Copyright © Media Law International 2017. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
Apart from using such data to target advertising, many media and entertainment businesses generate value by offering personalised services such as information/news services (e.g. Upday; Microsoft News Pro; News360) or music/video streaming services (e.g. Spotify; Netflix) tailored to the individual user’s interests and preferences.
Data Protection Challenges
The use of data for high quality analytics regularly triggers the application of data protection law as such use often includes the processing of "personal data". Generally, any information allowing the identification of an individual (the data subject) is considered "personal data".
Today, sophisticated algorithms combine and analyse information from different sources (such as personal, sensor, location and machine data). The more (non-personal or anonymised) data is aggregated, the easier it becomes to attribute the data to a specific individual, at which point it is personal data again. With big data analytics, it has therefore become more difficult to argue that data is anonymous and falls outside the scope of data protection regulation.
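The re-identification risk described above can be shown concretely with a linkage attack. The following is an added example, not code from the article or its authors: a "anonymised" personalisation log (names removed, but postcode, birth year and gender kept because the recommender uses them) is joined over those quasi-identifiers with a second source that still carries names. All records are constructed; the field names and the crude generalisation step are assumptions for illustration, and k-anonymity is used only as a simple measure of how linkable the log is.

```python
"""Linkage (re-identification) demo over quasi-identifiers.

Added example for illustration; not part of the original article.
All records below are constructed.
"""
from collections import Counter, defaultdict

# Attributes that are not names but, in combination, single people out.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")

# Constructed "anonymised" streaming log: names stripped, quasi-identifiers
# kept because the personalisation model uses them.
STREAMING_LOG = [
    {"postcode": "8001", "birth_year": 1985, "gender": "f", "genre": "jazz"},
    {"postcode": "8001", "birth_year": 1985, "gender": "f", "genre": "pop"},
    {"postcode": "8002", "birth_year": 1990, "gender": "m", "genre": "metal"},
    {"postcode": "8003", "birth_year": 1972, "gender": "m", "genre": "classical"},
    {"postcode": "8004", "birth_year": 1978, "gender": "m", "genre": "rock"},
    {"postcode": "8005", "birth_year": 1993, "gender": "f", "genre": "hiphop"},
]

# Constructed second source (e.g. a loyalty-card export or a public profile
# list) that carries names next to the same attributes.
PUBLIC_PROFILES = [
    {"name": "A. Meier", "postcode": "8001", "birth_year": 1985, "gender": "f"},
    {"name": "B. Keller", "postcode": "8002", "birth_year": 1990, "gender": "m"},
    {"name": "C. Huber", "postcode": "8002", "birth_year": 1990, "gender": "m"},
    {"name": "D. Frei", "postcode": "8003", "birth_year": 1972, "gender": "m"},
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used as the join key."""
    return tuple(record[f] for f in fields)


def link_records(log, profiles, fields=QUASI_IDENTIFIERS):
    """Join log rows to profiles on the quasi-identifiers.

    Returns {key: {"names": set, "genres": set}} for every key that matched
    at least one profile. A key with exactly one name is a re-identification.
    """
    names_by_key = defaultdict(set)
    for p in profiles:
        names_by_key[qi_key(p, fields)].add(p["name"])
    linked = {}
    for row in log:
        key = qi_key(row, fields)
        names = names_by_key.get(key)
        if not names:
            continue
        entry = linked.setdefault(key, {"names": set(), "genres": set()})
        entry["names"] |= names
        entry["genres"].add(row["genre"])
    return linked


def reidentified(log, profiles, fields=QUASI_IDENTIFIERS):
    """Map each uniquely matched person to the listening history exposed."""
    out = {}
    for entry in link_records(log, profiles, fields).values():
        if len(entry["names"]) == 1:
            out[next(iter(entry["names"]))] = sorted(entry["genres"])
    return out


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on those fields and can be
    linked directly; larger k means each record hides among k-1 others.
    """
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values()) if counts else 0


def generalise(records):
    """Crude coarsening (assumed for illustration): keep only the postcode
    district, bucket birth years into decades and drop gender."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "xx"
        g["birth_year"] = r["birth_year"] // 10 * 10
        g.pop("gender", None)
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of the 'anonymised' log:", k_anonymity(STREAMING_LOG))
    print("re-identified:", reidentified(STREAMING_LOG, PUBLIC_PROFILES))
    coarse = generalise(STREAMING_LOG)
    print("k-anonymity after generalisation:",
          k_anonymity(coarse, ("postcode", "birth_year")))
```

Two things the join makes visible that the paragraph only asserts: the log contains no names, yet two of the six "anonymous" listeners are recovered with their full genre history, while the third match (two profiles sharing one key) stays ambiguous; and raising k by coarsening the quasi-identifiers costs exactly the attribute precision the personalisation model wanted to keep. Note that k-anonymity of the log alone does not help when the other source contains only one profile for a bucket, so the check has to consider what an adversary can plausibly join against.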
The regulatory framework for the processing of personal data is fragmented into national, regional and sector-specific laws and regulations. Internationally operating businesses are likely to fall within several data protection jurisdictions and to be supervised by different data protection authorities at the same time.
On an international level, the prospective EU General Data Protection Regulation ("GDPR"), applicable as from 25 May 2018, significantly widens the territorial scope of EU data protection law and will even affect many businesses based outside the EU, for instance in Switzerland. Firstly, the GDPR will apply to the processing of personal data of any data subject anywhere in the world if the data controller (who determines the purposes and means of the processing of personal data) or processor (who processes personal data on behalf of the controller) has an establishment in the EU and the data is processed in the context of the activities of this establishment.
Secondly, the GDPR will also apply to the processing of personal data by a controller or processor outside of the EU if the data subjects are in the EU and the activities are related to either (i) the offering of goods or services to data subjects in the EU, regardless of whether payment by the data subject is required, or (ii) the monitoring of the behaviour of data subjects in the EU as far as their behaviour takes place within the EU.
For instance, a media company offering personalised music streaming services in the EU based on an analysis of users’ preferences and past online behaviour falls within the scope of the GDPR, irrespective of whether the company itself is located in the EU.
Governance and compliance efforts to maintain the legal handling of data will increase considerably for any company which processes personal data. The GDPR not only requires such companies to provide more detailed information and documentation on the data processing, but also provides for stringent data processing requirements.
The Fiction of Informed User Consent
Under the GDPR, processing of personal data is considered unlawful unless it can be justified. The most robust justification is the user’s (data subject’s) consent (other justifications include processing to fulfil legal requirements or processing necessary to perform contractual obligations, as discussed below). Such user consent must be unambiguous, freely given, informed and related to a specific purpose. Further, decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects for the data subject generally require the data subject’s explicit consent unless the decision is necessary for a contract or authorised by law.
In order to be unambiguous, the consent must leave no doubt as to the data subject’s intention to provide consent. Pre-ticked boxes or inactivity of the user are not sufficient. Consent is deemed freely given if the data subject does not face any significant negative consequences when refusing consent, which means that the data subject must have a "real choice".
Consent to the processing of personal data which is not necessary for the performance of a contract should not be made a condition for performing the contract. Further, a valid consent requires the controller to provide information which allows the data subject to make a well-informed decision about the processing of his/her personal data. Lastly, in order to be specific, the consent must relate clearly and precisely to the purpose(s) of the processing of personal data.
For providers of online platforms and services, striking the balance between data protection compliant consent formats on the one hand and usability and attractiveness of the services on the other will become more challenging. Further, the data subject may withdraw his/her consent at any time, leaving businesses such as providers of personalised media services uncertain whether the data analytics on which the business model depends can be continued in the future.
Even though data privacy is of increasing concern to the public in general, individual users rarely make use of available control mechanisms such as clearing cookies or opting out of targeting while surfing the internet. Users also tend not to read long and complicated privacy policies and even if they do so and disagree with certain provisions, they are well aware that the provider would not accept any changes anyway. As a result, online services are regularly designed as "take it or leave it" offerings.
Other Justifications for Processing Personal Data
Whereas valid and documented consent remains the most compliant and risk-reducing justification for processing personal data, the GDPR also acknowledges other justifications.
Data processing in the course of personalising media services can be necessary for the performance of the contract with the user (if personalisation is a key part of the contract) and thus justified even without specific consent. Conversely, targeted advertising (without the user having previously requested specific offers) is unlikely to qualify for this justification.
The GDPR also acknowledges legitimate and overriding interests pursued by the controller or a third party as a justification for processing personal data. Whereas the GDPR explicitly references "direct marketing" as a legitimate interest, it is unclear at this stage, though crucial for the advertising industry, how broadly the competent authorities will interpret this ground for own or third-party marketing purposes.
Whereas under the current EU regime the modalities of the controller’s information obligation are a matter of EU member state law and the data subject might have to actively ask for some information, the GDPR requires the controller to provide the data subject, among other things, with the following information prior to the collection of personal data:
In case the controller intends to process personal data for a purpose differing from the original one, the controller needs to provide the data subject with information on that other purpose beforehand.
If, as is often the case with big data analytics used e.g. for personalising media services, personal data of the same data subject is aggregated from different sources, the GDPR requires the controller to provide the data subject with information, among other things, on these sources. This information needs to be provided within a reasonable period, at the latest within one month of obtaining the personal data, and earlier if the data is used to communicate with the data subject (at the latest at the first communication) or is disclosed to another recipient (at the latest at the first disclosure).
All information needs to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. As longer privacy policies do not necessarily provide better information, the GDPR laudably acknowledges the additional use of standardised icons in order to convey the information. This allows communication of data privacy issues to become more creative and attractive and thus valid consent to be facilitated and fostered.
In case of violations of the GDPR, and in addition to potential civil claims for damages, administrative fines of up to EUR 20 million or 4 per cent of the total worldwide annual turnover of the preceding financial year (whichever is higher) may be imposed.
Besides legal and regulatory requirements, contractual restrictions, for instance in commercial contracts, licenses or NDAs, may further limit the use of aggregated data for analytical purposes. Companies are advised to review and potentially revise end-user license agreements (EULAs) and privacy policies when planning new ways of leveraging user data such as personalised services.
The Way Ahead
It is questionable whether the prospective EU model with its default prohibition of data processing without a specific legal basis such as informed consent, necessity for the performance of a contract or legitimate business interest adequately addresses the media and entertainment landscape with its many low-risk data processing applications.
Rather, a more risk-based approach in regulation (beyond isolated provisions in the GDPR e.g. on automated decisions, data breaches and data protection impact assessment, and as already applied selectively in the US), balancing the rights of the data subject on one side, and of the controller and processor on the other, should be considered. By prohibiting or limiting high-risk data uses (e.g. automated decisions in highly sensitive fields such as health, social security, financial services and job applications which can have severe consequences for individuals), but at the same time allowing rather low-risk data uses such as personalising media services or advertising, the market reality and actual risks would be addressed much more adequately.
In respect of (personalised) advertising services, it is to be hoped that "direct marketing" as a legitimate interest for processing personal data under the GDPR will be interpreted extensively and also cover state of the art tracking and targeting methods which are indispensable for the generation of online advertising revenues.
A narrow interpretation of the "direct marketing" interest would likely shift advertising spending to platforms operated outside of Europe and to the growing category of native advertising (e.g. paid content, sponsored posts and corporate publishing), impeding European media and entertainment industry’s innovation and economic clout.
Jonas D. Gassmann
The wide availability of free content through disseminators such as LinkedIn and Facebook and through aggregators such as Google News, reddit, Newsvine or Daily Beast has considerably lowered consumers’ willingness to pay for content. This leaves the media industry exposed to increased pressure to look for new ways to generate revenue. More and more, value is created by collecting and processing user data through "Big Data" analytics.
Rolf Auf der Maur
Since the beginning of his career as an attorney in 1992, Rolf Auf der Maur has focused on the legal aspects of the internet, combining his fascination with new communication technologies with his legal expertise. His clients include leading companies from the media and entertainment industries as well as from the telecommunications and information technology industries. In addition to his activities as an attorney, Rolf publishes and speaks regularly on internet-related legal issues and is a member of various industry bodies (e.g. as a board member of simsa Swiss internet industry association, IAB Switzerland and the International Association of Entertainment Lawyers). Renowned as a leading expert in Switzerland in his field, Rolf is listed as "1st Tier" for TMT in Chambers & Partners and other directories.
Jonas D. Gassmann works as an Attorney in the IP/IT/Regulatory team. He advises and represents individuals and companies in proceedings before Swiss courts and authorities. His primary practice focuses on media law. Furthermore, Jonas Gassmann assists both companies and private individuals in intellectual property and competition law matters.