EU: Data sharing in adtech - Designating controller, joint controller, and processor roles
When a website operator ('the Publisher') wants to sell ad space on its website for the purposes of targeted online advertising, this involves the sharing of personal data with a large number of other adtech companies ('Participants'). This can include data sharing with advertisers, advertising exchanges, demand side platforms, supply side platforms ('SSPs'), data management platforms ('DMPs'), and consent management platforms ('CMPs'). James Fenelon, Senior Associate at Bird & Bird LLP, provides an overview of data sharing in adtech and why specific roles are important under EU legislation.
Once the Publisher deciphers the roles and acronyms, it will also need to enter into contracts with many of these partners to paper the data sharing taking place. As part of this exercise, the Publisher will need to assess the data protection role of each Participant, i.e. is it a controller, and if so, an independent or joint controller? Or is it a processor? This can be difficult. Adtech and real-time bidding ('RTB') can be complicated, particularly for those unfamiliar with the jargon, the participants, and the data flows. Even if the Publisher diligently works through the analysis, many publishers lack the bargaining strength to re-negotiate a Participant's standard form agreement (regardless of whether its role designations are legally accurate). However, such arguments are unlikely to be a regulatory defence for processing under data sharing arrangements without appropriate paperwork in place.
Establishing controller or processor roles
To the dismay of many data protection practitioners, there is no set of controller/processor labels that can be applied universally across the board. The position is further complicated by the fact that similar counterparties may adopt varying roles: we cannot say with certainty that all SSPs are always controllers (some are positioned as processors). In many cases, therefore, there is no substitute for a factual, case-by-case analysis to designate the controller/processor role. That said, there are general patterns that can be drawn out to help with this analysis:
- The Publisher is a controller, as it is deciding to sell ad space on its website for targeted online advertising.
- The advertiser is a controller, as it is deciding to bid to serve ad impressions on the Publisher's website.
- Ad networks tend to be controllers. As the Article 29 Working Party ('WP29') noted in its Opinion 2/2010 on Online Behavioural Advertising, 'when behavioural advertising entails the processing of personal data, ad network providers also play the role of data controllers.'
- DMPs that analyse categories and collate incoming data from multiple sources to support targeted advertising tend to be processors. However, this is not a rule without exception. For example, if the DMP itself provides third-party data, rather than merely facilitating the provision of third-party data, to help the Publisher enrich its first-party data, it will likely be a controller, at least for that activity.
- CMPs that enable publishers to manage user consents generally process personal data on behalf of the controller and will therefore be processors.
- Providers of website analytics products also tend to be processors.
For other participants, the position can be more nuanced. However, since the introduction of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the number of Participants positioned as controller has significantly increased. There are a few reasons for this:
- the introduction of the GDPR required organisations to focus on data protection in a way that they had not done before (including revising their data protection role, which many organisations re-assessed as controller);
- data processors had no direct obligations under the predecessor to GDPR, the Data Protection Directive (Directive 95/46/EC). The GDPR changed that (meaning that the processor status was less beneficial post GDPR); and
- controller status, by its nature, gives participants greater flexibility to determine what they do with the data they process (and is accordingly often more aligned with participants' commercial aims).
In light of the foregoing, the designation of a participant as controller or processor generally needs to be assessed on a case-by-case basis. In carrying out this analysis, publishers should have regard to a number of factors that help determine whether the participant is a controller:
- If the counterparty does not always act on the Publisher's instructions on how to use or process the personal data the Publisher provides, this strongly indicates controller status.
- If the Participant makes decisions about how to use the data, such as who to share it with or how long to keep it, then the counter-party will likely be a controller.
- If the service is not carried out in a per-publisher silo, i.e. if the participant mixes the Publisher's data with other publishers' data to gain insights or to match cookies or other IDs, that suggests the vendor is a controller.
- Similarly, if the service provider creates a unique ID for its own purposes and/or shares or uses the same unique ID across its different clients, the service provider is likely to be a controller.
- If the vendor enriches the publisher's data with third-party data then this indicates that the participant is a controller.
- If the participant keeps the publisher's personal data or subsets of it for the participant's own product improvement, this indicates that the participant is a controller (at least for that element of the processing).
- If the participant would be unable to delete or return the data if the relationship with the Publisher changed or was terminated, then the participant is likely a controller. This criterion can be very useful when assessing complex adtech services: where the Publisher's data has been mixed or shared in such a way that the participant cannot delete or return it, this is a strong indicator of controller status.
Where the publisher establishes that the participant is a controller, the next question will be to ascertain whether they are acting as an independent or joint controller.
Under the GDPR, organisations are controllers 'jointly with others' if they act together to determine the purposes and means of processing (Article 26).
There has been little guidance from regulators to date on what differentiates joint control from data sharing between independent controllers more generally, and ascertaining where independent controllership ends and joint controllership begins is no mean feat.
The European Data Protection Board ('EDPB') is, at the time of publication, working on new guidance on controller/processor status to update and replace the WP29's 2010 opinion on the matter. The expectation is that the paper, due to be published in late 2020, will find widespread joint controller relationships among adtech participants. Recent jurisprudence of the Court of Justice of the European Union ('CJEU'), notably Wirtschaftsakademie Schleswig-Holstein (C-210/16) and Fashion ID (C-40/17), supports this view and illustrates that the threshold for joint controllership is low: a party can be a joint controller for a stage of processing (such as collection and transmission) even where it has no access to the personal data itself.
Those engaged in adtech activities should closely monitor regulatory guidance in this area. Where participants consider joint control may be relevant, it is also advisable, regardless of the labels used, that the contract or other arrangement between the parties sets out who is responsible for which GDPR obligations. For example, as between the Publisher and ad networks, this could be the Publisher, as gatekeeper, being primarily responsible for notice and consent, with the parties otherwise being broadly responsible for their own processing operations, subject to an obligation to assist each other with data subject requests under Chapter III of the GDPR.
In addition to the contractual requirements, organisations need to focus on due diligence of partners; while most companies' due diligence has in the past been focussed mainly on data processors and the acquisition of third-party data, in line with the GDPR principle of accountability, due diligence is becoming increasingly relevant to data sharing more generally.
While the COVID-19 ('Coronavirus') pandemic led the UK's Information Commissioner's Office ('ICO') to pause its investigation into RTB, this grace period may be short-lived, with the ICO recently confirming that its concerns with adtech remain and that it plans to restart its engagement during 2020/2021.
James Fenelon Senior Associate
Bird & Bird LLP, London