Does it matter where data is processed? Should it? There are some interesting developments taking this question well beyond the familiar questions about data flows between jurisdictions.
What about data use on devices, on servers, and between them? There is a lesser-spotted trend for vertically integrated firms to encourage greater use of (1) on-device processing and (2) to limit the scope for interoperation between data on devices and on servers. These are significant competitive restrictions: they limit competition with no corresponding consumer benefit. They also harm rivals who use the server deployments set to be limited – rivals who may be highly innovative.
Two significant developments threaten the ability to use a range of competing servers:
Server restrictions in the Google Privacy Sandbox
Google’s Privacy Sandbox initiative currently proposes that only Google Cloud or Amazon Web Services (AWS) will be allowed to provide remote processing for the proposed Attribution Reporting API. This amounts to a ban on on-premises server use, that is, using your own server.
This is astonishing. It is like saying that you can lease any car, provided that it is a Ford or a Toyota. What if you would like to own a competing model – say, a VW?
There is simply no ability to do so while using the API as proposed, because it can only be used on a leased basis on the cloud.
This also bakes in the current generation of technology from the largest providers. So much for that innovative electric car you were thinking of trying out… A competing hosting provider simply isn’t allowed to interoperate with the API.
The proposal is all the more remarkable because approximately two thirds of existing deployments are on-premises:
So, the proposal is essentially to force a technological tie between data hosting and advertising systems.
This is all the more concerning because on-premise deployment is considered safer, on average, than cloud. KBV goes on to note:
“many benefits … come with on-premise deployment, including a high level of data protection and safety. Because on-premise deployment models have higher data security and fewer data breaches than cloud-based deployment models, industries prefer them, which fuels industry demand for on-premise deployment models.”
So there is no good reason to exclude the competing alternatives. This is especially so at a time when cloud computing restrictions are under review based on concerns about difficulties in switching.
If you currently use on-premise servers – or, indeed, anything other than Google Cloud or AWS – now would be a very good time to register a concern with the UK Competition and Markets Authority, which is reviewing Google’s proposals.
There is a quarterly reporting cycle with ample scope for concerns to be heard – the sooner the better, so as to influence the current reporting cycle.
Draft EDPB Guidance on Technical Scope
The same theme emerges from some important draft Guidance from the European Data Protection Board (EDPB). This revisits the much-maligned cookie consent box, which derives from Art. 5(3) of the ePrivacy Directive.
The draft Guidelines 2/2023 on Technical Scope of Art.5(3) of the ePrivacy Directive do not trip off the tongue, but their content is highly significant for competing data handlers. The draft extends the cookies analysis to other technologies including pixels and tracking links.
Significantly, there is a partial carve out for on-device storage. This risks a tilt towards those controlling devices, unless the rules are technologically neutral. The proposal is to capture movement into and out of local storage:
“The use of such information by an application would not be subject to Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed through the communication network, Article 5(3) ePD may apply.”
That is very helpful to those able to execute local processing – but a tremendous hurdle for those who rely on server-side processing.
As server and on-device processing are indistinguishable from the consumer perspective, the technologically and competitively neutral rule would be to intervene on the basis of a reasonable evidence-based level of consumer protection – with the same rule, whether on-device or on the cloud, or moving between them. That would suggest that consent is not generally required to move data from the device to servers, as consumers are not harmed by this action.
IP addresses are highlighted as potentially requiring consent, without any carve out for innocuous use, such as audience definition. For example, an IP address with coarse location might contain no personal data at all, as where a business address is indicated. But the Guidance seems not to cater to that scenario.
There is also specific comment on the use of identifiers. The draft takes a highly precautionary stance: identifiers are seen often to link to identity – but is this so? Trillions of identifiers are used for innocuous audience matching purposes without any such link. If so, the guidance is over-broad and imposes a consent requirement beyond what is needed for a reasonable level of evidence-based consumer protection.
So, those with interests in the use of data for everyday, harmless but helpful audience optimization may wish to speak up. Comments can be submitted until January 18th.