In our previous blog, we reviewed recent developments in Europe and the USA that clarify when digital identifiers should be considered Personal Data. The GDPR, like US data protection laws, defines Personal Data as information linked or related to a specific individual.
When information is linked only to objects (e.g., VIN of a car, MAID of a cell phone), according to these new clarifications, one must look to additional factors to appropriately determine whether such information should be classified as Personal Data.
In the SRB case, we reviewed how the data in one organisation’s hands may be anonymous, while that same information in another organisation’s hands can be Personal Data. The deciding factor in that case is whether appropriate organisational measures exist to keep the data in question separate from the identity of specific individuals. The Information Commissioner’s Office refers to this as the “in-whose-hands” analysis.
Earlier this month, the Federal Trade Commission reached two settlements with US organisations that uphold the in-whose-hands test. In the first case, Outlogic licensed geolocation data linked to a MAID and failed to implement “certain safeguards at a reasonable cost and expenditure of resources.” The FTC settlement prohibits Outlogic from sharing sensitive location information linked to specific individuals. Under the order, Outlogic must delete the data it has previously collected, but has “the option to retain historic location data if it has obtained affirmative express consent or it ensures that the historic location data is deidentified or rendered non-sensitive.”
The FTC defines the deidentification process in line with other US data protection regulations, namely a four-part test. To designate data in the hands of the organisation possessing it as Deidentified, that organisation must ensure it has:
- Reasonable Internal Measures: to prohibit the association of Deidentified information with a specific individual.
- Reasonable Public Policies: to not “attempt to reidentify the information,” such as publicly committing to use and maintain the Deidentified information in that form.
- Reasonable External Measures: appropriate prohibitions with contractual recipients that “specifically prohibit reidentification”.
- Reasonable Internal Security: appropriate “business processes to prevent inadvertent release of Deidentified information”.
The second FTC case, settled with InMarket Media, is consistent with the same definitions and obligations as the Outlogic settlement.
These cases also support the same policies outlined in Google’s recent settlement with the California AG and 40 other US State Attorneys General over Google’s collection and processing of location data (see our related blogpost here) and mark a pragmatic step forward to support responsible handling within a decentralised, competitive ecosystem. We have identified three reasons why these settlements are a welcome development:
- It Exempts Deidentified Information from the Scope of Regulation
The exemption of Deidentified data is a pragmatic approach to incentivise organisations to rely on Deidentified exchanges whenever possible.
Moreover, this standard appropriately limits data controllers’ auditing obligations to their direct contractual partners – rather than the world at large. Where the GDPR regime prescribes that each recipient of Personal Data must be a joint controller with joint liability, this new approach disapplies GDPR where it is established that data has been de-linked from a specific individual and is not sensitive.
- Once Data Output is Rendered Non-Sensitive, it is Innocuous
In relation to transient processing, as highlighted in the FTC settlements, where appropriate organisational measures are used to render information non-sensitive and Deidentified, this innocuous information can be passed on to recipients. This is a pragmatic interpretation which correctly ensures that only high-risk, identity-linked data is subject to compliance and monitoring obligations. Therefore, small and independent publishers who deal exclusively with innocuous, Deidentified data are able to compete in a decentralised ecosystem, avoiding undue and excessive expenses.
- Different Obligations Depending on Proximity to the Consumer
Depending on their relationship with the consumer, stakeholders will be subject to a different level of consent obligations. First party publishers must give more notice and choice, as they have a direct relationship with consumers. Meanwhile, for aggregators like ad exchanges who operate as business-facing market makers to improve the monetisation of media owners’ ad inventory, but have no direct connection to individuals’ interactions with publishers, their obligations hinge on whether they have the reasonable organisational measures to appropriately mitigate risk. If, as in the SRB case, they have no legal means of reidentifying the data in their hands, then there is a lower risk for this decentralised business data processing.
Importantly, the business-facing solution providers that support consumer-facing first party publishers, and do directly collect information from individuals’ devices, are in the middle of this spectrum. While they are subject to a lower set of obligations, relative to the first-party publishers, given they have a direct contract with these consumer-facing properties, they have a higher bar than ad exchanges and other market-making aggregators who have no direct connection to consumers.
This standard correctly highlights that, where risk has been mitigated upstream (i.e., with organisational safeguards), downstream recipient stakeholders who use such data are subject to less onerous compliance and monitoring obligations. As such, smaller, independent publishers who use non-sensitive information collected through aggregation providers can better compete with larger, vertically integrated rivals, thus promoting greater competition across the decentralised ecosystem.
Please contact Tim Cowen if you have any questions regarding the above.
The material contained in this article is only for general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.
This article is written in the English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.