What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, significantly changing how companies handle personal data of their EU consumers. The GDPR will replace the current EU Data Protection Directive as the overarching data privacy framework across the European Economic Area (EEA).
With ad tech companies striving to create the best user experience by delivering the most relevant advertisements, the GDPR’s effects will be substantial.
How will the GDPR enhance personal data protection?
The GDPR calls for a “one-stop shop” approach to data privacy laws across all EEA countries. Any entity, regardless of its location in the world, that controls or processes the personal data of EU data subjects must adhere to the GDPR. Whether an entity offers goods or services to EU data subjects, monitors the behavior of individuals in the EU, or is “in the context of” EU business operations, the GDPR applies.
What data does the GDPR aim to protect?
The GDPR focuses on “personal data.” Personal data is that of an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier. Personal data includes: names, physical addresses, email addresses, social security numbers, and financial information. It also includes: IP addresses, location data, device IDs, and advertising IDs. Furthermore, special categories of personal data, such as genetic data, sexual orientation, biometric data, health data, and religious or philosophical beliefs, are subject to additional protections.
Specifically, the GDPR is directed at the processing of personal data. Processing broadly refers to any action that an entity performs on personal data, such as collecting, recording, organizing, storing, disclosing, combining, erasing, disseminating, or destroying the data.
How can companies ensure that personal data will be handled in accordance with the GDPR's requirements?
The GDPR requires companies to hire personnel who will then be responsible for ensuring GDPR adherence. Appointment of a Data Protection Officer (DPO), who will act independently and possesses data privacy expertise, may be required to oversee a company’s compliance with the GDPR.
Companies must maintain internal records about data processing activities to assure transparency and accountability. Additionally, companies should only collect personal data to the extent necessary for the processing activity or service, ensure accuracy of personal data, and destroy or anonymize personal data when the data is no longer needed.
Before any of that is done, however, any processing of personal data requires a lawful basis. The legal grounds for processing data under the GDPR are: (1) consent from the data subject; (2) legitimate interests of the data controller; (3) performance of a contract to which data subject is a party; (4) the controller’s compliance with a legal obligation; (5) protection of the vital interests of the data subject or a natural person; and (6) processing in the public interest or by a controller’s exercise of official authority. When relying on consent as the legal basis for processing, data subjects must provide consent to receive targeted advertising, where “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication.”
What are a data subject's rights under the GDPR?
The GDPR gives EU data subjects an array of privacy rights with respect to their personal data. Applicable rights include: access, rectification, erasure, restriction or objection to processing, data portability, and other rights relating to automated individual decision-making and profiling.
What if a company fails to follow the GDPR's requirements?
Failure to abide by the GDPR includes steep penalties that companies should be wary of. General fines may be imposed for infringements of a company’s obligations as a “data controller” under the GDPR, resulting in administrative fines of up to €10 million or 2% of annual revenue – whichever is higher. Increased fines for infringements regarding the basic principles for processing, individuals’ rights, transfers of personal data, or noncompliance with regulators’ orders may result in administrative fines of up to €20 million or 4% of annual revenue – whichever is higher. Individual EU data subjects can also sue for compensation for material or immaterial damage.
In January 2017, the European Commission proposed the ePrivacy Regulation as part of an initiative to replace the current ePrivacy Directive. Together with the GDPR, the ePrivacy Regulation will aim to provide the strongest protection to internet users' data across the EU.
Although the ePrivacy Regulation was intended to go into effect alongside the GDPR, the extensive process required by the EU makes it unlikely that the ePrivacy Regulation will become effective in May 2018. Nevertheless, companies are advised to review it seriously because it is lex specialis to the GDPR, and thus likely to become a regulation in the future.
Visit our ePrivacy Regulation blog post to learn more.
In light of the GDPR, we will ensure that serving ads to your app and mobile website end-users through the Smaato platform continues. We strive to provide ongoing GDPR suggestions and best practices that can enable the highest quality service, and we are committed to assisting our partners with their GDPR compliance efforts.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the GDPR.