How can you obtain users’ consent for online advertising purposes in a legally compliant manner without jeopardising your business’s sales? This question is more important than ever for marketing executives in 2020. Barbara Nietzer, Legal Director EMEA at Criteo, and Florian Tannen, Partner at Baker & McKenzie, explain where the regulatory challenges lie and what companies need to be aware of. They spoke about their experiences at a virtual event, Digital Bash Law, at the end of October.
Companies under pressure
Greater legal certainty
A lot of companies are now trading internationally. They then find themselves confronted by extensive data protection challenges. “The plan of creating standardized EU rules through the GDPR has somewhat failed as more than 50 topics have been placed in the hands of the local legislators,” Florian Tannen highlights. However, Barbara Nietzer has also noticed that the data protection authorities are communicating more with one another. She says: “It appears that the national data protection authorities are in conversation with one another. I am seeing increasingly bigger overlaps. The authorities have clearly recognised that we are living in a European world.”
Brexit, which is currently taking place, brings its own challenges, as the GDPR will no longer formally apply in the UK. However, there have been preparations and the UK has largely transposed the requirements of the GDPR into national law. The objective is likely to support the sharing of data as far as possible and prepare for an adequacy decision. The EU Commission has the option of assessing third countries with respect to their data protection legislation and, where that legislation is found to be adequate, international data transfers to those non-EU countries face fewer requirements.
Privacy Shield no longer applies
Earlier this year, the EU-U.S. Privacy Shield was invalidated by a judgment of the Court of Justice of the EU, also referred to as Schrems II. “With this decision, we have lost one of the data transfer vehicles that made it possible to send personal data to recipients in the USA if they were certified under EU-U.S. Privacy Shield,” explains Florian Tannen. Companies that relied on this transfer mechanism will now have to look for a new mechanism, such as the EU Standard Contractual Clauses, to back such data transfers. Following Schrems II, additional requirements in connection with these other data transfer mechanisms also need to be considered. “This is essential and cannot be avoided.” “So everyone was in a type of pause mode until the new recommendations of the European Data Protection Board,” explains Barbara Nietzer. The invalidation of the Privacy Shield is not an issue for Criteo as the company relies on standard contract clauses. “We would however be grateful for clear guidance.”
The approach to cookie walls
Targeting and data protection pose legal challenges for companies and are fraught with pitfalls. As a general rule, however, the following applies: When it comes to the handling of data, the GDPR applies indiscriminately to all companies, from small businesses to large corporations. Compliance with data protection laws is mandatory and must be taken seriously by every company. Enforcement is also increasing with respect to the appropriate use of cookie consent solutions.