EU Data Protection Supervisor Advocates for Ban on Targeted Advertising

The primary data protection authority within the European Union has put forth a recommendation for a prohibition on targeted advertising that relies on tracking users’ online behaviors. This suggestion is intended for inclusion in a significant revision of digital services regulations, with a central aim of enhancing the accountability of digital operators.

Wojciech Wiewiorówski, the European Data Protection Supervisor (EDPS), issued the call for a ban on surveillance-based targeted advertising in response to the Commission’s Digital Services Act (DSA), following a request for input from EU legislators.

DSA and DMA: A Major Overhaul of Digital Rules

The DSA legislative proposal was initially presented in December, concurrently with the Digital Markets Act (DMA). This marked the beginning of the EU’s extensive co-legislative process, involving debate and amendment negotiations within the European Parliament and Council before a final text can be approved.

Consequently, positions are being established to influence the ultimate form of the most substantial overhaul of pan-EU digital regulations in decades – with much still to be determined.

The EDPS’s intervention, advocating for a ban on targeted ads, serves as a proactive measure against efforts to weaken legislative safeguards for consumer interests.

While the Commission’s initial proposal did not extend to such a comprehensive ban, substantial lobbying from the technology sector is occurring in opposition. Therefore, the EDPS’s firm stance is considered particularly important.

EDPS Opinion: Beyond Transparency

In his assessment of the DSA, the EDPS asserts that “additional safeguards” are necessary to complement the risk mitigation measures proposed by the Commission. He argues that “certain activities within online platforms pose increasing risks not only to individual rights, but to society as a whole.”

The EDPS has expressed particular concern regarding online advertising, recommender systems, and content moderation practices.

“Given the numerous risks associated with online targeted advertising, the EDPS urges co-legislators to contemplate additional regulations extending beyond mere transparency,” he states. “These measures should encompass a phased reduction leading to a prohibition of targeted advertising based on pervasive tracking, alongside restrictions on the types of data processed for targeting and the data disclosed to advertisers.”

Growing Momentum for Privacy-Focused Regulations

This recommendation represents the latest regional effort to address mass-surveillance-based targeted advertising. The European Parliament previously called for stricter regulations in October, suggesting a phased-in ban should be considered by EU lawmakers.

However, the EDPS is advocating for a more direct and immediate prohibition.

Recently, the CEO of Axel Springer, a prominent European publishing company, publicly criticized U.S.-based data-mining tech platforms, characterizing them as turning citizens into “the marionettes of capitalist monopolies.” He called for EU lawmakers to expand regional privacy rules by prohibiting platforms from storing and utilizing personal data for commercial purposes.

Calls for Stronger GDPR Enforcement

Apple CEO Tim Cook also urged Europe to strengthen the enforcement of its General Data Protection Regulation (GDPR) during a recent conference.

Cook cautioned that the adtech “data complex” is contributing to a societal crisis by facilitating the spread of disinformation while seeking to profit from mass manipulation. He implored lawmakers to adopt a “universal, humanistic response” to those who claim a right to users’ private information, defining what will and will not be tolerated.

Apple is preparing to implement stricter tracking limitations on its smartphones, requiring apps to obtain user permission before tracking their data, rather than automatically collecting it. This move has understandably provoked opposition from the adtech industry, which relies on mass surveillance to deliver “relevant” advertisements.

Competition, Consumer Protection, and Data Protection

In response, the adtech industry has invoked “antitrust” arguments, attempting to persuade competition regulators to block platform-level measures against consentless surveillance. The EDPS’s opinion on the DMA reinforces the crucial connections between competition, consumer protection, and data protection law, asserting that these three areas are “inextricably linked” within the online platform economy.

Wiewiorówski also addresses recommender systems in his DSA opinion, stating that they should not rely on profiling by default to ensure compliance with regional data protection rules, where privacy by design and default is legally mandated.

He calls for additional measures to enhance the Commission’s legislative proposal, aiming to “further promote transparency and user control.”

This is essential, the EDPS argues, because these systems have a “significant impact.”

Algorithmic Recommender Systems and Societal Harm

The role of content recommendation engines in guiding internet users toward extremist viewpoints has been a subject of public concern for some time. In 2017, U.K. parliamentarians questioned tech companies on this issue, expressing concerns that AI-driven tools, designed to maximize platform profit by increasing user engagement, could inadvertently promote radicalization, causing harm to individuals and societal cohesion.

Despite these concerns, limited information is available on how these algorithmic recommender systems function, as private companies protect their workings as proprietary business secrets.

The Commission’s DSA proposal aims to address this lack of transparency by mandating platforms to provide “meaningful” criteria used for ad targeting, explain the “main parameters” of their recommender algorithms, and offer user controls, including a “nonprofiling” option.

Content Moderation and the Rule of Law

However, the EDPS urges regional lawmakers to go further in protecting individuals and society from the negative consequences of an industry based on harvesting personal data for manipulation.

Regarding content moderation, Wiewiorówski’s opinion emphasizes that it should “take place in accordance with the rule of law.” The Commission draft, however, has favored leaving interpretation of the law to platforms.

“Given the widespread monitoring of individuals’ behavior, particularly on online platforms, the DSA should clarify when efforts to combat ‘illegal content’ justify the use of automated means to detect, identify, and address it,” he writes, acknowledging recent CJEU jurisprudence in this area.

“Profiling for content moderation purposes should be prohibited unless the provider can demonstrate that such measures are strictly necessary to address systemic risks explicitly identified by the DSA,” he adds.

Interoperability and GDPR Consistency

The EDPS has also proposed minimum interoperability requirements for very large platforms and those designated as “gatekeepers” under the DMA, urging lawmakers to promote the development of technical standards to facilitate this at the European level.

Concerning the DMA, he urges amendments to ensure it “complements the GDPR effectively,” calling for “increasing protection for the fundamental rights and freedoms of individuals and avoiding conflicts with current data protection rules.”

Specific recommendations include clarifying that gatekeeper platforms must provide users with easier and more accessible consent management, clarifying the scope of data portability, and revising a provision requiring gatekeepers to provide access to aggregated user data to ensure “full consistency with the GDPR.”

The opinion also highlights the need for “effective anonymization,” with the EDPS calling for “re-identification tests when sharing query, click, and view data related to free and paid search generated by end users on online search engines of the gatekeeper.”

Progress on ePrivacy Reform After a Period of Inactivity

The emergence of progress regarding ePrivacy reform coincides with contributions from Wiewiorówski in shaping upcoming platform regulations. The European Council has now finalized its negotiating stance for the long-awaited EU update to existing ePrivacy regulations.

According to a press release from the Commission, Member States have reached a consensus on a negotiating mandate for revised rules concerning the safeguarding of privacy and confidentiality within electronic communications services.

The Commission explains that these modernized ‘ePrivacy’ rules will delineate the circumstances under which service providers are permitted to process electronic communications data or access information stored on users’ devices. It further states that this agreement enables the Portuguese presidency to initiate discussions with the European Parliament regarding the final text.

Reforming the ePrivacy directive has faced significant delays due to conflicting interests, thwarting the Commission’s earlier aspirations to complete the process by 2018. The initial ePrivacy reform proposal was released in January 2017, and it has taken four years for the Council to establish its negotiating position.

The prior enactment of the GDPR seems to have heightened the stakes for entities reliant on data, particularly within the adtech and telecommunications sectors. The latter is keen to eliminate existing regulatory obstacles concerning communications data, allowing them to leverage the extensive user data accumulated by large internet companies offering competing messaging and VoIP services.

A deliberate attempt is being made to utilize ePrivacy to undermine consumer protections enshrined in the GDPR, including efforts to weaken safeguards for sensitive personal data. Consequently, a contentious battle over rights is anticipated as negotiations commence with the European Parliament.

Rules pertaining to metadata and cookie consent are also integral to ePrivacy, resulting in a complex array of debated issues.

Access Now, a digital rights advocacy organization, criticized the Council’s approach as significantly falling short of expectations.

“While intended to bolster privacy rights within the EU, States have introduced so many exceptions that the proposal now resembles Swiss cheese,” stated Estelle Massé, senior policy analyst at Access Now. “The adopted text is inferior to the Parliament’s version and previous governmental positions. We have lost progressive provisions for privacy protection, while several surveillance measures have been incorporated.”

The group intends to advocate for the reinstatement of requirements for service providers to prioritize online user privacy by default and the establishment of clear regulations against online tracking beyond cookies, among other policy objectives.

The Council, conversely, appears to favor a weakened form of “do not track” functionality, suggesting that users should be able to consent to the use of “specific types of cookies by adding providers to a whitelist within their browser settings”, as indicated by the Commission.

“Software developers will be encouraged to facilitate easy setup, modification, and revocation of consent through browser whitelists,” the press release adds.

The specifics of the Council’s position will be crucial. The European Parliament has previously supported a “legally binding and enforceable” Do Not Track mechanism for ePrivacy, setting the stage for further disagreements.

Encryption is also expected to be a key point of contention during the ePrivacy discussions.

As security and privacy researcher Dr Lukasz Olejnik highlighted in mid-2017, the parliament strongly endorsed end-to-end encryption as a means of protecting the confidentiality of communications data, asserting that Member States should refrain from imposing obligations on service providers to compromise strong encryption.

Notably, the Council’s public position contains limited discussion regarding end-to-end encryption. A statement indicating that “electronic communications data will generally be confidential, and any interference, including listening, monitoring, and processing by parties other than the end-user, will be prohibited except when permitted by the ePrivacy regulation” offers little reassurance.

This omission is particularly concerning given recent efforts at the Council level to promote “lawful” access to encrypted data. Digital and human rights groups are preparing for a significant challenge.