Analysing Google’s Purported Legal Position vis-à-vis Publishers under the General Data Protection Regulation
Publishers and Google


Background

With the General Data Protection Regulation (“Regulation/GDPR”) having come into effect on May 25, 2018, businesses have had to reassess the nature, scope and purpose of their processing of data subjects’ personal data in the European Economic Area. This has led establishments, even those outside the territorial scope of the Regulation, to make fundamental alterations to their data practices. For multinationals such as Google, which offer goods or services to EU data subjects, with or without consideration, or monitor their behaviour, it is imperative to be compliant lest they attract a fine of up to 4% of their annual gross revenue.

While Google has the technical and financial means to make such a transition easy, smaller businesses that rely heavily on its suite of services have been blindsided, not by the implementation of the Regulation, but by Google’s own modification of its advertising policies. Publishers, who utilize Google’s framework and tools to generate ad revenue, personalize and measure advertisements, and track user behaviour to tailor the experience, were informed on March 22, 2018 that they would be required to take unspecified “extra steps in obtaining consent from their users”. As a lawful basis of processing, consent is more difficult to acquire, record and retain than legitimate business interests, and it gives data subjects unilateral control to withdraw it at will at any point in time. The unspecified nature of Google’s solution to support publishers in showing non-personalized ads, and its attempt to transfer GDPR’s heightened consent burdens to the publishers which utilize its services, are compounded by Google’s affirmative attempts to act as a controller of personal data.

The ambiguity in Google’s relationship with publishers, the dubious phrasing of some of its Advertising Services’ policies and of its Controller/Processor Agreements, and its insistence that publishers integrate certain consent frameworks by working only with designated partners raise untenable business and anti-trust concerns, and are on the whole inconsistent with the intent and wording of the Regulation.

Google: Legal Position and Offerings

Google has taken the stance of an independent controller, joint controller, processor and sub-processor, depending on the nature of its offerings. While publishers and legal experts view its role as that of a processor when publishers utilize services such as Google Analytics and Firebase for collecting analytical information, and AdSense and DoubleClick Cookie for advertising purposes, Google has tried to assert, via its many Data Processing Agreements, the role of a controller without shouldering any of the liability. It is admitted that Google does wear the robe of a controller in certain circumstances, such as by virtue of some of the sophisticated algorithms that it employs in its advertising services; however, it cannot and must not have unilateral control over all other personal data collected from the properties of its publishers. The inherent flaw in its approach can be highlighted by concurrently dissecting some of its agreements, the provisions of the Regulation and the Working Party Recommendations.

As Article 4(7) of the Regulation states, a “controller” for purposes of the GDPR is the natural or legal person which, alone or jointly with others, “determines the purposes and means of the processing of personal data.” On the other hand, under Article 4(8), a “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Adding to the confusion, for services such as Google Cloud, where it hosts customers’ information and allows them ease of access and modification, Google has identified itself as a processor even though its relationship with the data is closely similar to that in its other services.

Google’s role as a controller inherently creates a contradiction, not only between its claim and the law, but also between its obligation and supposed liability. It argues that because its services such as Google AdManager and AdExchange provide a platform that maximizes monetization, tailors ads, streamlines operations for publishers, tests algorithms, monitors latency and takes decisions to improve the overall product and end-user experience, it should be classified as a controller, one that regulates data processing, not of another processor but of another controller in the form of publishers. But the personal data being collected comes from data subject traffic received by the publishers’ properties. The publishers have contracted Google to process it according to their contractual relationship, and they are the ones who share a direct relationship with the data subjects.

Acquiring Consent: Framework

A simple perusal of their EU User Consent Policy, specifically their page on ‘Tools to help Publishers comply with GDPR’, brings to the forefront their statement that their relationship as independent controllers of their data is regulated by contract and does not provide them with any additional rights. But they also categorically state that inability to incorporate Google’s consent policy, or failure by the publishers to properly record consent or to inform users about the method of revoking consent and about the presence and use of cookies, would lead to automatic limitation or suspension of their products from the Google platform and/or the termination of the agreement between the parties. Being able to dictate the above, instructing publishers to use ‘commercially reasonable efforts’ to ensure Google’s interpretation of compliance with the Regulation from third parties utilizing their services, allowing their affiliates to be authorized as sub-processors under their ‘Google Ads Data Processing Terms’, and inserting a caveat in their page ‘How Google Uses AdManager and AdExchange Data’ to allow for sharing of data collected by the publishers using Google’s platform with publishers who do not compete with those who use Google’s above-mentioned services, are glaring examples of how Google is indeed asserting additional rights.

Its compliance with the International Advertising Board’s (‘IAB’) Consent Framework is noteworthy, with Google propagating not only better data protection standards but also the industry’s best practices. Such a mechanism addresses data leakage, collates privacy policies, makes acquiring consent and GDPR compliance much easier, and integrates ePrivacy requirements. However, the intent of the framework, which was designed to be flexible and to accommodate different publisher and vendor needs centering around transparency, control and choice, is being defeated by Google mandating its own standards on top: strongly discouraging publishers from working with Vendors not listed on the Global Vendor List, penalizing them for any derogation, vitiating any consent-obtaining procedure without providing the publishers with adequate and transparent fair processing terms, and asserting itself as a controller even when the publishers are of the belief that Google works as a processor for them. Such an emphasis on the adoption of a framework that is yet to offer support for different purposes for different vendors, due to payload issues being too big to handle, undermines the relationship that it shares with publishers.

If the relationship between Google and its publishers were truly that of independent controllers, or even partner processors, contractual arrangements would have to be individually decided, thus tackling risk allocation on a case-by-case basis. But such allocation is done in a manner that barely meets the criteria of an ‘independent’ controller with publishers only being allowed to control the data shared for bidding by publishers, decide the extent of sharing of non-signed in and signed in data or choose the amount of personalization of the ads that are displayed on their properties. 

Analysis: Understanding Google’s Relationship with Publishers

4.1 Legal Obfuscation 

Legal obfuscation can neither be used to hide from pertinent obligations, nor can it be used to escape proportionate liability. The use of multiple terms, contracts and policies stipulating different roles for Google makes it confusing for both end-users and publishers to gauge the nature of the processing of their personal data.

Furthermore, the absence of clear definitions for personalized and non-personalized adverts; the lack of demarcation as to what extent an IP address would be construed as personal data, given that Google does not view IP addresses as personal data under its EU User Consent Policy; and the technical ambiguity behind the use of cookies, given that they still need to fulfil their purpose without actually tracking the data subject, all contribute to growing confusion in the implementation of a harmonious data protection regime.

4.2 Abuse of Market Power

The Google Controller Terms (§ 4.1(a) and (b)) spell out that Google will be an independent controller with respect to any personal data that is processed by either party under such terms in connection with their use of Google’s services. Each party will further individually determine the purposes and means of its processing of Controller Personal Data.

Claiming such broad rights, without underlying transparency and without allowing the publishers to choose Google as a processor for certain types of data can be viewed as strong-arming tactics used by a market leader to process data beyond its bounds, dictate competition by dominating those who use Google’s platform and nudge them towards certain vendors favoured by Google.

4.2 Derogation from Valid Consent Structure 

Under Articles 4 and 7 of the GDPR, consent must be unambiguous, informed, specific, free and active. Coupled with the principles of transparency and purpose limitation, data processing must be disclosed and “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Reading the above together with Recital 43 and the Article 29 Working Party’s Guidelines on Consent, adopted on 28 November 2017, it becomes evident that conflating several purposes for processing, without safeguarding against function creep and without ensuring granularity and clear separation in consent requests, leads to the conclusion that such consent was not freely given. Moreover, the broad-brush approach of Google placing on publishers the full burden of acquiring consent for “personalization of its ads or other services from its users” does not meet the standards stipulated under GDPR, and is not an appropriate reaction to realizing that it cannot rely on prior or prospective consent bundled with the use of its services.

Furthermore, as a controller, the standard for acquiring valid, unambiguous, specific, informed consent is greater, and Google is trying to delegate such a crucial act to its fellow publisher controllers by offering to obtain consent on its websites from data subjects while simultaneously requesting publishers to obtain consent for Google’s adverts on their own properties. The irony exists in the fact that the processors who are being asked to obtain consent on behalf of Google are unaware as to how the data will be used, making it impossible for the publishers to acquire valid consent. 

4.3 Lack of Objection Mechanism for Automated-Decision Making

While not all establishments that automate decisions are automatically controllers, Google has affirmatively adopted such a position and utilizes DoubleClick, an ad service that is designed to be automated: “A DS bid strategy can also automate the processes of creating and managing location targets and product groups.”

The present model stipulated by Google does not anticipate potential objections to automated decision-making and profiling, as listed under Articles 21-22, nor does it pay attention to giving publishers the choice of whether to engage in such processing in the first place. Additionally, while certain kinds of automated processing are prohibited, such as those which produce legal effects concerning the data subject or significantly impact him or her, Article 22(2) can be invoked on the data subject’s explicit consent to justify such activities, but only after the implementation of “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.” Explicit consent is seemingly a higher threshold to meet but has been treated similarly, by being delegated to the publishers. Such consent, even if acquired, is prima facie invalid. Lastly, opacity in automated processing activities does not justify denying data subjects the right to obtain human intervention from Google or to contest automated decisions, nor does it justify preventing publishers from having any visibility or control over the mechanism available at Google.

4.4 Limitation and Transfer of Liability

Google’s Controller-Controller Data Protection Agreement and Google Ads Data Processing Terms include a liability limitation clause stating that the exclusions and limitations in the above terms are applicable in Europe, but not in the US. Understandably, there isn’t complete harmony between the US and the EU in terms of data protection standards even after the institution of the EU-US Privacy Shield, and the penalties imposed in a private action suit are considerably lower than those imposed under GDPR. But as a controller, Google is required to implement industry best practices, not just attain legal compliance.

The problem is exacerbated when Google tries not only to limit liability but also to transfer it to its publishers. If Google wishes to be an ‘independent’ controller making its own unilateral or automated decisions, it must do so transparently. The contractual structure it has in place with publishers results in improper allocation of responsibility and liability: placing the burden of obtaining valid consent on behalf of Google on publishers who do not understand the purpose behind such personal data processing could result in potentially ruinous fines for them. Self-indemnification clauses, such as those stating that the Data Recipient (‘Google’) will not be in breach if it processes the data consistent with the required consent even if the Data Provider (‘Publishers’) fails to obtain legally valid consent, highlight how Google is attempting to use GDPR to mitigate its own significant risks to fundamental rights and freedoms created by its shady activities, while omitting to mutually indemnify its partners. Its take-it-or-leave-it approach is, ironically, fundamentally against the GDPR and must be replaced with individual contractual negotiations.

Conclusion

While Google does take on the garb of a controller with regard to some of its services, it cannot make unilateral, sweeping decisions about the use of data collected from publishers’ properties. Publishers are the primary controllers of the data and share an actual relationship with their customers. They have simply, directly or indirectly, contracted Google to act as their processor due to the wide range of business optimization suites that it offers. Google must not use its unique position to leverage data to further its own ends or in a manner that neither the publisher nor the consumer understands. Google wants the benefits of being a controller and none of the liability, which is a standpoint that must not be allowed to exist. It needs to address the lack of a human intervention mechanism for automated processing activities, the lack of visibility of controls and choice for publishers, and the lack of a proper risk-sharing framework with publishers. Thus, certain recommendations have been listed below so as to alleviate the present situation and ensure greater compliance with GDPR by Google and its data protection policies.

Recommendations

  • Google must act solely as a processor and must not use personal data that isn’t anticipated or agreed upon by virtue of its contractual relationship, barring the times when it must act as a controller to determine the nature of processing by necessity. 
  • This must be represented and warranted in its agreements with publishers. 
  • Google should negotiate risk allocation on a case-by-case basis with publishers
  • Appropriate limitations and carve-outs must accurately reflect the obligations, the nature and scope of their processing and their available resources without placing a blanket take it or leave it agreement in front of them
  • Include mutual indemnification clauses in their agreements to prevent the total liability from being placed on the publishers
  • Clarify certain key terms and the way certain technologies will operate to better inform technical experts and contractual relationships
  • Provide absolute transparency in processing activities- both present and anticipated
  • Specification of purposes for explicit consent
  • Provide proper, granular consent mechanisms to publisher customers who might be the only consumer facing entity, to acquire consent while bearing proportionate burdens
  • Provide objection, human intervention and re-consideration mechanisms for automated processing and profiling decisions
  • Provide training and a transition duration for publishers to be compliant with the internal consent framework without directly limiting or suspending a product or service or terminating the agreement with the publisher. 
  • This can be done through a warning system with a provision for a request for human intervention, if it is being automated
  • Simplify discrepancies and confusion in its role as either a processor or a controller through comprehensive terms and policies.
  • Placing equal emphasis on other lawful bases of processing, as opposed to always mandating consent as a basis for processing. 
  • Ensuring that publishers are informed in advance, and possibly allow for input from them, if there are regular changes being made to terms of use of Google’s services 
