Privacy Talk with Romain Robert, Member of the Litigation Chamber of the Belgian DPA: What do you expect from the behavioral advertising industry from the recent Norway DPA decision?
“This interview recorded on 7th August 2023 is talking about data protection enforcement and litigation issues.”
Kohei is having great time discussing data protection enforcement and litigation issues.
This interview outline:
- What do you expect from the behavioral advertising industry from the recent Norway DPA decision?
- What are you planning to do next?
- Message to listeners
- What do you expect from the behavioral advertising industry from the recent Norway DPA decision?
Romain: I don’t know what to expect because apparently it’s already happened. I don’t know if you’ve seen last week that Meta announced to shift to another legal basis for some of the behavioral advertising that they were just reorganizing the platform.
I must say that it’s quite a nice surprise to see that there was finally an enforcement against the complaint because that’s also the Norwegian DPA decision of last month is basically also one of the outcomes of a complaint, of one of the three first complaints of noyb five years ago.
Three complaints were filed, one in Belgium, one in Germany, one in Austria. All the complaints were sent to the Irish DPC. As you know, the DPC disagreed with the other DPAs and the EDPB adopted the decision.
The DPC, the Irish DPC had to adopt a decision based on the EDPB decision. This decision was issued in December of 2022. And giving if I’m not mistaken three months to Meta to comply with the order.
But we didn’t see much happening. And even the data protection policy of Meta was not even changed and they all agree that all transparency issues were addressed.
Apparently, I was not the only one to be surprised not to see anything changing or like not to see any legal basis. You could see that after the decision, Meta decided to change to another legal basis, which was the legitimate interest.
And we were of course preparing to take action against that. I think the Norwegian DPA seem to be a little bit impatient as well, since nothing was really moving, and especially considering a very recent opinion, recent decision of the Court of Justice in the German competition authority, when the Court of Justice really made clear that behavioral advertising could not be based on legitimate interest in many cases.
So and that’s exactly what Meta did in April, if I’m not mistaken, changing the legal basis. And based on that, meaning, the NO DPA acted seeing the lack of action from Meta and from the Irish DPC to enforce the decision of December to see whether there was compliance for Meta and considering the recent case of just the decision of the Court of Justice confirming that legitimate interest was really not the most relevant legal basis for behavioral advertising.
The Norwegian DPA didn’t want to wait primarily for the Irish DPC. It seems that the Norwegian DPA and the Irish DPC has a long history of this agreement that already happened two years ago when it was publicly revealed that they publicly disclosed that they did not agree with the Irish DPC.
And here you can see that the Norwegian DPA did not wantto wait more and any longer for the DPC to do something. In this case, the GDPR provides the possibility for one DPA to adopt a temporary decision on its own territory, so the Norwegian decision to ban advertising based on behavior by Meta, which is based on each legitimate interest, is only valid for three months in Norway.
That’s what happened. It seems as well that it’s like an attempt by the Norwegian DPA to bypass the Irish DPC because the Irish DPC was apparently taking too long to the taste of the Norwegian DPA to act and this case will probably go directly to the EDPB directly.
EDPB is the organ appointed to discuss and decide cases when there is a disagreement between the different DPAs. So of course you can see that here is going to go directly from the Norwegian DPA to the EDPB without involving the Irish DPC directly as the lead authority as we call it.
So I think it’s really an interesting regulatory development in the EU: the NO DPA move will probably end up “bypassing” the Irish DPC. But what is also interesting is that the last move of Meta since Meta announced last week that it will switch to consent, so back to consent, basically, which was exactly what was the complaint of noyb about: five years ago Meta used consent for this advertising, but the consent was not free back then.
So Meta just announced that they will just go back to consent for as Meta call it, the highly, (I am not sure I remember the term) the highly targeted advertisement, I think.
And Meta will ask for consent again, which I guess is also a reaction to the decision of Norwegian DPA. So that is for Meta because you ask what about the other industry: I think it’s also important and really crucial here for the business model of other companies.
Again, Meta cannot be the only one to have to comply with the law, leaving other companies doing the same with the impression that are not impacted
One cannot accept that after such a decision from EDPB and Norwegian DPA and the Court of Justice, other actors will just remain unchanged or they will not change the practice, we cannot expect on the Meta to be the one compliant you know, it’s nice to always discuss about big platforms are always the same ones. But DPA also ensures that it’s fair level playing field, meaning that all actors have to follow the same rules.
And will be curious to see whether there will be an action from the DPAs against the other platforms using the same kind of advertising and the same legal basis. So it’s very nice to see the result on Meta why not, but we have to see whether it will also be implemented by the other platforms in the EU.
And on that I’m quite curious to see what will be the next steps. Is the civil society going to act against that as well or is it a coordinated action from the EDPB going to happen. Or is the Norwegian DPA taking action ? We don’t know.
But that would be very important just not to again lead a decision of the Court of Justice and not do anything about it. Basically, what happened was Schrems I aims to, we had two very clear decisions from the court of justice and no action after that, which I think is really concerning to see that the highest court of the EU is issuing a decision which is not even followed or implemented by the actors.
In this case, the court of justice in the German competition authority, which was issued in June, was finally followed by one DPA, which didn’t want to wait for the other DPA to act.
So I think it’s quite a huge change in the enforcement framework.
when there is clarity with a decision of the court of justice when you have a case already pending for years, it’s time to act and to do something.
And a last thing, maybe you heard it: Meta also appealed the decision of the Norwegian DPA in front of the Court of appeal in Norway. Of course, we will see whether any also appealed the EDPB decision and they also appeal the Irish DPC decisions, so there was a lot of appeals pending.
It’s part of the “game” of course, and I hope that we will finally have certainty about the legal questions issued raised by this decision, but I think we already have an answer from the court of justice in this German competition authority decision in June.
That’s for Behavioral Advertising. As principle, consent should be obtained, with some space for legitimate interest it seems. We already have an answer on that. But still, there was a lot of legal questions that still seem to be solved by the Court of Justice.
So it’s, you know, it’s a cat and mouse game and it’s gonna take a long time to have a final decision, especially with the appeals pending, but I’m really looking forward to have these cases ending at the court of justice
Kohei: Thank you for sharing. It’s insightful. From Asian perspective, there is very complicated, but I think it’s a progression of these behavioral advertisement actions. So we just started to discuss this kind of topic. I think, like the European moves, is in very great reference for the other countries around the world.
What kind of discussion should be the requirements and the industrial issues against the data protections. So the next topic about your future landscape, I think you have been working in the data protection field as leading in the industry.
So could you share about what you’re planning to do next or if you have any ideas that you want to do something in the future? So this is a very important, interesting topic, from your personal idea?
- What are you planning to do next?
Romain: From my personal perspective, my next moves are not really clear yet, so I’m exploring options. I would definitely like to stay with the Belgian DPA for another two years of my mandate to enforce the GDPR, but it’s not a full time position so it just gives me time to think about something else.
I have some options for for my professional future, but the first thing that I want to do is just to rest for sure, because it’s been a really intense year here in noyb. So I need to rest a bit.
I was thinking to go back to practice a lawyer again. Because I really loved the enforcement and litigation part as well, I really think I would be involved in the collective redress movement.
There is a new directive allowing the civil society to enforce digital rights and I think it’s going to be a huge, huge, huge game changer in the future.
And another thing that I think would be interesting is just to also work as a data protection council in house. II would love to see how in house processes are just designed.
How is the discussion going on to understand how the industry and the organizations are preparing themselves for compliance with the recent developments. Finding solutions is also quite exciting
I don’t believe that there are two sides of the protection like the “bad” companies and the “good” civil society. I think it’s too simplistic. So I really have an interest in having a hands-on approach and to see what is happening in the industry.
Working for the Belgian DPA, you can not just ignore the difficulties and the obstacles of companies implementing data protection, you know, compliance is not always black or white, I really think is really interesting and important to understand the efforts of companies to comply as well.
I also have a huge interest in the DMA and the DSA because that’s part of the same piece of legislation and of course, the digital governments act, the AI act definitely.
I really think that DMA, DSA and GDPR is a nice piece of legislation altogether, and they should not be isolated. So I really think that that’s something that I would love to do in the future. I am exploring options to see how it can be put together and where I could articulate these texts.
That’s the most important for me: I would love to see what is working, what is not working, how do you enforce it, how do you not enforce it.
Also, I’m not afraid to go to court. I really love it. It’s nice to agree to disagree. If parties disagreen that’s what the courts are here for. They just take a decision. You know, I really love this part of the job to have a really clear position and you go to court and you defend your view.
Kohei: That’s a great passion and very important to keep this in mind. I’m also the Inspire this your conversation that’s been important actions for the data privacy expert community as well indeed.
So the last, I’d like to ask you about the message for the listeners. So you have a many experience and data protection space. And also you share some of the visions from your perspective. So could you share any message for the listeners?
- Message to listeners
Romain: I think dialogue is very important when I say dialogue is not only going to conferences or having this “ dialogue” like exchanging papers on the subject and not see a concrete outcome.
Dilogue is really interesting and really important, especially with AI. And I see it especially from the industry, always defending innovation: how is it possible for the EU market to stay competitive if we don’t allow this kind of product.
I think it’s not always the appropriate place to have a transparent discussion. I am not a huge fan of regulatory sandboxes which raises some issues, even if they are an interesting idea: the discussion should take place in the European Parliament or like the National Parliament.
I think in the future we should have a dialogue when the actors including organisations, industry, regulators and the civil society could understand the problem to address the problem. And to have concrete examples of what is the problem and what would be the concrete solutions. Sometimes discussions are too high level.
Regulators cannot change the law, it’s too late and it’s not the right place to change it. You should go be back to the European Parliament. Who should maybe sometimes do a better job, I think because this law is not always very clear. On the other side, no law is perfectly clear, that would be naive to pretend that of course!
And these new laws are not always very clear, we have to accept them.
Because we should not also forget these legislations are going to be very difficult to implement. I think the law makeris not always aware of the interaction between all these pieces of legislation, meaning the DMA, the DSA, the AI Act and GDPR (or simply ignores it).
And besides giving a lot of work for lawyers and law firms, it should also give some clarity for the actors not only for the citizens, but the company and the regulators.
Kohei: Thank you for sharing. That’s very important for us. I think regulation is the power of the difficult for all the general citizens but then your work is very important to bridge the not just like AI on the policy, but also in the practice, practice is very important.
And also that you have many experiences and try to empower the people in the data protection space. So again, thank you for joining me at this moment. It’s a pleasure to have a great conversation with you. Let’s get to your new work.
Romain: Thank you so much.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
