In light of global laws like the EU’s General Data Protection Regulation (GDPR) and California Data Privacy Act, there’s no question that data governance must be at the core of all data sharing activities. A universal challenge for all data-driven enterprises is how to support existing business processes while also accelerating innovation – without violating data privacy laws. But small companies, such as Vectaury, a provider of mobile programs and predictive marketing to brands and retailers, now have their entire business model at risk.
According to recent guidance from the European Commission, “Data-driven innovation is a key enabler of growth and jobs in Europe.” A couple of months before the 25th of May 2018 – when the GDPR finally became directly applicable across the 28 Member States – the French President announced, “We will open our data in France.”
However, precisely because of the GDPR, the only way to make data-driven innovation or data sharing possible in Europe is to make it sustainable. This will only be possible by protecting the rights and freedoms of individuals whose data is being used in the process. The recent decision in the Vectaury case by the French Data Protection Agency – La Commission Nationale de l’Informatique et des Libertés (CNIL) – is a must-read for those interested in identifying best practice for sustainable data sharing.
The Vectaury Case In A Nutshell
According to its website, Vectaury was founded in 2014 “to support traffic generation in stores thanks to analysis of geolocation data, accessible from smartphones.” As the CNIL explains, it was engaged in the business of creating user profiles from movement habits in order to target advertising to mobile users. To this end, Vectaury had signed contracts with five companies operating 19 smartphone applications. User data collected through the apps were then combined with data collected at points of interest (i.e., physical locations corresponding in many instances to sales points). To collect user data through the apps, Vectaury had developed an SDK, integrated into the code of the 19 apps, to collect geolocation data, mobile advertising identifiers, the names and versions of apps, and the type of operating system (Android or iOS).
Vectaury’s business model relied upon three key steps:
- Integration of SDK software into the code of the 19 apps to receive data about the functioning of the apps;
- Linking of geolocation data collected through the SDK software with data collected at the points of interest for commercial canvassing; and,
- Advertising campaigns through the buying of advertising space on apps to deliver clients’ advertising through a system of bid requests. Potential advertisers received geolocation data and advertising identifiers of mobile users (where the ad would be shown). Advertisers then bid to buy advertising space on user apps. Notably, for the system of bid requests, user data were initially collected from apps without a direct contractual relationship with Vectaury.
Vectaury was therefore an ad broker, receiving user mobile data before it was sent to advertisers for them to then bid for advertising space. In order to determine whether advertising campaigns were effective, Vectaury combined these mobile data with data collected at the points of interest to see whether targeted users had visited relevant sales points.
Vectaury had no problem acknowledging that it was acting as a data controller for the processing of user personal data received from the apps. However, under EU law, each processing of personal data should be based upon a legal basis, as enumerated by GDPR’s Article 6, which sets forth six potential legal bases for processing data. Vectaury had based its processing upon user informed consent (Article 6(1)(a)).
The CNIL’s Decision
The CNIL refused to accept that Vectaury had an appropriate legal basis for the processing of personal data and enjoined Vectaury not to process personal data without an appropriate legal basis. This is because Vectaury was not able to demonstrate that informed consent on the part of the data subjects had been obtained for the processing purposes pursued by Vectaury.
As per GDPR Article 7(1): “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” (Emphasis mine.) Vectaury was given 3 months to comply with this injunction. Ultimately, Vectaury was not able to demonstrate the type of consent required.
Why This Case Matters
This decision is fascinating for many different reasons. In particular, it explains, in context, the characteristics of valid consent (consent must be obtained before the start of the processing, it must be informed and specific, and it must be given by a clear affirmative action) and sheds light on how processing purposes should be formulated.
From a data sharing perspective, one key lesson to derive from this case is that a recipient of personal data, Vectaury in this case, cannot simply rely upon a contractual clause concluded with the data provider to demonstrate that data subjects have specifically consented to the processing of their personal data. Consequently, Vectaury should have monitored more closely the obtaining of informed consent at the data collection stage and then should have ensured that the processing purposes to which users had consented at the collection stage had been preserved over time.
The Vectaury case makes it clear that data governance should be at the core of all data sharing activities, which is precisely what Immuta aims to achieve through a combination of customizable and self-executing data policies, privacy enhancing tools, and purpose preservation mechanisms. With Immuta, sustainable data sharing in the field of advertising could become a reality.