EU: Do PECR and GDPR go hand-in-hand?
When the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') took effect on 25 May 2018, one of the challenges that organisations faced was identifying the correct lawful basis for each of their data processing activities. With a myriad of actors and processing activities across the digital advertising ecosystem, identifying the correct lawful basis and achieving transparency is a continuing challenge. Sarah Williamson, Partner at Ashfords LLP, provides an insight into the relationship between the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR'), and discusses their impact on the adtech sector.
When the GDPR took effect on 25 May 2018, one of the challenges that organisations faced was identifying the correct lawful basis for each of their data processing activities. Whilst Article 6 of the GDPR sets out six lawful bases, the two lawful bases gaining the most publicity are consent and legitimate interests. Despite guidance being issued by the Information Commissioner's Office ('ICO') on these bases, there is still much confusion as to when consent must be used and when legitimate interests may be used. Nowhere is this more apparent than in the adtech sector. With a myriad of actors and processing activities across the digital advertising ecosystem, identifying the correct lawful basis and achieving transparency is a continuing challenge.
Legitimate interest and consent – why the confusion?
One of the reasons for the confusion is the lack of understanding with regards to the interrelation of the GDPR with the PECR. In some cases, organisations have simply overlooked the existence of the PECR in all the GDPR mayhem, or have thought that the GDPR trumps the PECR. The ICO highlighted this as a particular issue for those involved in the adtech industry in its Update Report into Adtech and Real-Time Bidding, issued on 20 June 2019 [1] ('the Adtech Report').
The GDPR has not replaced or amended the PECR. Article 95 of the GDPR states, 'This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive').'
It is also important to be aware of the proposed Regulation on Privacy and Electronic Communications ('the Draft ePrivacy Regulation'), which will repeal the PECR. Although we do not have a confirmed timeframe for the Draft ePrivacy Regulation at this stage, what we do know is that it is expected to achieve greater consistency with the GDPR and that there will be changes in terms of the rules regarding marketing and cookies.
How has the GDPR affected the PECR?
The GDPR has had one significant effect on the PECR, and that is that it has changed the standard of consent required. Consent is not defined under the PECR, but takes its definition from data protection legislation such as the GDPR. The GDPR defines consent as 'any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'
There are two important new additions to the definition of consent introduced by the GDPR. For consent to be valid it must be 'unambiguous' and indicated by 'clear affirmative action.' The effect of these new additions is that pre-ticked opt-in boxes, opt-out boxes, and silence will not constitute valid consent. The ICO has not ruled out the possibility for consent to be implied, but there must be some positive action and inactivity will not suffice. Furthermore, organisations processing special categories of personal data should be aware that the standard for consent under Article 9 of the GDPR is even higher and is required to be 'explicit.'
Due to the higher standard for consent under the GDPR, many organisations have been relying on the legitimate interests lawful basis. There is, however, much debate as to when legitimate interests can be used, particularly in the context of adtech and marketing activities.
When can legitimate interests be relied upon for marketing?
There is no hierarchy between the lawful bases. However, the ability to use legitimate interests in the context of marketing depends upon whether consent is legally required under the PECR, and also whether the conditions attached to the lawful basis can be satisfied. If the PECR requires consent for a marketing activity, consent should also be the GDPR lawful basis relied upon for any personal data processed during that activity.
Recital 47 of the GDPR explicitly states that the processing of personal data for direct marketing may be a legitimate interest, but it also stresses that a careful assessment is needed which includes an evaluation of the data subject’s reasonable expectations. Legitimate interests will therefore not always be an appropriate lawful basis even where consent is not required under the PECR.
Under Article 6(f) of the GDPR, legitimate interests can only be used when the interests of the controller or third party are not overridden by the interests or fundamental rights and freedoms of data subjects. The use of legitimate interests should not be regarded as the easy alternative to consent. Many organisations are citing legitimate interests without having carried out a legitimate interests assessment ('LIA'). Ultimately, the processing must be necessary and it is important to consider whether the organisation is acting outside of an individual's reasonable expectations. In this respect, transparency is key. The LIA is problematic for participants in the adtech ecosystem, where questions of necessity, transparency, and an individual’s reasonable expectations are not easily answered.
Whilst the general position is that organisations can only send marketing by electronic means to individuals when they have obtained specific opt-in consent, the PECR does permit what is known as the 'soft opt-in.' This is the ability to market to existing customers without obtaining their consent provided that:
- the organisation has obtained their details in the course of the sale or negotiations for the sale of goods and services;
- the organisation is marketing about its own products or services that are similar to those that the customer has already purchased or enquired about;
- the individual’s contact details have been obtained directly from the individual; and
- the individual was given an opportunity to opt out at the time their personal data was initially obtained and on each subsequent occasion they are sent a marketing message.
Additionally, business to business ('B2B') marketing does not require consent under the PECR, although 'corporate subscribers' should be given the opportunity to opt out as they still have an absolute right to object to marketing under the GDPR. There is a note of caution for B2B marketing, as the definition of 'corporate subscriber' does not include sole traders and some types of partnerships.
Consequently, because consent is not legally required under the PECR for B2B marketing and marketing to consumers on the basis of a soft opt-in, legitimate interests is a possible lawful basis under the GDPR for these activities, subject to carrying out an LIA.
Cookies and other similar technologies
The adtech ecosystem
Obtaining consent for all processing activities carried out in the digital advertising ecosystem is extremely challenging given the complexity of this ecosystem and the sheer number of actors, such as digital service providers, carrying out a multitude of processing activities. Industry-wide initiatives, such as the Interactive Advertising Bureau ('IAB') Europe’s Transparency & Consent Framework ('TCF'), have emerged in order to help parties manage transparency and obtain and manage consents. However, the TCF faced criticism from privacy campaigners and the ICO specifically stated that further work would be needed for the TCF, and also for Google’s Authorized Buyers framework, to be compliant. In terms of the TCF, a newer version has now been released ('TCF 2.0') which may address some of the ICO's concerns around transparency and consent.
Whilst the PECR deals with the placing of a cookie on someone’s device, it does not contain any rules regarding the subsequent processing of personal data collected by that cookie. We have seen that where the PECR requires consent, consent should be relied upon as the lawful basis under the GDPR. However, it is not entirely clear whether legitimate interests can be used as the lawful basis for any subsequent processing of personal data beyond the setting of the cookies, for example profiling or tracking. The Guidance indicates that this may be difficult but the debate is not new and is ongoing.
In the context of analysing or predicting preferences or behaviour, the Article 29 Working Party ('WP29') has stated in its Opinion 03/2013 on Purpose Limitation [4] that opt-in consent would be required for 'tracking and profiling for the purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research.'
In 2014, the WP29 Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller Under Article 7 of Directive 95/46/EC [5] recognised that activities, such as conventional direct marketing, could be considered a legitimate interest, subject to adequate safeguards and meeting the necessary balancing test. It also stated that where marketing involves 'extensive profiling, data sharing, online direct marketing, or behavioural advertising,' consent should be considered.
In the Guidance, the ICO has stated that in most circumstances, legitimate interests will not be available as an appropriate lawful basis for profiling and targeted advertising.
The ICO is currently looking into the adtech sector due to a number of complaints made by privacy campaigners. Faced with these complaints, the ICO and the Irish Data Protection Commission have both identified adtech as a priority. In March 2019, the ICO hosted an adtech forum attended by representatives from organisations in the adtech sector to get views on the challenges posed by the GDPR. This was followed by the Adtech Report. The Adtech Report outlines the main concerns which are centred around transparency, special categories of personal data, legal bases, and Data Protection Impact Assessments.
In the Adtech Report, the ICO states that many participants are using legitimate interests as the lawful basis for processing but not carrying out the appropriate assessments or implementing safeguards. The ICO has confirmed that legitimate interests should only be relied upon for marketing activities where consent is not needed under the PECR and where the use of personal data 'is proportionate, has a minimal privacy impact and individuals would not be surprised or likely to object.' The view of the ICO is that consent is the only available lawful basis for 'business as usual' real-time bidding processing, which goes from the placing and reading of the cookie, to the onward transfer of the bid request. Whilst recognising that subsequent associated processing could be carried out on an alternative lawful basis, the ICO has nevertheless stated that 'consent is also the most appropriate lawful basis for processing of personal data beyond the setting of cookies.' The ICO concluded in the Adtech Report that the processing of personal data is taking place unlawfully, as participants are using legitimate interests for placing and/or reading a cookie and explicit consent is not being obtained for collecting special category data.
It is clear that legitimate interests might work for some marketing activities where consent is not required under the PECR. However, when it comes to the digital advertising ecosystem and more intrusive activities such as tracking and profiling, the picture is a lot murkier. Demonstrating that subsequent processing of personal data is within an individual’s reasonable expectations, and that their rights and freedoms are not impacted, will be a challenge and something that will be closely scrutinised. With pre-GDPR opinions pointing towards consent as the only viable lawful basis, it seems unlikely that the regulators will now change their opinion. Following the release of the Adtech Report, the ICO has stated that it will continue to work with the industry, taking a 'measured and iterative approach,' recognising the complexities of the ecosystem and the role that advertising plays in funding online content. However, it states that the industry is 'immature in its understanding of the data protection requirements' and those in the adtech sector cannot simply sit back and do nothing. The ICO expects controllers in the adtech industry to revisit their privacy notices, as well as their use of personal data and the lawful basis that they rely on. Whilst the regulators are actively investigating this sector, it remains to be seen whether they will issue any clear guidance on the exact requirements that must be met by those involved in digital advertising. Will they completely rule out the ability to rely on legitimate interests for processing any personal data collected by a cookie, and how consistent an approach will different regulators take? Clear and consistent guidance is needed for all involved.
Sarah Williamson, Partner
Ashfords LLP, London
1. Available at: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
2. Available at: https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf
3. Available at: https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf
4. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf
5. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf