Brussels’ top data protection cop is calling for a ban on targeted advertising based on online users’ digital activity, in a major escalation of the war against the adtech sector which has triggered a stiff rebuke from online ad industry body IAB Europe.
European Data Protection Supervisor Wojciech Wiewiorówski made the call for a ban on surveillance-based targeted ads in reference to the EU Digital Services Act, but his battle-cry could also have a major impact on the long-delayed ePrivacy Regulation, which has been brought back from the dead this week.
While the UK is no longer part of the EU, it is likely that the country will still have to adopt any new data protection regulations – or take equivalent measures – to ensure British businesses can continue to exchange data with EU firms, if and when a data adequacy deal is signed.
Wiewiorówski’s intervention is being seen as a powerful pre-emptive strike against attempts to water down legislative protections for consumer interests.
In his opinion on the Digital Services Act, Wiewiorówski wrote that “additional safeguards” are needed to supplement risk mitigation measures proposed by the Commission, arguing that “certain activities in the context of online platforms present increasing risks not only for the rights of individuals, but for society as a whole”.
He added: “Given the multitude of risks associated with online targeted advertising, the EDPS urges the co-legislators to consider additional rules going beyond transparency. Such measures should include a phase-out, leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.”
Wiewiorówski also calls for amendments to ensure the proposal “complements the GDPR effectively…increasing protection for the fundamental rights and freedoms of the persons concerned, and avoiding frictions with current data protection rules”.
In response, IAB Europe said: “It is dismaying to see the European Data Protection Supervisor suggesting a full ban on targeted advertising to address the problem of data being used for advertising purposes, despite having been collected for non-advertising purposes.
“Such behaviour is already demonstrably illegal under existing law. Similarly, the EDPS call for restrictions on what data may be processed for targeted ads or disclosed to advertisers or third parties is difficult to understand, since such restrictions already exist in the GDPR.”
His intervention comes as the European Council has finally reached agreement on its negotiating position for the ePrivacy Regulation, which has been at a standstill since November 2019.
The review – which also includes the Privacy & Electronic Communications Regulations (PECR) – was first proposed in April 2016, nearly five years ago. It is designed to tighten up the laws on online and mobile marketing, SMS, email and telemarketing activity; the directive was last updated in 2009.
The Commission has now confirmed that member states have agreed on a negotiating mandate for revised rules.
It stated: “These updated ‘ePrivacy’ rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices. The agreement allows the Portuguese presidency to start talks with the European Parliament on the final text.”
Digital rights advocacy group Access Now claims the Council has “hugely” missed the mark by suggesting online users should be able to give consent to the use of “certain types of cookies by whitelisting one or several providers in their browser settings”.
In a statement, Access Now senior policy analyst Estelle Massé said: “The reform is supposed to strengthen privacy rights in the EU [but] States poked so many holes into the proposal that it now looks like French Gruyère. The text adopted today is below par when compared to the Parliament’s text and previous versions of government positions. We lost forward-looking provisions for the protection of privacy while several surveillance measures have been added.”
The group said it will be pushing to restore requirements for service providers to protect online users’ privacy by default and for the establishment of clear rules against online tracking beyond cookies, among other policy preferences.
Perhaps unsurprisingly, IAB Europe is more upbeat. It stated: “The agreement constitutes a major milestone toward getting an updated regulation in place. IAB Europe welcomes this progress, and the prospect of a productive trilogue negotiation over the coming months.
“Digital advertising remains the major revenue stream financing Europe’s free and diverse press and media. It accounts for 81% of media digital revenues in the Union, enabling citizens to access trusted and high-quality content and services.
“A productive and successful trilogue phase should yield a final text that provides strong privacy protections and enables media and other online content and services to continue to rely on an advertising revenue stream.”
Businesses warned Brussels data deal is still unlikely
Fresh delay leaves ePrivacy Regulation dead in water
Brussels told to get a move on with ePrivacy overhaul
ICO drops data bombshell as cookie law is overhauled
DMA opens twin offensive against ePrivacy overhaul
Industry reprieve as ePrivacy shake-up hits the buffers
ePrivacy shake-up ‘will finally bring tech giants to heel’
Tech and ad giants go to war on EU ePrivacy shake-up
Industry wins more time to fight ePrivacy shake-up
Brussels under pressure to slam brakes on ePrivacy law
UK firms face months in the dark over PECR shake-up
Online giants baulk at EU plan to overhaul cookie law