Brave Writes to All 28 EU Member States, Defending ePrivacy Regulation’s “Privacy By Design and By Default”
17 July 2018: Brave wrote to the governments of each of the twenty eight Member States of the European Union yesterday and today to express its concern about privacy.
European governments are currently considering proposals to reduce the level of privacy protection in the new ePrivacy Regulation. Today, they will discuss whether to remove the Article 10 “Privacy By Design and By Default” protections. They will also consider whether to dilute Article 8’s prohibition against making access to a service conditional on consent for non-essential processing (“cookie walls”).
The Council of Ministers is weighing not only how best to protect privacy, but also publisher sustainability and the future of the Digital Single Market. We believe these things are compatible. Brave’s letter is principled and pragmatic. It makes an argument for keeping strong privacy protections in the ePrivacy Regulation, and gives economic reasons for doing so.
The letter also calls attention, perhaps for the first time, to flawed research that may have unduly influenced the Council. The research in question purported to show how heavily publishers depend on tracking-based advertising for their revenue, whereas in fact its authors included Google and Facebook’s own enormous tracking-based advertising revenue without saying so.
European Governments have been told by our colleagues in the adtech industry that tracking is necessary for websites such as newspapers to earn advertising revenue. This is not the case. Publisher revenue is not contingent on a lax approach to personal data.
As innovators, we believe that privacy enhancement is change for the better. We encourage like-minded colleagues in industry to read this letter, and to consider joining with us to call for strong privacy protections in the ePrivacy Regulation.
Re: Industry concern about the removal of Article 10, and dilution of Article 8, in the ePrivacy Regulation
We write to support the privacy protections in the proposed ePrivacy Regulation, and to express our concern about two items:
1. We believe that it would be a mistake to remove the Article 10 “Privacy By Design and By Default” protections.
2. We also believe that it would be a mistake to dilute Article 8’s prohibition against making access to a service conditional on consent for non-essential processing (“cookie walls”), which the proposed changes to Recital 20 (and Recital 21 in the previous text) would do.
These changes would harm the online economy, and the protection of fundamental freedoms.
As technology and online industry leaders with a strong commitment to the Digital Single Market, we believe that the protection of the fundamental rights to privacy and data protection enshrined in the European Charter is entirely compatible with sophisticated advertising technology – provided that that technology handles personal data correctly. It is not tenable for any publisher, adtech vendor, or trade body, to claim that they must track people in order to generate revenue from advertising.
The economic benefit of behavioral tracking to publishers’ advertising businesses is questionable. IAB Europe, an adtech/targeting industry trade body, recently funded a lobbying study on “The economic value of behavioral targeting in digital advertising” that claimed that European publishers rely on tracking for their advertising revenue. However, IHS Markit, which produced the study for IAB Europe, recently confirmed in writing to us that the report inflated publisher revenue that results from this dangerous form of advertising, because it included Google and Facebook’s revenues as “publisher revenue”, without disclosing this in the report – despite the fact that these two companies are not publishers, and now have taken 71% of online advertising spending in Europe.
Publishers fare better when not using this form of advertising. “Behavioral” ads only earn publishers 25-40% of the money spent on an advertising campaign, whereas other online advertising (such as “network” or the more lucrative “direct sold” advertising) earn a publisher between 70% and 95% of a marketer’s ad budget. This is the cost of the “adtech tax”. It not only harms fundamental freedoms, but is eroding publisher revenue over time.
For example, when The Guardian bought ads on its own site through an auctioning system for behaviorally targeted ads, it received only 30% in revenue of the sum it paid as a buyer. The majority of this money goes not to publishers, but to adtech firms.
For these reasons, we are convinced that making access to a service conditional on consent for online behavioral advertising, as may be suggested by the proposed change to Recital 21, is counter productive.
Online behavioral advertising (known as “RTB”) is a data breach.
It is also worth bringing to your attention the infringement of fundamental freedoms that is caused by tracking-based advertising. Every time a behaviorally targeted ad is served on a website, the system that selects the ad broadcasts the website visitor’s personal data to hundreds or thousands of companies.
These personal data include the URL of every page a user is visiting, their IP address (from which geographical position may be inferred), details of their device, and various unique IDs that may have been stored about the user previously to help build up a long term profile about him or her.
This is a vast and ongoing data breach – as is evident if one reads the publicly available “openRTB specification” that dictates how this system works. It is a data protection free zone.
Despite the grace period leading up to the GDPR, the adtech industry has built no adequate controls to enforce data protection among the many companies that receive data.
We would be delighted to provide further information, or to meet and brief you, to assist in your deliberations.
The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices by late 2017) across the globe proves the terrible cost of inadequately regulating the tracking-based advertising system. Therefore, we urge you to restore the “cookie wall” prohibition in Recital 20, and to restore the Privacy by Design protections in Article 10, as you convene at the WP TELE meeting on 17 July.
Dr Johnny Ryan
Chief Policy & Industry Relations Officer
Brave has filed a GDPR complaint v Google for infringing the GDPR “purpose limitation” principle. Enforcement would be tantamount to a functional separation of Google’s business.
Brave’s submission to the UK Competition & Markets Authority shows how to fix the RTB market and end Google’s advertising monopoly.
Brave uncovers widespread surveillance of UK citizens by private companies embedded on UK council websites
Brave has uncovered widespread surveillance of UK citizens by private companies embedded on UK council websites. “Surveillance on UK council websites”, a new report from Brave, reveals the extent of private companies’ surveillance of UK citizens when they seek help for addiction, disability, and poverty from their local government authorities.