EU General Data Protection Regulation (GDPR)

At the end of 2015, after several years of ongoing negotiations, the European Commission, the European Parliament and the European Council reached a compromise on the wording of a new regulation intended to reform the existing EU data protection legislation. It is now clear that the EU General Data Protection Regulation, which came into force in May 2016, will automatically become binding on all Member States as of May 2018.

What are the implications of the adoption of the new EU General Data Protection Regulation for the online sector?

By way of example, this Regulation will result in the following changes for the online advertising sector, some of which may have a significant impact on the design of products and services:

  • Extension of the concept of "personal data" to encompass online identifiers, such as cookie IDs, advertising IDs, IP addresses or even location data: Thus, all modern forms of online and tracking technology, such as cookie synchronization, cross-device targeting, online behavioral advertising (OBA) and many other targeting technologies, will essentially be subject to data protection legislation in the future.
  • Changes in the evaluation of pseudonymized data from a data protection perspective
  • New regulation of the possible forms of declarations of user consent
  • Introduction of the concept of "legitimate interests" of companies and/or "reasonable expectations" of users being capable, under certain conditions, of also justifying the use of personal data without the users' consent
  • New requirements as a result of the right of objection (opt-out)
  • Obligation to make data breaches public within a short period of time following their occurrence
  • Technology providers and systems operators will be required to carry out standardized data privacy impact assessments
  • The appointment of data protection officers will also be obligatory, for example, in other European countries in which personal data is regularly and systematically collected
  • Amendment of privacy notices

    Sebastian Doerfel

    Co-Founder & COO, adsquare GmbH

    We partner with ePrivacy to increase customer trust and secure our business models.

Side note: The Privacy Shield

Previously, the transfer of data to the USA was governed by the so-called “Safe Harbor” treaty. This treaty was an agreement between the European Union and the USA regarding the transfer of data to the USA. European law provides that each transfer of personal data to a country outside of the EU requires a special justification, and that it must also be ensured that the level of data protection in the receiving country corresponds to the level of data protection in the EU.

Because data is transferred to the USA in many cases in the online sector, for example through the use of an American cloud provider such as Google or Amazon, the EU and the USA established early on in that treaty that there was a sufficient level of data protection in the USA and that any company certified within the framework of the “Safe Harbor” treaty would be authorized to receive data from the EU.

After the European Court of Justice (ECJ) declared this treaty invalid, the data protection authorities concluded a new treaty: “Safe Harbor II”. This treaty in the field of data protection law, also called “Privacy Shield”, is made up of a range of promises from the US federal government and a ruling of the EU Commission based on them.

The treaty, which is not a treaty under international law but is merely made up of a range of letters, governs the protection of personal data transferred from a member state of the European Union to the USA. From 1 August 2016, US companies that want to transfer data between the two economic areas can be certified as meeting the requirements of the “Privacy Shield”.

All players in the online advertising sector should have clarified the following important issues with regard to their own business models by no later than the end of 2017:

  • Has the legal framework applicable to our products and services changed to such an extent that our stored data will in future be classified as personal data?
  • What form of declaration of user consent will be necessary for our business model in the future?
  • Do the opt-out options available to our users satisfy the new requirements?
  • What issues must be considered in the case of the dissemination of data to third parties?
  • What adjustments need to be made to our privacy notice?
  • Will we be required to appoint a data protection officer in the future?

Provision of assistance by ePrivacy

ePrivacy will assist you in developing your products and technologies from the outset in compliance with currently applicable and future data protection legislation.

Examples of the advisory services we provide:

  • Current-state analyses and evaluations on data protection issues
  • Expert opinions on the attainment of "GDPR ready" status, incl. assessment of any further necessary course of action for ensuring compliance with the new data protection legislation
  • Advice on the creation of technical business process models in compliance with data protection regulations
  • Carrying out of data privacy impact assessments (DPIAs)

Should you require any assistance in analyzing the future requirements of the GDPR and its ramifications for your company or your company’s business model, please feel free to contact us!
