Ever since GDPR popularized “privacy by design” within our vernacular, media owners, advertisers and ad tech partners have been asked to adopt overly aggressive approaches to data handling out of fear of fines.
The biggest winners from such policies have been largely Google and Apple, which have been using “privacy” concerns to shield their anticompetitive conduct. They have attempted to redefine ‘privacy’ as something that they do to the exclusion of all others. Fortunately, regulators are finally stepping in to protect digital markets. More importantly, recent court rulings are providing businesses the clarity they need to responsibly share the data needed to drive innovation, while still safeguarding consumer privacy.
Historically, many businesses operated under the assumption that if data could possibly be reidentified, then it would be personal data. However, earlier this month, the Advocate General’s opinion upheld the precedent from earlier cases (like Breyer), in the landmark decision of Single Resolution Board (SRB).
The opinion states that, whether data is classified as personal or non-personal must be evaluated based on context and the recipient’s actual ability to identify an individual. The so-called ‘In Whose Hands’ test judges whether or not data is personal by asking not whether a piece of data is possible of being reidentified to a specific individual, but whether the person holding it could legally do so. In other words, across the complex ad tech ecosystem, just because one publisher requires authentication to access its property, does not mean all recipients who receive interactions associated with that visit are receiving personal data.
This ruling aligns with the FTC’s recent settlements that define whether data is personal or deidentified, depend on organizational measures that recipients of data have in place. Overly restrictive approaches stifle growth and have been found to harm consumers—restricting access to information, raising prices and preventing access to innovation. In practical terms, this new finding provides a pragmatic path for more organizations to explore new data-driven innovations so long as they rely on de-identified data, which minimizes risks to consumers.