

Vendor contracts

With the recent ruling by the Court of Justice of the European Union (CJEU) that a website operator who embeds a Facebook “Like” button is a joint controller, together with Facebook, for the personal data that plugin collects*, this post looks more closely at the contractual relationship between website operators and the 3rd party technology solutions that collect personal information from an operator’s website, with a few tips for both brands and 3rd parties to help foster a trustworthy (and compliant) user experience.


For those still wondering why this ruling is so important: if you, the website operator (an e-commerce brand/retailer, or a publisher/news site), have a Facebook “Like” button on your website (for example on a news story or a product page), the plugin makes the visitor’s browser send personal information (such as the IP address and browser details) to Facebook as soon as the page loads, whether or not the visitor clicks the button and whether or not they have a Facebook account. If the user does click “Like”, Facebook then controls that user’s personal information and determines what happens with it (such as informing that user’s friends via their news feed that the user clicked “Like” on a product or news content). Facebook can also collect all of that user’s “Like” activity to build a profile of him/her and then serve targeted ads or content (and possibly sell that profile to other advertisers looking for a similar profile to serve their ads to). All of this follows from what seems like an innocent act of appreciation for a product or news story published on the website operator’s site, and the operator (as soon as the user’s browser interacts with any tracking or plugin) has no control over what happens to that user’s information.


The CJEU ruling is also significant in that it doesn’t just apply to Facebook. The website operator is ultimately accountable for any advertising/marketing technology tracking and/or social media plug-in deployed on its website that collects personal information, either in its own right (such as an IP address) or once combined with other data (for example “click reference/id” + “source” + “device id” + “location” + “products viewed” + “other websites visited” + “order ID”), on any electronic device (desktop, mobile/handheld or any other form of device), through:

  • Sponsored Search Engine (Pay Per Click) listings
  • Content Ads (for example – like those “Sponsored Links” that you often see on news/media sites)
  • Product Listings Adverts on Search Engine Shopping channels and comparison shopping engines/sites
  • Affiliate Marketing & influencer (blogger) marketing ads and text links
  • Social Media sharing
  • Display advertising
  • Behavioural Targeting & Re-targeting adverts


Using an advertising agency doesn’t shield you from responsibility

Even if a website operator outsources its marketing/advertising activity to an agency and gives that agency free rein in how it achieves the commercial and marketing objectives, it remains the website operator’s responsibility to know what information has been collected about a user through those marketing channels, and what subsequent processing takes place with that user’s information, so that it can inform the user which data-collecting parties the website operator is working with.
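Knowing which third parties your pages actually hand visitor data to is the first step behind both of the points above (the operator is accountable for every plugin and tracker on its site, and it must know who it is working with). The following is an added example, not code from the original post or from Deslyon: a small static audit that lists every third-party host a page will contact on load (every script, iframe, image and stylesheet the browser fetches before the visitor clicks anything) and flags those with no written agreement on file. The first-party domain, the vendor register and the sample HTML are all constructed for the example.

```javascript
// Added example (not from the original post): static audit of the third-party
// origins a page contacts on load, compared with the vendors that actually have
// a written (joint-controller or controller:processor) agreement in place.
// The first-party domain, vendor register and sample page below are constructed.

const FIRST_PARTY = "shop.example";

// Hypothetical register of vendors covered by a signed agreement (assumption).
const CONTRACTED_VENDORS = {
  "www.googletagmanager.com": "Tag manager (Controller:Processor agreement)",
  "connect.facebook.net": "Like button (Article 26 joint-controller agreement)",
};

// Constructed sample page. Every <script src>, <iframe src>, <img src> and
// <link href> here is fetched by the visitor's browser as soon as the page
// renders, i.e. before the visitor interacts with anything.
const SAMPLE_HTML = `
<html><head>
  <script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
  <link rel="stylesheet" href="https://shop.example/static/site.css">
</head><body>
  <img src="/static/logo.png">
  <script async src="https://connect.facebook.net/en_GB/sdk.js"></script>
  <iframe src="https://ads.unknown-network.example/frame?cid=123"></iframe>
  <img src="https://px.affiliate-tracker.example/p.gif?order=987" width="1" height="1">
</body></html>`;

// Return the set of hostnames referenced by resource-loading tags in the HTML.
// Relative paths resolve against the first-party origin; protocol-relative URLs
// ("//host/path") are treated as https.
function extractOrigins(html) {
  const re = /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = m[2].trim();
    try {
      const u = new URL(url.startsWith("//") ? "https:" + url : url, `https://${FIRST_PARTY}/`);
      hosts.add(u.hostname.toLowerCase());
    } catch (e) {
      // Unparsable URL: skip it but keep scanning the rest of the page.
    }
  }
  return hosts;
}

// A host is first-party if it is the operator's domain or a subdomain of it.
function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Split the page's third-party hosts into those with and without an agreement.
function auditThirdParties(html, vendors = CONTRACTED_VENDORS) {
  const thirdParty = [...extractOrigins(html)].filter(isThirdParty).sort();
  return {
    thirdParty,
    contracted: thirdParty.filter((h) => h in vendors),
    uncontracted: thirdParty.filter((h) => !(h in vendors)),
  };
}

const report = auditThirdParties(SAMPLE_HTML);
for (const h of report.contracted) console.log(`ok           ${h}  (${CONTRACTED_VENDORS[h]})`);
for (const h of report.uncontracted) console.log(`NO AGREEMENT ${h}`);
```

On the constructed page this reports the tag manager and the Facebook SDK as covered, and the ad-network iframe and the affiliate tracking pixel as having no agreement. A static scan only sees what is in the served HTML: tags that a tag manager or another vendor’s script injects at runtime will not appear, so complement it with a browser network capture or a Content-Security-Policy in report-only mode, which reports every origin the browser actually contacted.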


How can website operators ensure they’re working towards compliance?

Before commencing a relationship with any 3rd party vendor, whether for marketing/advertising technology solutions/social plugins or for agency management of marketing strategy and activity, there needs to be a written agreement in place that defines the boundaries and where responsibility begins and ends, in accordance with Article 26 (Joint Controllers) of the GDPR, and that sets out the rights of the website operator. The agreement (also known as a “controller:controller” agreement) needs to include the contact details of the joint controller, the purposes of the joint controllers’ processing, the categories of data being processed, details of where that data will be transferred to (if outside the EEA, and the safeguards being applied), how long that data will be kept for, and a description of the technical and organisational measures taken by that joint controller. Article 26(2) also requires the essence of that arrangement to be made available to the users whose data is processed.


What else does the website operator need to do?

The website operator also needs to fully inform users, in accordance with the lawfulness, fairness and transparency principle (Article 5), of the tracking/social media plugins on its site that will collect their data (for a plugin such as the Facebook “Like” button, as soon as the page loads, and more again if they click on or “Like” it). The website operator will need to list exactly what data is collected, the purposes for which it is collected and processed, and the contact details of the social media/3rd party tracking/plugin provider/agency for any queries or for obtaining access to their information (as per the users’ rights to information, access, rectification, erasure and restriction of processing, the right not to be subject to automated decision-making such as profiling, the right to object, and the right to have their data moved/ported to another provider/competitor, as stated in Articles 12-22).


The website operator must have a lawful basis for the advertising/marketing technology provider and/or agency collecting and processing that data. In practice that means the website operator and the joint controller have to obtain freely given, specific, informed and unambiguous consent from the user before collecting and processing that information. Legitimate interests will not suffice: a legitimate interests assessment for this kind of tracking shows the website operator’s commercial interest being outweighed by the impact on the user’s rights and interests.


Ignoring these requirements when it comes to joint controller or controller:processor agreements could leave the website operator fully exposed to the maximum financial penalty, or possibly facing a stop order (which for most organisations could be even worse than the fine). It is vital that those 3rd party contracts are reviewed and updated to reflect data protection laws and regulations.


Of course, if the 3rd party acts only on the strict instruction of the website operator then that is a “controller:processor” relationship, which requires a differently worded agreement (Article 28 of the GDPR) but still requires the processor to have adequate security measures, policies and processes in place to protect user data if it is of a personal nature.


For further information and guidance on 3rd party contracts (Controller:Controller, Controller:Processor, and Processor:Processor), email info@deslyon.com today.


(*ref: http://curia.europa.eu/juris/document/document.jsf;jsessionid=A06E0AB5DBF21253C4907DDCE5A5DDDB?text=&docid=216555&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=7104636)



Photo: https://pixabay.com/es/photos/cadena-articulada-apretón-de-manos-2853046/ 

Facebook fined $5bn (FFS!)

In a week that has seen more “intents” than a field at Glastonbury, the largest fine to date was just announced as the US Federal Trade Commission approved a $5bn fine on Facebook as a result of the 2018 Cambridge Analytica scandal (source: https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html)


The Facebook–Cambridge Analytica data scandal was a major political scandal in early 2018, when it was revealed that Cambridge Analytica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. The data was collected via an application posing as a “personality quiz”, called “thisisyourdigitallife”, and was taken not only from users who took the quiz but also from those users’ friends, without the consent of either the users or, of course, their friends. It is alleged that around 87 million users were affected by the scandal.


The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. The agency was concerned that Facebook had violated the terms of a 2011 agreement, under which Facebook settled Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public (source: https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep). That settlement required Facebook to give users very clear notifications when their data was being shared with third parties.


The settlement will now be reviewed by the Department of Justice (according to reports), but the message being sent by both the US and UK regulators (the latter having announced its intention to fine British Airways £183.39m and Marriott International Inc £99.2m) is that infringing data subjects’ privacy, or otherwise breaching data protection laws, will be punished with the utmost severity, whether for ignorance, for systematic abuse of people’s personal information, or for neglecting the information security principles of confidentiality, integrity and availability of personal data.


Of course, in addition to this, the UK Information Commissioner’s Office is also looking into the digital advertising industry, in particular behavioural advertising, retargeting and real-time bidding auctions (in which big tech firms have a significant commercial interest), so it is highly likely that this will not be the last time we see familiar faces and household names in the news for breaching data protection regulations and privacy laws by not obtaining users’ consent.


There will also likely be cases brought to the regulators’ attention where companies fail to implement appropriate technical and organisational measures, such as having an appropriate information security policy or deploying the required training for their staff.


Martin de Bruin, CEO of Deslyon says:


This week we’re starting to see the consequences of failure to comply with Data Protection laws and Privacy regulations. Companies feel that they can take a laissez-faire approach when it comes to their obligations whilst we have constantly disagreed with their consensus. Now it is clear to see that doing nothing or skipping over data protection/privacy obligations is no longer an option.


News outlets report that Facebook declined to comment, however, if you are looking for guidance and advice on how to comply with Data Protection regulations and privacy laws for your organisation, contact info@deslyon.com.



Image source: https://www.flickr.com/photos/stockcatalog/26406050097/in/album-72157695350251185/


A little reading for the weekend. Unless you’ve been partying on a yacht somewhere in the south of France this week, you’ve probably seen the report published by the Information Commissioner’s Office into adtech and real-time bidding. If you’re still too bleary-eyed to read the report, we’ve extracted some of the key “i-lights” from it, in no particular order:

“Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”

“Transparency issues also exist for the ecosystem itself, given the opaque nature of the data supply chain.”

“For some market participants, these were at best not fully understood or at worst ignored.”

“Data supply chain: In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.”

Invisible Processing
“…’Invisible processing’ is an activity that carries inherent risk to rights and freedoms as it takes place with no or minimal user awareness. The ICO’s Article 35(4) list provides the following definition: ‘Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14(5)(b).’ Our list clarifies that processing operations of this sort, combined with any of the criteria from the EDPB guidelines, require a DPIA. Similar examples appear on a number of the Article 35(4) lists prepared by other European data protection authorities”.

“What we found was an industry that understood it needed to make improvements to comply with the law.”

“… Europe global vendor list comprises over 450 organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place.”

If you’re an investor in a company that is involved in the collection, processing, storage or trading of personal data as defined in the GDPR/DPA 18, you may want to review whether your investment could survive a financial penalty, or even survive being instructed by the ICO to stop collecting and processing personal data. If you’re thinking of acquiring a company that collects, processes, stores or trades in personal information, you may want to ensure that the appropriate due diligence has been carried out so that you don’t end up paying more in the long run (see our blog post about M&A here: https://deslyon.com/2019/05/16/mergers-acquisitions-a-private-matter/).


Having decided to carry out an industry sweep, the ICO states: “Following continued engagement to obtain more information, we may undertake a further industry review in six months’ time.” It is almost certain that the ICO won’t be brushing these issues under the carpet.

If you’re not familiar with the corrective powers bestowed upon the ICO, you may want to cast those bleary eyes over Article 58(2)(d) and (f) in particular.

All eyes really will be focused on the industry to see how it cleans up its act, which “Cannes” only be a good thing. Chin-chin!

(the full ICO report is available here: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf)