Adtech industry under scrutiny of the German Data Protection Authorities

When we use apps or browse the web, play online games or stream the latest season of our favorite TV shows on mobile devices, the publishers of the app or content are often tracking our activity to provide us with relevant advertising in consideration for free apps and games. The so-called adtech, i.e. the technology working behind the scenes for such advertising, is highly sophisticated and usually requires the processing of some personal information of the users.

What has happened so far in Europe?

In recent months, the adtech industry has been the focus of several data protection authorities in Europe. Besides fines imposed on several businesses for their advertising practices, the data protection authorities provided some guidance on how they want the privacy and data protection rules in Europe to be applied, in the first place both the so-called e-Privacy Directive (Directive 2002/58/EC and its updates) and the General Data Protection Regulation (Regulation 2016/679, GDPR).

The Information Commissioner’s Office (ICO) in the UK published their “Update report into adtech and real time bidding” in June, challenging the data processing practices of complex advertising technologies. The French Commission Nationale de l’Informatique et des Libertés (CNIL) published their action plan for 2019 at the end of June, putting targeted online advertising at the top of their list, followed by an update to the guidelines on cookies and other tracking devices in July.

What has happened so far in Germany?

Already in spring 2019, the German joint data protection authorities (Datenschutzkonferenz, DSK) posted their guideline for website publishers, focusing on the use of tracking mechanisms and advertising.

The guideline focusses mainly on the lawful processing of personal data with respect to advertising.

The existing German rules on processing of personal data by online service providers (Telemediengesetz, TMG) shall no longer apply. Therefore, the rules in the TMG might no longer serve as a legal basis for processing of personal data concerning online (targeted) advertising.

Instead, the GDPR shall set the rules for such data processing and the legitimacy of advertising from a data protection perspective, and it requires a diligent assessment of the legal basis for such processing. The DSK mentions three legal bases that usually work in this regard: performing contractual obligations, consent of the data subjects, or legitimate interest. However, for processing of personal data for advertising purposes, the performance of contractual obligations will serve as a legal basis only in a few exceptional cases. Usually, such processing is based on consent or legitimate interest.

The DSK makes clear that consent must be provided by the data subjects. In particular, with more complex adtech products the data processing involved is also getting more complex. Transparent information, for example concerning the list of recipients, is becoming extremely challenging and there is a lack of guidance by the DSK and the courts in Germany on how to ensure transparency in this regard.

However, if the processing is based on legitimate interest, the DSK provides more detailed guidance for the responsible providers. The DSK mentions some examples of data processing activities that might not be based on legitimate interest, and it seems that the German authorities are very strict in this regard.

In Germany, enforcement by the data protection authorities has now started with formal requests for information on data processing concerning advertising and targeting.

What to do now?

Every business active on the German market should review their standards of online data protection compliance. This affects publishers, advertisers and adtech providers equally.

  • Publishers should focus on the level of transparency of their information towards data subjects online. In addition, publishers should review the assessment of the legal basis for processing of personal data. The actual settings should for example be in line with the requirements of the GDPR concerning documentation of a legitimate interest assessment.
  • Advertisers should be aware of the technologies used for placing their ads. In particular, they should review the allocation of responsibilities for the data processing. Advertisers should also review whether an update is required with respect to the legal basis for the processing.
  • Adtech providers should focus on an update of their data protection product review. This means a review of the overall privacy design of the products, an update of information provided to publishers and advertisers if necessary, but also potentially a re-assessment of the legal basis for processing and the responsibilities for the data processing.