An article for the Amsterdam newspaper De Volkskrant, TPC, the Netherlands’s privacy rights organization, discusses the growing privacy concerns of Europeans regarding behavioral ad companies. In addition, this article discusses Google’s recent fine for violating GDPR obligations. The report also discusses what the Netherlands’s DPA is doing to protect privacy.
The behavioral ad industry violates EU privacy laws.
Regulatory bodies worldwide weigh whether the behavioral advertising industry is violating EU privacy laws. Recent news stories have highlighted the controversial practice of personal harvesting data from Facebook users for political advertising purposes. The recent Cambridge Analytica scandal, which involved many websites including xhamster and 87 million Facebook users’ data, has fueled the debate. The controversial practice leaves people open to fraud, misinformation, and scams. Moreover, due to recent news, some people may have been misled by behavioral advertisements.
Meanwhile, the European Commission has raised concerns over the failure of the UK UK to require behavioral advertisers to obtain user consent before collecting personal information. The Data Privacy Directive in the EU makes it illegal to collect personal information from Europeans without their explicit permission. It means that the behavioral ad industry is violating EU privacy laws by failing to obtain consent from web users. While this may sound like a trivial problem, it can have significant consequences for ad tech in the local market.
Regulations in the EU have made it difficult for the behavioral advertising industry to meet its obligations. While the Working Party opinion has outlined specific commitments for companies, there is no agreement on the responsible parties in the ecosystem. Ultimately, ad networks are the controllers of targeting data, but publishers of targeted advertisements may be responsible for obtaining user consent. Nonetheless, the Working Party has recommended that the EU adopt a national privacy law to enforce these rules on the behavioral ad industry.
Behavioral advertising relies on placing cookies on web users’ computers.
These cookies create a profile of personal information. The European Union’s Data Protection Directive, or GDPR, governs this type of advertising. It also contains a definition of what constitutes processing data—as such, manipulating data to serve behavioral advertising is likely to fall under the directive’s scope. And there are already numerous examples of the behavioral ad industry violating EU privacy laws.
IAB claims that it can rely on a legitimate interest (LI) as a legal basis for processing people’s data
The IAB Europe has violated GDPR by failing to comply with several obligations related to data protection. These include failing to appoint a data protection officer, maintaining a comprehensive record of processing activities, and not ensuring that data is kept confidential. The ICO’s findings are significant and are likely to lead to further action from the IAB.
IAB Europe argues that the TC String information relating to its members is not personal data, as it cannot be directly linked to the users. However, when used with IPIP addresses, it could indirectly identify users. In addition, the APD has taken the same position as the EDPB, ruling that the information relating to its members can be processed following the rights of the data subjects.
However, a recent case has cast doubt on IAB’s legal basis for processing people’s data. The Belgian Data Protection Authority has fined IAB Europe EUR 250,000 for processing personal data in its TCF. Still, the fine may have broader implications for the RTB ecosystem, intermediaries, and technical standards. The IAB has argued that the TCF is valid under GDPR, but this argument is subject to the fact that it’s not the only one.
Another common complaint against IAB’s use of legitimate interest as a legal basis for processing the data of individuals is that it is interfering with the data subjects’ fundamental rights. The IAB also says it is legally permitted to use this legal basis, but it must demonstrate that it has an actual interest in processing the data. In addition, the legitimate interest assessment must consider the data subjects’ fundamental rights and privacy.
Google’s privacy concerns in the Netherlands
A report by the Dutch Data Protection Authority has highlighted several concerns about Google’s privacy practices in the Netherlands. For example, Dutch internet users interact with Google through search, YouTube, Maps, and third-party websites, such as Cam4, Tech2 Gadgets, covering technology news, gadget reviews, and specification. The DPA says that Google combines personal data from multiple sources without consent, including data from search queries, YouTube videos, and e-mails sent and received.
The Netherlands is the latest European country to challenge Google’s privacy policies. The Dutch Data Protection Authority has given the search giant until October 6 to change its data handling practices and pay a fine of up to 18 million euros. The Netherlands’ privacy laws are less stringent than those of other European countries, such as France and Germany, and the Dutch government wants to make sure that no one can use Google services in those countries.
Google’s lobbying attempts to replace existing EU data protection legal standards with its own “reasonable” standard have been called irrational by two European data supervisors. Moreover, Google has not changed its business practices or introduced encryption key escrow or a robust contractual clause for challenging access requests. Nevertheless, the Dutch data regulator has given Google three months to inform offline data subjects and destroy the payload data.
The Dutch DPA is worried that Google’s Workspace applications may combine personal data with information from other websites. For example, students may access YouTube and search from their Workspace account but still be tracked if they visit other Google services. This is because Google stores the same information about the user in other applications. And as this means that Google is not only tracking student behavior in one location, but it can also track the students’ online activities.
Google was fined for failing to comply with GDPR obligations.
The EU regulator said that Google’s practices violated the GDPR because it failed to obtain users’ “genuine consent” and failed to give enough control over how it used their data. In the EU, companies must receive “clear and unambiguous consent” from their users and make it easy for those users to withdraw it. The fine is not the first in this case. Other big tech companies have also received penalties under the GDPR.
The CNIL, the leading European privacy regulator, imposed sanctions on Google over its practices of capturing and processing personal data. Its enforcement actions have been limited mainly to individual companies, but it has also been active in publishing guidance and making enforcement decisions against companies that violate its rules. Google will likely appeal the decision, which has prompted the company to enter renewed discussions with the regulator. If the company fails to comply with the GDPR, the consequences will be significant.
France’s data protection regulator, the CNIL, has fined Google EUR50 million for failing to comply with GDPR obligations. The CNIL ruled that Google could not obtain consent from users before collecting personal information for advertising purposes. Google admitted that it did not disclose how it collected user data and used it for personalized advertisements across various services. This has led to complaints from French privacy rights groups.
The GDPR’s new privacy protection laws will significantly impact the technology industry. A fine of this size will be the largest under the GDPR. Currently, only a handful of companies have faced such a fine. For example, CNIL has fined Apple, Brazzers, Netflix, and Spotify for non-compliance. The EU privacy regulator is also looking at the company’s business model, namely turning the data of millions of users into narrowly targeted ads.
Google was fined for failure to comply with GDPR obligations.
French data protection authority CNIL has fined Google for failing to comply with its obligations under the EU’sEU’s new data protection law. The regulator found that Google’s actions in this regard deprived users of “essential guarantees.” This is due to the massive volume of data Google collects and the range of its services and almost limitless combination possibilities. The CNIL also pointed out that Google did not make its disclosures clear or easy to understand. Users had to click through several documents to reach relevant information and took up to six actions to obtain all pertinent information.
In its report to the European Commission, CNIL criticized Google’s “comprehensive and transparent data processing policies,” saying that it was unclear about the data sources that Google uses to collect and use users’ personal information. This fine is the first time a major tech giant has been fined under the GDPR rules. The regulation went into effect last May, making it the first major technology company to fall foul of the rules.
The CNIL’s decision comes after complaints from two non-profit organizations representing 9974 individuals. Google was found to have violated the GDPR by failing to provide complete information about how it handles user data. The decision will undoubtedly have a lasting impact on how we interact with technology. If our privacy rights truly protect us, we all must work together to ensure that our technology is secure.
Another example of failure to comply with GDPR obligations is Google’s consent flow. The website pushes users to create a Google account by telling them that they’ll have a worse experience without it. This is illegal and violates GDPR obligations. Google has also been fined for ‘conducting fraudulent activities’ concerning data collection. This is known as ‘consent bundling.’