GDPR One Year On: Interview with Platform161 Germany MD Christopher Reher
This interview is translated from the original, which appeared in Adzine on 20 March 2019.
Almost a year has passed since the mandatory introduction of GDPR. Since then, a lot has happened. In this interview, Christopher Reher, Managing Director Germany of Platform 161, talks about the current legal framework for digital advertising and takes a special look at in-app advertising.
ADZINE: Hello Mr. Reher, as Managing Director Germany of Platform 161, you are active as a tech provider in the programmatic market. As a jurist, however, you also bring expertise in privacy and legislation. A year ago, the industry was still in high excitement: GDPR was imminent, and everyone was trying to adapt their systems to the new requirements in time. If advertisers adopt a data strategy today, what should they be aware of?
Christopher Reher: Advertisers should differentiate first and foremost in how they employ user data. There are a variety of measures that can be taken that don’t necessarily require the consent of the user, since they are covered by legitimate interest or contractual obligations. Although they may be related to personal data, they are not used for profiling. Only at the moment advertisers apply user data to tracking or profiling in order to improve their advertising do they leave the field of legitimate interest, and the user’s consent is then required.
Therefore, it is important for companies to consider the context of data processing.
ADZINE: GDPR has made obtaining user consent a priority for advertisers. Are companies meeting this task?
Reher: The GDPR regulates pretty clearly that for profiling of the user, his or her consent must be given. Even if it is often not perceived as such, consent is not an end in itself. Its purpose is to explain to the user what happens to his or her data and to convince him or her that the processing of this personal data is to his or her advantage. Users should be willing to “pay” with their data for the respective service. Consent is not simply about informing, but about active participation between the company that wants to use the data and the user. The user should be aware of this and be able to control this relationship.
Currently, however, it is still common for companies to hide or implicitly seek to obtain consent by informing the user that they automatically agree to share their information by using their service. Although this is still generally accepted as consent, it is not effective according to GDPR.
The following requirements apply to consent according to GDPR: it must be individual or personal and must be given by someone who has been informed and who voluntarily provides it.
The biggest challenge is usually the awareness and willingness of the user. The information must not be too complicated – easy to understand for laymen. In addition, the consent must not be linked to services. There are now a number of judgments that make it clear that not all consent under the GDPR is valid. In the forthcoming ‘Planet 49’ decision, it will be clarified how deep a declaration of consent must be. The user must be told what data is collected and for what purpose, and above all, the choice must be left to him or her.
ADZINE: Hasn’t it been quiet since 25 May 2018? Apart from a few prominent cases, such as Google and Facebook, little has been heard about the other consequences of GDPR. How do you see the market?
Reher: Actually a lot is happening – there are now a number of judgments that further clarify GDPR. The Facebook Fanpage judgment, for example, focused on who is responsible for data processing. Another judgment, in the ‘Fashion ID’ case, concerned responsibility for data processing when using third-party plug-ins on a website; this was also related to social buttons. The ‘Planet 49’ decision specifically concerns the question of whether one needs consent to place a cookie that does not collect personal information. In addition, data protection authorities are becoming increasingly active. They are increasingly asking questions and actively participating in the discussion.
What I often see in the market is companies still clinging to old models. In the English-speaking world, solutions are often still used which in practice work as opt-out based models to obtain consent. In Germany, legitimate interest is often invoked to justify data usage; there is a provision here in the form of § 15 III TMG as a special implementation of the e-Privacy Directive. Both are approaches that seem to cling to the way things were before.
However, if a company goes into an audit process and tries to justify its use of data with implicit consent, it is very likely to fail. In the Netherlands, for example, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has just issued a statement that cookie walls in their current form do not obtain consent in any way. That is evidence of exactly this.
ADZINE: These are all examples in which GDPR prohibits old models. Are there also constructive parts of the regulation?
Reher: I see GDPR primarily as a kind of “enabling mechanism” through which companies can get in touch with their customers. The nice thing about consent is that if it is clean and engages the user, then you have the absolute ability to act in the context you have set out. On the other hand, one could say that the people who do not want to give consent may just not be the right target group for your brand. And even if user numbers decline, there still remains the opportunity to address them in a targeted manner via contextual targeting.
A huge part of the GDPR is documentation. It is a clean working environment. We’ve got new rules that are pretty accurate and precise, and can be implemented.
ADZINE: To obtain consent, many companies rely on Consent Management Platforms (CMPs). Here, however, there are examples in which opting out through nested menus is difficult. How can that be?
Reher: At the moment, we are still in a phase where many companies are providing solutions that are not legally sound but often promise to be. A CMP has to map the complete communication with all tracking providers used. Redirects to the providers’ own pages are not an optimal solution. The user should have as much control as possible, in the minimum possible number of steps, over the data that he or she consents to being used.
In addition, there is a general problem when CMPs operate on the opt-out principle, that is, when the user must deselect the services that should not access his or her data. This approach is based on the legitimate interest of the customer: as long as the user does not opt out, the possibility of legitimate interest would exist.
According to GDPR, this model no longer works. If the user is to participate and platforms work according to the “privacy by default” principle, then a CMP should have all services disabled in its default setting, and the user should voluntarily submit their data after being informed. If a CMP is set from the outset so that it allows everything, that is a fundamental contradiction of the idea of GDPR.
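The default-state point in the answer above, as an added example that is not from the interview, Adzine or Platform161: a minimal consent gate in which the only difference between the opt-out model and the privacy-by-default model is the initial value of every vendor flag, and in which tracking tags can only be loaded for vendors whose flag was set by an explicit decision. Vendor ids, purposes and the loader are constructed for illustration; a real CMP would also persist the decision and the information shown.

```javascript
// Added example (not from the interview, Adzine, or Platform161): a minimal
// consent gate contrasting an opt-out CMP (every vendor enabled until the
// user deselects it) with a privacy-by-default CMP (every vendor disabled
// until the user explicitly opts in). Vendor ids and purposes are constructed.

const VENDORS = [
  { id: "analytics-x", purpose: "reach measurement" },
  { id: "adtech-y", purpose: "profiling for targeted advertising" },
  { id: "social-z", purpose: "social plug-in / share button" },
];

// Build the initial consent state. `defaultGranted` is the only difference
// between the two models below.
function initialState(vendors, defaultGranted) {
  const state = {};
  for (const v of vendors) state[v.id] = defaultGranted;
  return Object.freeze(state);
}

// Opt-out model: everything is on at load time; the user has to switch
// vendors off one by one.
function legacyOptOutState(vendors = VENDORS) {
  return initialState(vendors, true);
}

// Privacy-by-default model: nothing is on until an affirmative choice.
function privacyByDefaultState(vendors = VENDORS) {
  return initialState(vendors, false);
}

// Dismissing the banner, scrolling, or "continuing to use the site" is not
// a decision: the state is returned unchanged.
function bannerDismissed(state) {
  return state;
}

// Record an explicit per-vendor decision. Only a literal `true` grants;
// anything else (undefined, "yes", 1) is treated as no consent. Returns a
// new frozen state so earlier states cannot be mutated by later code.
function recordDecision(state, vendorId, granted) {
  if (!Object.prototype.hasOwnProperty.call(state, vendorId)) {
    throw new Error(`unknown vendor: ${vendorId}`);
  }
  return Object.freeze({ ...state, [vendorId]: granted === true });
}

// The gate: which vendor tags may be loaded under the current state.
function allowedVendors(state, vendors = VENDORS) {
  return vendors.filter((v) => state[v.id] === true).map((v) => v.id);
}

// Simulated tag loader: invokes `loader` only for allowed vendors and
// returns the ids actually loaded, so the caller can verify the gate held.
function loadTags(state, loader, vendors = VENDORS) {
  const loaded = [];
  for (const id of allowedVendors(state, vendors)) {
    loader(id);
    loaded.push(id);
  }
  return loaded;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const noop = () => {};
  console.log("opt-out default loads:", loadTags(legacyOptOutState(), noop));
  let s = privacyByDefaultState();
  console.log("privacy-by-default loads:", loadTags(s, noop));
  s = bannerDismissed(s);
  console.log("after dismissing banner:", loadTags(s, noop));
  s = recordDecision(s, "analytics-x", true);
  console.log("after explicit opt-in to analytics-x:", loadTags(s, noop));
}
```

The check that matters in an audit is the second call: with the privacy-by-default state, `loadTags` invokes no loader at all until `recordDecision` has been called with `true` for a named vendor, and neither dismissing the banner nor a non-boolean "yes" changes that.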
ADZINE: The scenarios discussed mostly relate to tracking in the browser. However, there are also mobile vendors who install their SDKs in apps and can thereby measure other apps or the user’s actions on their smartphone. At what point do app users need to be informed? In the app store? Or when launching the app?
Reher: In this case, the question is where the data processing is scheduled to begin. For example, the Google Play Store communicates early, through image and text, which data is accessed. In this context, it can also be stated that personal data is used.
If the data processing does not start with the installation of the app, then an additional layer on the first opening of the app would be sufficient to inform the user and to obtain the consent.
ADZINE: The GDPR distinguishes controller and processor and regulates their responsibilities. What about this in the app arena? Are Apple and Google also responsible for their app stores?
Reher: Actually, the Facebook Fanpage verdict gives very good guidance here. It says that if a company initiates data processing, no matter how much control it ultimately has over the data, it still counts as a (co-)controller. However, it is not liable to the same extent as the company that actually uses the data. The situation is different when a company decides to install, for example, a third party’s plugin on its own homepage, as was the case with Fashion ID. It is then clear to the user of this plugin what the plugin aims to do. Again, there is a co-controller relationship, but the liability is more aligned.
These cases can also be applied to the app sector. The Play Store explains up front what data is retrieved; that is, Google is already taking care of informing the user. If app operators decide to install a third-party SDK, they will have to take some responsibility for that. The SDK operator itself will also not be able to escape responsibility. All of these parties act as co-controllers in their individual areas. The judgments so far suggest that the former relationship between controller and processor no longer really exists. Instead, everyone is a controller. Each player involved is no longer an assistant who does something, but an active participant in the process.
Christopher Reher at the Mobile Ad Summit
As in 2018, the Mobile Ad Summit will again offer training sessions this year to delve deeper into mobile topics. In his “Privacy in Motion” session, Christopher Reher will discuss current developments in the legal framework for mobile advertising and answer questions. Sign up for the event and have the opportunity to participate here.