CRITEO penalty EUR 40m: CNIL needs to introspect

On June 15, CNIL, the French supervisory authority under GDPR imposed a penalty of EUR 40 million on CRITEO for failing to verify that the person from whom it processed data had given their consent. This is yet another case of GDPR where a substantial fine has been imposed on an incident which is not a “Data breach”.

The moot point for professionals and the industry to consider is whether this incident represents any harm on the individual. It appears that the only harm that has been caused is through display of personalized advertising when a user is browsing through Internet. Even this harm is speculative on the part of CNIL since the penalty is not based on a complaint from any end user but from the habitual protesters like the None of Your Business (NOYB).

CRITEO is an organization which is into “Behavioural Profiling” of individuals to identify their buying habits so that personalized targeted advertising can be provided to the individuals . For this purpose it places some cookies on e-commerce sites and gathers some information which is used later for delivering advertising. Their activity is well explained by the following diagram which has been published by CNIL.

The action of CNIL in penalizing this activity is a clear assault on the advertising industry which is unfair and disproportionate.

The decision to impose the penalty has been based on two aspects namely “Lack of evidence of the consent of the individuals to the processing of their data” and “Transparency”.

The activity of CRITEO results in display of the most relevant advertising to the browser when a data subject is visiting a website of his choice (If that website owner has contracted with CRITEO for delivery of advertising). This enables the website to monetize the content and deliver it free or at a subsidized rate to the user. If the website does not use such a service, they will be displaying random advertisements which have no relevance to the user or charging a hefty fee for the content. That would be an irritation to the user and a waste of resources.

However targeted advertising enhances the value of the content since it provides additional information though it is piggy backing on the content space. CNIL acknowledges that business model of the company ” relies exclusively on its ability to display to Internet users the most relevant advertisements”. If so it is difficult to understand why CNIL should have an objection.

Unless CNIL can prove that CRITEO’s behavioural profiling is completely in-effective and causes annoyance to the user while he is onto some productive content consumption, CNIL cannot consider that any harm was caused to the individual. In fact by avoiding a serving of unrelated advertisements, the service has made the journey of the browser through the content more pleasant and useful.

The fundamental premise that any behavioural monitoring and any advertising is harmful is wrong and CNIL has to re-think its attitude to advertising.

The detailed report as found here also indicates that in many cases where profiling was done through Cookies, the company did not have the “Name of the individual user”. But CNIL considered that the the data was sufficiently accurate to re-identify individuals in some cases.

This betrays the fact that the argument of CNIL was hollow and the information collected by CRITEO may not constitute “Information that may be identifiable to an individual”. If some information is identifiable to an IP address or an unknown Netizen it is improper to classify them as “Individually identifiable information”.

It is clear that CNIL has simply considered that the business of CRITEO is related to “Advertising” and any information collected for “Advertising” is an infringement of Privacy.

CNIL needs to introspect on its understanding of the concept of advertising. It may also be necessary for the advertising industry to undertake a global campaign to promote why Advertising is not to be considered as an enemy of GDPR.

The decision on CRITEO was supported by reference by all the 29 EU supervisory authorities and hence this is considered as a collective view of all GDPR authorities and the fallacy of the argument needs to be exposed.

One of the allegations is an infringement of Article 7.1 of GDPR because CRITEO tracker cannot be placed on the user’s terminal without their consent. The Cookie was placed when the user visited some of the partner sites. These partner sites normally have a consent for visiting a website which includes a clause to the effect …

“The content you may visit on this website may contain third party advertisements who may have their own privacy policies”.

This declaration makes the advertisers to be considered as authorized associates of the content website and the fact that there is a commercial interchange of consideration between the website and the advertiser further validates that they are together in the display of advertisements along with its pros and cons.

Further the Cookie policies of the content website take the consent for “Essential Cookies” and “Non Essential Cookies”. The advertising cookies come under the category of “Non Essential Cookies”.

Perhaps what CNIL decision may suggest is that Content owners need to have a new sub classification of “Advertising Cookies” and provide an option for the user to reject it in which case the website should disable the display of the advertisements.

This is technically possible but is a disproportionate security measure suggested for a non-existing harm.

The CNIL observes that the contracts concluded by CRITEO with the partners did not contain any clause obliging them to provide proof of Internet users’ consent to CRITEO. In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by the CNIL. These are the Compliance shortfalls which could have been imposed as a corrective measure for the future rather than imposing a disproportionate fine.

CNIL for records sake also alleged that there was deficiency in the Privacy Policy which did not disclose all the intended uses of information collection, the information provided when the right of access was exercised by data subjects should have been more elaborate, the right to withdraw consent was exercised only in the form of stopping the advertisement and not deletion of data collected. These appear to be peripheral deficiencies added for additional effect.

CNIL also commented that when the data erasure request was received, the company will determine on a case to case basis on whether there was legal basis for processing as if this was a wrong process. In this context, CNIL appears to be opposing the right of CRITEO to exercise its legitimate interest and legal obligations if any before erasing the information. Once the advertisement is stopped, the erasure is a procedural aspect that needs to take into account certain other requirements of the organization including its billing requirements, settlement of disputes regarding billing etc and it is unfair to expect an automated deletion.

CNIL has forgotten the fundamental reason for the existence of GDPR, which is to prevent the harm to an individual and if no such harm is caused, there should be a reasonable tolerance on the procedures used for compliance.

It is necessary for CNIL to consider itself as an organization that works for the improvement of the Privacy eco-system rather than an organization that wields a stick to collect revenue.

CNIL has also pointed out that the contract between the CRITEO and some of its partners could be found defective since it did not recognize the “Joint Data Controller Status”. This is a valid observation and indicates the ignorance of many Data Controllers. However this is part of the educative process and needs to be given some time for implementation.

In every such case, it is the duty of CNIL to provide for implementation of corrective measures rather than take pride in imposing large penalties.

We urge the EU supervisory authorities in general and CNIL in particular to consider whether through such decisions they are hurting innovations in data science and productive use of data for advertising which is not an enemy of the Internet.

By taking such unreasonably tough stance, the cost of internet will increase and the burden will have to be borane by the public. Hence such decisions are unproductive for the community.

In the era of AI and Data Science, the attitude of CNIL appears regressive.

I invite a debate on this aspect of “Relevance of Advertising based on Behavioural Profiling”.

Naavi

Also Refer: EDPB Decision on noyb complaint against Meta is ultra-vires its authority and unfair | Naavi.org

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.