GDPR Compliance in the age of Emerging Technologies

Adtech is a term used to describe tools that analyse and manage information (including personal data) for online advertising and automate the processing of advertising transactions. Real-Time Bidding is a particular type of online advertising that ensures the buying and selling of advertising inventory in real time. In essence, it implies open auctions among advertisers. Real-Time Bidding involves many data processing operations that may result in a high risk to the rights and freedoms of individuals. Moreover, users are rarely aware of the effective functioning of this activity and how their personal data are affected. Indeed, operations like profiling, large-scale processing and tracking of location and/or behaviour, usage of new technologies are included; this happens in really short time (i.e. milliseconds). That said, there is a need to address the risks generated by the special features of Real-Time Bidding, that involves, for instance, careful analysis of the appropriate legal grounds, carrying out DPIAs and provide an elevate degree of transparency in processing such a great amount of personal data. Unfortunately, the dynamics of these processing operations and the technologies that are already in place in this sector, require a deeper comprehension by the regulators at EU level. Therefore, it is recommended that policy makers commit themselves to better understand the functioning of this type of adtech and how concretely address the relevant privacy issues..

The challenge with emerging technologies is that they continue to develop in ways that outstrip the EU's and member states’ ability to legislate effectively. While GDPR has somewhat stemmed the tide in terms of setting up a regulatory framework, its inflexibility is likely to create challenges in the future, particularly as these technologies are primarily being developed outside of Europe and thus outside of the reach of EU legislation. The EU and the EC in particular should thus focus its efforts on developing forward-looking and flexible legislation that can help create a far-reaching framework for governing the use of new technologies, so that as new capabilities are developed and become widespread, they can be effectively governed within an existing structure, instead of requiring reactionary legislation. The European Union should also boost investment in fostering a wide use of digital technologies across the economy and society and in securing them through investments in cybersecurity research and development. Its goal should be to support the procurement of advanced cybersecurity equipment, tools and data infrastructures, so as to promote the deployment of the latest security solutions across industries. Doing so can help foster the best use of knowledge and increase European capacity and skills related to cybersecurity. In particular, EC programmes should focus on reinforcing the capabilities within Member States for a uniformly high level of security of network and information systems across the EU. This will enable the EU to take advantage of emerging technologies such as blockchain and potentially help the EU spur on the development of technological champions, such as those currently found in Silicon Valley..

We believe that the future EC programmes should continue their support for research on the design and development of privacy enhancing technologies for compliance with the GDPR and the upcoming e-privacy regulations. As the use of such technology in different situations (with different requirements) and the integration of different security and privacy primitives are not straightforward, the EC should also foster training programmes accordingly. ..