Last Friday I had the pleasure of speaking at the Digiday Publishing Summit Europe in Nice, France. There were a good number of European publishers and technology companies in attendance. For me, the Summit was an opportunity to sound the alarm about the storm that is gathering in Brussels around online “tracking”, and how that storm may break on European media, depriving them of an important and growing revenue stream just when many of them are struggling in the transition to digital.
I explained how the negotiations on the General Data Protection Regulation (GDPR) had landed rather poorly for my members, with more data falling in scope and fewer options for processing it legally than under the 1995 Data Protection Directive. Still, I said, at least in theory we came out of the GDPR with three potential bases for processing personal data – consent, contract and legitimate interest.
I then shared the demoralising news that no sooner was the ink dry on the GDPR than we were confronted with the prospect of the goalposts being moved again, and those three legal bases being reduced to only one. This is a perfectly plausible outcome of the current review of the ePrivacy Directive, with its famous “cookie” provision. Instead of repealing that provision – which seemed to us to be the only logical course, since the GDPR leaves little or no room for arguing that cookies are out of scope – the Commission looks set to retain it in a new ePrivacy instrument, making digital advertising – or, in another variation, virtually every interaction that European users have with the Internet – subject to a single legal basis, consent.
But what’s wrong with that, you might think – surely something as important as the processing of personal data should not be done without the knowledge and agreement of the user?
My companies would fully agree. No one in my membership, and no publisher worth his weight in salt, wants to process the personal data of his customers in secret, or against their will.
But as I pointed out above, under the GDPR, consent, like the other legal bases, looks a narrower construct than under the 1995 Data Protection Directive. This is because recital language in the Regulation suggests that consent will not be operative when refusal to provide it might lead the user to suffer undefined “detriment”, or if there is “asymmetry” between the user and the provider of the online service that he or she is trying to access, or if the consent entails letting a publisher conduct data processing that is not “necessary” in order to deliver the online service. Any of these conditions could be interpreted in multiple ways. In the case of the “necessity” test, publishers may try to argue that it is “necessary” to pay journalists and keep the lights on in order to deliver content to users. Data Protection Authorities (DPAs) may make a different call.
Worse yet, I explained, even consent may not work in future. Since the summer, the national data protection authorities meeting in the Article 29 Working Party, with strong support from the European Data Protection Supervisor (EDPS), have been socialising the view that “cookie walls” – a phenomenon originally endorsed by DPAs as a means of implementing the cookie provision, and that allows publishers legally to collect consent for data processing – have failed, and need now to be banned. Informed consent, they argue, is a fallacy; consumers cannot be trusted to make the “right” choice, so they need to have the decision taken out of their hands.
Under this approach, the law would make it impossible for publishers to make access to their content conditional on the willingness to receive data-based advertising – the only kind of advertising that generates any meaningful revenue – or to process data to adapt content to what cookies on the browser of a regular user suggest that he or she is likely to be interested in. A future ePrivacy instrument could force publishers to offer either the very same content without advertising – that is, to give it away for free, or virtually for free – or via subscription, and at “reasonable cost”.
Such is the hysteria around tracking in Brussels now, and such was the failure of the GDPR to provide a “third way” for the low-risk processing of pseudonymous, non-sensitive data for advertising and the personalisation of digital content and services, that people one would not normally consider to be part of the lunatic fringe are perfectly at ease with the idea of the law dictating European publishers’ business model going forward – at least that of the publishers who are able to remain in business once the future rules come into force.