Incompatible: The GDPR in the Age of Big Data | Tal Zarsky

Tal Zarsky (Haifa); Incompatible: The GDPR in the Age of Big Data; Seton Hall Law Review, Vol. 47, No. 4(2), 2017; 2017-08-22; 26 pages; ssrn:3022646.
Tal Z. Zarsky is Vice Dean and Professor, Haifa University, IL.

tl;dr → the opposition is elucidated and juxtaposed; the domain is problematized.
and → “Big Data,” by definition, is opportunistic and unsupervisable; it collects everything and identifies something later in the backend.  Else it is not “Big Data” (it is “little data,” which is known, familiar, boring, and of course has settled law surrounding its operational envelope).

Abstract

After years of drafting and negotiations, the EU finally passed the General Data Protection Regulation (GDPR). The GDPR’s impact will, most likely, be profound. Among the challenges data protection law faces in the digital age, the emergence of Big Data is perhaps the greatest. Indeed, Big Data analysis carries both hope and potential harm to the individuals whose data is analyzed, as well as other individuals indirectly affected by such analyses. These novel developments call for both conceptual and practical changes in the current legal setting.

Unfortunately, the GDPR fails to properly address the surge in Big Data practices. The GDPR’s provisions are — to borrow a key term used throughout EU data protection regulation — incompatible with the data environment that the availability of Big Data generates. Such incompatibility is destined to render many of the GDPR’s provisions quickly irrelevant. Alternatively, the GDPR’s enactment could substantially alter the way Big Data analysis is conducted, transferring it to one that is suboptimal and inefficient. It will do so while stalling innovation in Europe and limiting utility to European citizens, while not necessarily providing such citizens with greater privacy protection.

After a brief introduction (Part I), Part II quickly defines Big Data and its relevance to EU data protection law. Part III addresses four central concepts of EU data protection law as manifested in the GDPR: Purpose Specification, Data Minimization, Automated Decisions and Special Categories. It thereafter proceeds to demonstrate that the treatment of every one of these concepts in the GDPR is lacking and in fact incompatible with the prospects of Big Data analysis. Part IV concludes by discussing the aggregated effect of such incompatibilities on regulated entities, the EU, and society in general.

Rebuttal

<snide><irresponsible>Apparently this was not known before the activists captured the legislature and affected their ends with the force of law. Now we know. Yet we all must obey the law, as it stands and as it is written. And why was this not published in an EU-located law journal, perhaps one located in … Brussels?</irresponsible></snide>

Contents

  1. INTRODUCTION AND ROAD MAP
  2. A BRIEF PRIMER ON BIG DATA AND THE LAW
  3. THE GDPR’S INCOMPATIBILITY
    FOUR EXAMPLES

    1. Purpose Limitation
    2. Data Minimization
    3. Special Categories
    4. Automated Decisions
  4. CONCLUSION: WHAT’S NEXT FOR EUROPE?

Mentioned

  • Big Data (contra “little data”)
  • personal data
  • Big Data Revolution
  • evolution not revolution
    no really, revolution not evolution
  • The GDPR is a regulation “on the protection of natural persons,”
  • EU General Data Protection Regulation (GDPR)
  • EU Data Protection Directive (DPD)
  • IS GDPR different than DPD?  Maybe not.  Why? c.f. page 10.
  • Various attempts at intuiting bright-line tests around the laws are recited.
    It is a law, but nobody knows how it is interpreted or how it might be enforced.
  • statistical purpose
  • analytical purpose
  • data minimization
  • pseudonymization
  • reidentification
  • specific individuals
  • <quote>n the DPD, article 8(1) prohibited the processing of data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life,” while providing narrow exceptions.85 This distinction was embraced by the GDPR.</quote>
  • Article 29 Working Party
  • on (special) category contagion
    “we feel that all data is credit data, we just don’t know how to use it yet.”
    c.f. page 19; attributed to Dr. Douglas Merrill, then-founder, ZestFinance, ex-CTO, Google.
  • data subjects
  • automated decisions
  • right to “contest the decision”
  • obtain human intervention
  • trade secrets contra decision transparency
    by precedent, in EU (DE), corporate rights trump decision subject’s rights.
  • [a decision process] must be interpretable
  • right to due process [when facing a machine]

Definitions

Big Data is…

  • …wait for it… so very very big
    …thank you, thank you very much. I will be here all week. Please tip your waitron.
  • The Four Five “Vs”
The Four Five “Vs”
  1. The Volume of data collected,
  2. The Variety of the sources,
  3. The Velocity,
    <quote>with which the analysis of the data can unfold,</quote>,
  4. The Veracity,
    <quote>of the data which could (arguably) be achieved through the analytical process.</quote>,
  5. The Value, yup, that’s five.
    … <quote>yet this factor seems rather speculative and is thus best omitted.</quote>,
Erudition

The Brussels Effect

  • What goes on in EU goes global,
  • “Europeanization”
  • Law in EU is applied world-wide because corporate operations are universal.
Erudition

Aspects

  • purpose limitation,
  • data minimization,
  • special categories,
  • automated decisions.

References

There are 123 references, across 26 pages of prose, made manifest as footnotes in the legal style. Here, simplified and deduplicated.

Previously filled.

Pre-Conference AdTech Summarization | Gubbins

; Things you should know about AdTech, today; In His Blog, centrally hosted on LinkedIn; 2017-08-30; regwalled (you have to login to linkedin).

Occasion

Boosterism in front of the trade shows
  • Exchange Wire #ATSL17
  • Dmexco
  • Programmatic IO

Mentions

  • There be consolidation in the DSP category.
  • There will be more DSPs not less fewer.
  • Owned & Operated (O&O)
  • preferential deals
  • private equity companies
  • party data & a GDPR compliant screen agnostic ID
  • no “point solutions.”
  • Doubleclick Bid Manager (DBM), Google
  • Lara O’Reilly; Some Article; In Business Insider (maybe); WHEN?
    tl;dr → something about how Google DSP DBM guarantee “fraud-free” traffic.
  • Ads.txtAuthorized Digital Sellers, IAB Tech Lab
  • Claimed:
    comScore publishers are starting to adopt Ads.txt

Buy Side

Deal Flow
  • Sizmek acquired Rocket Fuel, (unverified) $145M.
  • Tremor sells its DSP to Taptica for $50M.
  • Singtel acquired Turn for $310M.
No flow, yet
  • Adform
  • MediaMath
  • DataXu
  • AppNexus

Sell Side

  • Header Bidding (HB)
    • Replaces the SSP category
    • <quote>effectively migrated the sell sides narrative & value prop of being a yield management partner to that of a feet on the street publisher re-seller.</quote>
  • QBR (Quarterly Business Result?)
  • Prebid.js
  • With server bidding, too.
  • Supply Path Optimization (SPO)
    • Brian O’Kelley (AppNexus); Article; In His Blog; WHEN?
      Brian O’Kelley, CEO, AppNexus.
    • Article; ; In ExchangeWire; WHEN?
  • Exchange Bidding in Dynamic Allocation (EBDA), Google
Exemplars
The Rubicon Project
a header tag, compatible with most wrappers, no proprietary wrapper, only Prebid.js
Index Exchange
a header tag, compatible with most wrappers, a proprietary wrapper
OpenX
a header tag that, compatible with many (not ‘most’) wrappers, a proprietary wrapper
AppNexus
a header, compatible with many (not ‘most’) wrappers, a proprietary wrapper (that is better than OpenX’s which is not enterprise grade)
PubMatic
a header tag, compatible with many (not ‘most)’ wrappers, a proprietary wrapper.
Other
  • TrustX
    • with
      • Digital Content Next
      • IPONWEB
      • ANA
    • Something about a transparent marketplace.
  • Something about another supply network
    • German
    • trade press in Digiday
Mobile
  • No header bidding, yet.
  • Mobile equals Adware (“in app”)
    • but Apps don’t have “browsers.”
    • but App browsers don’t have “pages” with “headers.”
    • though Apps have SDKs (libraries).
Video
  • RTL acquires SpotX
  • <quote>One could argue video is the perfect storm for header bidding, limited quality supply & maximum demand, the ideal conditions for a unified auction…</quote>
Talking Points
  • The industry is currently debating the pros & cons of running header bidding either client or server side (A lot boils down to latency V audience match rates)
  • Google offer their own version of header bidding, this is referred to as EBDA (Exchange Bidding in Dynamic Allocation) and is available to DFP customers.
  • Facebook recently entered header bidding by launching a header tag that enables publishers to capture FAN demand via header bidding on their mobile traffic.
  • Criteo entered header bidding by offering publishers their header tag (AKA Direct Bidder) that effectively delivers Criteos unique demand into the publisher’s header auction, at a 1st rather than cleared 2nd price.
  • Amazon have launched a server to server header bidding offering for publishers that delivers unique demand and the ability to manage other S2S demand partners for the publisher.
Extra Credit
  • <quote>senior AdTech big wigs</quote>
  • programmatic auction process
  • 1st v 2nd price
  • 2nd price was for waterfall
  • 1st price will be for unified (header bidding)

General Data Protection Regulation’ (GDPR)

  • 2018-05
  • Consent must be collected.
  • Will make 2nd party data marketplaces economical.
  • The salubrious effect.
  • Publishers have a Direct Relationship with consumers.
    this is argued as being “better.”
  • Industry choices
    • collect holistic consent
      <quote>one unified [process] of consumer [outreach] rather than one for every vendor</quote>
    • individual vendor consent
      <quote>for every cookie or device ID that flows through the OpenRTB pipes we have spent the last 10 years laying.</quote>

Viewability & Brand Safety

  • IAB
  • MRC

Talking Points

  • Moat was sold to Oracle for reported number of $800M.
  • PE Firm Providence Equity bought a % of Double Verify giving them a reported value of $300M.
  • Integral Ad Science remains independent, for now

Telcos

  • Telcos have what everybody in AdTech wants:
    • accurate data
    • privacy compliant data
    • scaled data
    • 1st party data.
  • Telcos want what AdTech & publishing companies have:
    • programmatic sell and buy side tools
    • content creation functions
    • distribution at scale.
    • diversification of revenues

Talking Points

  • Verizon buys AOL & Yahoo to form Oath, a publisher, a DSP, a DMP.
  • Telenor buys TapAd, a cross-device DMP-type-thing
  • Altice buys Teads, a streaming video vendor)
  • Singtel buys Turn, a DSP
  • AT&T needs a line in this list; might want to buy Time Warner which is a movie studio, media holding copmany, a cable operator, an old owner of AOL.
Shiny
Smartpipe
Raised $18.75M, Series A. Why?
ZeoTap
Raised $20M, through Series B, Why?

Data Management Platform (DMP)

  • Not a pure-play business.
    • A division, not a business.
    • An interface, not a division.
  • Everyone wants to own one.
Deciderata
  • Should DMP’s also be in the media buying business?
  • What are DMP’s doing to stay relevant for a world without cookies?
  • Do DMP’s plan to build or buy device graph features / functions?
  • For platforms that process & model a lot of 1st, 2nd & 3rd party data, how will they be affected by the pending GDPR?
Talking Points
  • Adobe bought Tube Mogul, a video DSP, for $540M (based on information &amp belief).
  • Oracle bought Moat, a verification feature, for $800M
  • Oracle bought Crosswise, a cross-device database, for <unstated/>
  • Salesforce bought Krux, a DMP, FOR $700M

Lotame remains independent, for now

ID Consortium’s & Cross-Device Players

Claims
Probabilistic “won’t work”
<quote>The GDPR may make it very difficult for a number of probabilistic methods to be applied to digital ID management.</quote>
Walled Garden
They … <quote>are using their own proprietary cross-screen deterministic token / people based ID that in many cases only works within their O&O environments.</quote>
Universal ID
Is desired. <quote>CMO’s & agencies in the future will not be requesting a cleaner supply chain, but a universal ID (or ID clearing house) that will enable them to manage reach, frequency & attribution across all of the partners they buy from.</quote>
Initiatives
The DigiTrust
<quote>This technology solution creates an anonymous user token, which is propagated by and between its members in lieu of billions of proprietary pixels and trackers on Web pages.</quote>
Claim: “Many” leading AdTech companies are already working with the DigiTrust team. [Which?]
AppNexus ID Consortium
  • Scheme: people-based ID.
  • Launch: 2017-05
  • Trade Name: TBD
    • Index Exchange
    • LiveRamp
    • OpenX
    • Live Intent
    • Rocket Fuel
Standalones
  • Adbrain
  • Screen6
  • Drawbridge

Blockchain

BUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ!

  • Blockchain is slow, too slow, way too slow
    Blockchain can handle 10 tps.
  • Does not work in OpenRGB
  • NYIAX
    • New York City
Referenced
  • Some Q&A; In AdExchanger
    tl;dr → interview of Dr Boris WHO?, IPONWEB; self-styled “the smartest man in AdTech and he concurs”

Artificial Intelligence

  • Is bullshit.
  • c.f.(names dropped)
    • Deepmind
    • Boston Dynamics

Omitted

  • DOOH
  • Audio
  • Programmatic TV
  • Over The Top (OTT)
  • MarTech != AdTech

Previously filled.