Safe Harbor for Ad Tech Companies: A Practical Guide
“What happens in Vegas stays in Vegas.” If you’ve ever had to rely on that time-honored principle, you might understand the thinking behind the EU cross-border data transfer restrictions that can stop international deals in their tracks. Europeans worry about what would happen if information about them fell into the hands of outsiders. And to Europeans, Americans are outsiders whose supposedly inadequate laws are a sign they cannot be trusted to keep a secret or handle the information responsibly. That’s why EU law restricts companies from sending certain data from the EU to the U.S. And for that reason, many potential customers and business partners are hesitant to do deals with U.S. ad tech companies when the data pertains to European audiences.
This blog post explains (1) why these restrictions apply even to data that the U.S. ad tech industry considers non-PII, (2) why joining the U.S./EU and U.S./Swiss Safe Harbor program is the easiest way for an ad tech company to put those fears to rest and to tap the European market without running afoul of the restrictions and (3) how ad tech companies solve some of the special challenges that Safe Harbor certification presents to their industry.
Why This Matters: Under EU Data Protection Laws, Even “Non-PII” is “Personal Data”
Under EU regulators’ reading of their law, “personal data” subject to the international transfer restriction can include unique identifiers in cookies, IDFAs, Android Advertising IDs, IP addresses and many other data points that can be associated with only one individual, browser, computer, or device, as well as precise geolocation data. Traditional PII, such as email addresses, would of course be considered personal data subject to these restrictions. Some Europeans argue that even hashes of any of the above would be PII. Finally, segments and browsing behavior linked to any of the above are typically considered personal data in the EU, and thus are subject to the restrictions. (Thus, a wide range of what U.S. self-regulatory programs consider “non-PII” is in fact personal data in the EU.) To transfer any of the above data to the U.S. by any means (for example, direct collection from the U.S., encrypted FTP transfer, email transfer, or even just hosting the data on an EU server that is accessible from the U.S.), a company in the EU needs to take advantage of an exception to the cross-border data transfer restriction.
Why Safe Harbor Certification is the Best Way to Get Ad Tech Data to the U.S.
There are only a handful of available exceptions to the cross-border data transfer restriction. Safe Harbor certification is the easiest and most elegant way for U.S. ad tech companies because getting certified is a reasonably smooth process, and a certified company’s customers and business partners don’t have to jump through any legal or business hoops to transfer data to it. Before we explore that further, let’s consider why the other two most relevant exceptions to the cross-border data transfer restriction (consent and model contracts) carry significant disadvantages for U.S. companies and for their customers and partners:
- Data can be transferred to the U.S. on the basis of model contracts, which are agreements containing a set of contractual clauses approved by the European Commission for this purpose. In the event of a conflict between a model contract and the underlying business agreement, the model contract will take precedence. Significant downsides include: (1) these contracts have to be signed with each customer and partner that will transfer data, a process that can significantly slow down deals; (2) compliance with the contracts is a pain, and the extremely onerous language they contain cannot be altered by either party (except for portions of the exhibits, which frequently are negotiated); and (3) the customers and business partners that sign the contracts sometimes need to submit them to European data protection authorities, which nobody likes to do. These contracts can have a role to play where data is transferred from Europe directly to certain countries outside the U.S., but they generally shouldn’t be the first choice for U.S. ad tech companies.
To join Safe Harbor, a company takes a look at how it handles data, adds some protections where required to comply with Safe Harbor (as discussed in the sections below), and completes a very simple online certification form. After that, the company is basically on equal footing with its European competitors: its customers and partners can send data to it without taking any special measures. No extra consent to obtain, no extra contracts to negotiate and honor, and no extra regulatory filings. And better still, the Safe Harbor member company holds a competitive advantage over other companies that force their customers and business partners to deal with the headaches caused by the other data transfer options.
How Ad Tech Companies Comply With Safe Harbor
Membership in Safe Harbor usually requires the U.S. company to handle the data pursuant to the EU-style restrictions found in the Safe Harbor Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, as well as in the accompanying set of 15 FAQs.
Doing this the easy way requires strategic navigation of the unique challenges Safe Harbor presents for the ad tech industry due to (1) the unique nature of the data involved, (2) most ad tech companies’ limited or nonexistent ability to communicate directly with European audiences to provide notice and offer choices, (3) the only partially overlapping requirements of Safe Harbor, the EU Data Protection Directive, the EU e-Privacy Directive (also known as the Cookie Directive), and U.S.-based self-regulatory programs, and (4) the web of contracts that regulate the ecosystem. Below are examples of how some of the main issues can be resolved.
Notice: To the extent it applies, compliance with the Safe Harbor Notice Principle involves providing information to European audiences (mainly regarding how data is collected and disclosed for advertising and analytics purposes, how to opt-out, and how to contact the company with inquiries or complaints). Compliance strategies vary, but typically ad tech companies do this through some combination of the following:
- Serving the AdChoices’ icon in ads and ensuring that it links to appropriate information, including an effective opt-out.
- Explicitly shifting notice obligations to publishers, other data sources and others that interact more directly with the audience.
Choice: Participating ad tech companies may need to comply with the Choice Principle, which typically amounts to providing an opt-out from the use and disclosure of data for advertising or analytics purposes. (Under Safe Harbor, opt-in is required only when the company is handling sensitive data, which, as discussed below, includes a much broader set of data types than those deemed sensitive under the NAI Code of Conduct or the cross-industry Self-Regulatory Program for Online Behavioral Advertising.) In many cases, ad tech companies find that their existing opt-out already meets Safe Harbor standards, and compliance is just a matter of making the opt-out accessible to the right audience at the right time. They typically can do this through the same sorts of steps taken to comply with the Notice Principle, discussed above. In some cases, this includes contractually requiring publishers to comply with their existing obligations under the e-Privacy Directive / Cookie Directive (e.g., by serving a compliant cookie banner), which many of them already do.
Dealing with Sensitive Data. Going far beyond the NAI and DAA definitions of “sensitive,” the Safe Harbor —like the more onerous legal mechanisms for getting data to the U.S.—defines as sensitive (1) any personal data “specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership,” (2) personal data “specifying the sex life of the individual,” and (3) any other information received from a third party where the third party treats and identifies it as sensitive. Under the broad definition of personal data mentioned above, data segments based on these items (such as audience data sold on an exchange) may be considered sensitive data. This can mean that creating, using or disclosing the segments requires prior opt-in consent. However, in extremely limited cases, some ad tech companies may be able to rely on an exception, such as if they handle the data solely as conduits or service providers to their clients or if the collection of data for advertising or analytics purposes was made clear to the audience at the outset. Companies wishing to make use of these exemptions must tread very carefully, however, because EU laws typically require opt-in where use of the data is permitted, the U.S. company or its clients or partners may be subject to those laws, and the regulatory climate surrounding the data is particularly unforgiving.
Access. Under a rule that will feel familiar to anyone who has ever requested their own credit report, Safe Harbor requires most participating companies to give any European individual access to the personal data they hold about him or her upon request. While building a tool like the BlueKai Registry would go a long way to addressing this requirement, not everybody has the resources to do that. Many ad tech companies (particularly certain intermediaries) would find building such a tool to be inappropriate or impossible, and it should not be considered necessary. Access requests in the ad tech space are extremely rare, and in practice, many companies can comply with the Access Principle by responding to requests through a multipronged approach that does not involve such registries: (1) if the request pertains to data that they handle on behalf of a client, they can refer the individual to the client and then cooperate with the client’s decisions regarding the response, (2) if the request pertains to non-PII, they may well have to deny the request on the basis of an exception, such as that compliance with the request would be too burdensome, but in rare cases they may be able to honor the request, and (3) if the request pertains to the company’s own PII data, they will honor the request.
Enforcement. Safe Harbor requires companies to designate a dispute resolution provider to handle disputes that the companies are unable to resolve independently with Europeans whose data they have handled. For many ad tech companies, the best dispute resolution providers are certain commercial arbitration services that offer a low per-case rate for Safe Harbor disputes and feature certain company-friendly rules, such as requirements to conduct proceedings in writing or by phone instead of in-person hearings. When selecting a provider, ad tech companies should consider the likelihood that they will have disputes with European individuals. Disputes are rare, so it usually doesn’t make financial sense to pay a five-figure or six-figure yearly flat-fee retainer for a dispute resolution provider when significantly less expensive per-case options are available.
Concluding thoughts. There’s more to Safe Harbor and European data-transfer restrictions than this, but these are the main points of interest to U.S. ad tech companies. The unique issues that Safe Harbor presents for these companies can be solved in an intuitive manner, and the prizes for solving them are broader market reach, a significant increase in international deal velocity, and peace of mind.
To learn more about emerging ad tech legal issues, including more about the international issues, join ZwillGen’s Ken Dreifach and Mason Weisz for a free webinar on December 4, 2014, from 12:30-1:30 p.m. EST.
Photo by ADTeasdale from Flickr