Since the May 25th deadline there have been two rulings that have helped put some flesh on the bones of what a post-GDPR world looks like. As more and more cases are brought, and rulings given, so our understanding of what best practice and future guidance looks like will inevitably deepen.
The first legal case precedes GDPR but is shaped within the context of the new data laws and impacts one of the businesses that is under most scrutiny, Facebook.
In June 2018, the Court of Justice of the EU (CJEU) ruled the administrators of Facebook fan pages should be viewed as joint-controllers of the personal data processed about the people who access their pages.
Stemming from a 2011 case involving Wirtschaftsakademie, a German educational company, the ruling potentially broadens the scope of which types of activity and businesses could be classified as a controller.
This is important from an affiliate perspective because, prior to GDPR coming into force, there was much industry discussion about whether affiliates are data processors or data controllers. A processor generally speaking doesn’t ‘control’ what and how data is used and as such is subject to fewer legal obligations than a data controller.
While there is no explicit processor/controller definition for affiliates, the status is based around the various ways that data is used. So, a company may decide they are a processor for certain things they do, but a controller for other. Regardless the status isn’t based on what a business would like to be defined as, but how regulators interpret they use data within the framework of GDPR.
What this ruling seems to suggest is that while affiliates may have considered themselves processors, regulators will take a different view. According to Out-Law.com, “The judegment represents a significant broadening of the concept of data controllership under EU data protection law”.
The ruling aligns with Awin’s view on affiliates. In May we published our own guidance, concluding affiliates, advertisers and Awin are all joint-controllers in a tri-partite relationship:
“Publishers are already controllers of data processed to acquire their own website users; only they have decided the separate purpose: ‘Let’s get some traffic so they can see the ads we publish’”.
An early GDPR ruling has also recently emerged, again from Germany. Concerning the purpose of processing personal data, a German court has declined US company ICANN’s application for preliminary junction as it hasn’t provided sufficient proof that collecting certain personal data is necessary to fulfil the purpose of the underlying contract.
The case is based on a contractual relationship ICANN had with German domain registrar EPAG, the latter agreeing to collect personal data from individuals and businesses purchasing domain names.
ICANN requested EPAG hand over certain information for the technical contacts at the companies registering domains. EPAG refused, essentially arguing the data wasn’t necessary to fulfil the purpose of the relationship and was not compliant with GDPR.
ICANN in turn took legal action, however, a court in Bonn confirmed EPAG’s position, not having been able to identify the necessity of the additional data for the defined purpose. The decision embodies GDPR’s core principles of data minimisation and purpose limitation and highlights that compliance with applicable law – in this case the GDPR – prevails over contractual obligations. Further development of this case is expected as ICANN has appealed the decision.
The European Data Protection Board said ICANN also needed to “explicitly justify” why it is necessary to retain personal data beyond the two-year limit outlined under GDPR as well as stating that, contrary to the company’s belief, it is a data controller.
Further rulings are expected in the coming weeks and months that will continue to build our understanding about how the new laws are interpreted. Awin is continuing to monitor the situation and will update our advice and guidance based on the outcomes of these cases.
Affiliates and advertisers can refer to the information we’ve supplied on Awin's GDPR portal. Upcoming initiatives the network will be embarking on is continuing to raise awareness about data processing, monitoring and integrating cookie consent tools and revising our publisher compliance procedures.