beyond the domain of online identifiers, as it legitimises the idea of conditioning access to services to the giveaway of personal data.

Rob van Eijk observed that there are differences between website and app ecosystems and that the trend for the website one now is to create stabler identifiers. He warned for the creation of globally consistent identifiers.

He stressed the importance of dividing existing clients logged in service from casual visitors of websites, reflecting on the role of the legitimate interest as a legal ground in existing customer relations, and on the advantages of personalisation, for example in the case of newsfeeds.

He was sceptical about the possibility to consider data as a commodity. Referring to a research carried out by Bird & Bird, he stated that albeit numerous legislations may confer protection to certain types of data or on datasets (e.g. copyright, database rights and trade secrets), currently EU law does not specifically discipline data ownership. He added that data do not fit existing economic models as they can be copied infinitely without losing value. It is rather the access to data that has a value. Furthermore, typically the price of data is not determined by data subjects but by the financial team of data collectors.

He stated that bidding based – in its current form - on real-time behavioural data is unlawful and cannot be legally compliant, but that such technology can be the base for contextual advertising, which is more privacy-friendly. He explained that for the advertising technology to work, relatively stable identifiers are required. The two most important identifiers are the bid_id and the user_id. Both ids are required to link the bids to the inventory on the website. In contrast with behavioural targeting and (re)targeting, these identifiers can be generated randomly and then deleted, preventing cross-site impression tracking and the use of profile data of logged in and/or registered users.  

He pointed out that companies as Google are taking steps to restrict the use of third parties cookies, moving machine learning capabilities to browsers to promote privacy-friendly advertising. He referred to a new technology, the Federated Learning of Cohorts, that aims at providing interest-based advertising building upon the behaviour of a cohort of similar people, instead of observing the browsing behavior of individuals.   

Ine van Zeeland expressed concerns about the market imbalances that the Federated Learning of Cohorts would promote, as the shift towards privacy-friendly technologies is promoted by a company that already has access to so much personal data. Rosa Barcelo wondered about the possibility to apply data protection law to such cohorts. Rob van Eijk noted that the privacy risks of groups are connected to the risk for an individual be singled out. Hielke Hijmans added that being part of a bubble entails risks, too.

During the Q&A, a participant observed that the discourse about tracking technologies still suffers the influence of the 90s terminology. He noted that there is an undue focus on cookies, which are different from identifiers; that the third parties are data controllers or joint controllers under the GDPR; that more should be said about the notion of the private sphere; that greater coordination between technical and legal experts is necessary. Doubts were raised about the effects of the upcoming EU Data Governance Act on online advertising, as the notion of data altruism seems to contrast with the idea of control over personal information, and the difference between personal and non-personal data is very often blurred.

Hielke Hijmans concluded the event by thanking the speakers and the participants for the fruitful exchange.  

[1] An RTB system is defined as a network of partners enabling big data applications within the organisational field of marketing. The system aims to improve sales by real-time data-driven marketing and personalised (behavioural) advertising. Rob van Eijk and Jaap van den Herik, ‘Web Privacy Measurement - Can WPM Withstand the Power of Online Tracking Technologies?’ [2019] Ars Aequi 592.  

[2] Deterministic client identification builds upon metadata directly linked to an individual, whereas probabilistic one builds upon metadata relating to an individual and based on probability. ibid 600.

[3] Natasja Van Buggenhout and others, ‘POLICY BRIEF # 41 Wat Is de Waarde van Persoonsdata Delen Met Mediaorganisaties in Vlaanderen? Natasja’ 1.

Copyright © Brussels Privacy Hub

Copyright © Brussels Privacy Hub