The EPC, alongside other European and US news publishers associations, have written to Google’s CEO Sundar Pichai expressing their concerns over the new terms that Google have announced a month before the new EU GDPR (General Data Protection Regulation) come into force. Read below the full letter.
April 30, 2018
1600 Amphitheatre Parkway
Mountain View, CA 94043
Dear Mr. Pichai,
We are trade associations whose members include European-based and international news publishers. Our publisher members through longstanding commitment and substantial financial and human investment in gathering and reporting on the news serve a vital role to both their readers and society as a whole. We have no doubt that Google would agree that a vibrant news market is fundamental to and is an underpinning tenet of a healthy democratic society. Our publisher members have always supported their endeavors, wholly or partially, through advertising.
As our members work through their efforts to comply with the European General Data Protection Regulation (GDPR), we read with interest your recent announcement of terms for the continuing use of Google’s advertising services in the European Union, Google’s plans for complying with the GDPR, and what Google will be imposing on publishers and indeed on the Ad Tech vendors they work with.
We are writing to express concern about your approach and to outline questions for which publishers need answers. As the major provider of digital advertising services to publishers, we find it especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms as publishers have now little time to assess the legality or fairness of your proposal and how best to consider its impact on their own GDPR compliance plans which have been underway for a long time. Nor do we believe that this meets the test of creating a fair, transparent and predictable business environment of the kind required by the draft Regulation COM (2018) 238 final published 26 April 2018.
The GDPR is intended to provide consumers with greater transparency and control over how their personal data is collected and used. As publishers with direct, trusted relationships with consumers, our members have a duty to make sure that obligation is met by them and their partners, such as Google. We acknowledge that determining a path towards compliance with the new law is something all companies must work out for themselves, and because each company processes personal data in different ways and has different purposes and interests in doing so, there is no one-size-fits-all solution for GDPR compliance. Indeed, our members vis-à-vis Google and others in the ad tech ecosystem have different purposes and interests for participating in that ecosystem — as publishers, digital advertising provides essential funding to support the gathering and reporting on the news, an activity that has longstanding, undisputed benefits to consumers and society as a whole.
Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law.
Under your proposal, in providing certain digital advertising services to publishers, you assert that Google will be a controller of the personal data it receives from publishers and collects on publisher pages, and that Google will make unilateral decisions about how a publisher’s data is used. As a controller, Google will need its own legal basis to process that personal data under the GDPR. Your proposal notes that Google intends to rely on consent for its legal basis and you will require publishers to obtain legally valid consent on behalf of Google for its processing of personal data as a separate and independent controller which you directly benefit from, yet you decide how and when that data may be made available to others and do not provide any details about how the data will be used by Google. By imposing your own standard for regulatory compliance Google effectively prevents publishers from being able to choose which partners to work with.
Further, your proposal notes that Google may stop serving ads on publisher sites if you deem their consent mechanism to be insufficient. If Google then dictates how that mechanism would look and prescribes the number of companies a publisher can work with, this would limit the choice of companies that any one publisher can gather consent for, or integrate with, to a very small number defined by Google. This gives rise to grave concerns in terms of anti-competitive behavior as Google is in effect dictating to the market which companies any publisher can do business with. Finally, your attempt to shift full liability onto publishers for obtaining consent on your behalf as a separate and independent controller is troubling to us. As trade associations representing publishers around the world, we have grave concerns about this approach as follows:
Controller. Your Controller Terms (§ 4.1(a)) spell out that Google will be an independent controller with respect to any personal data that is processed by either party under the Google Controller Terms in connection with its provision or use (as applicable) of the Controller Services (“Controller Personal Data”). The terms further specify that Google will individually determine the purposes and means of its processing of Controller Personal Data. While Google may be considered a controller in certain circumstances which have yet to be fully disclosed, it should not be considered a controller over all data that it receives from publishers or collects on publisher pages in connection with advertising services provided to publishers. Your proposal should include full disclosure of the use and purposes of the data received and collected by Google to preserve a true partnership with publishers. Claiming such broad rights over all data in the ecosystem, without full disclosure and without providing publishers the option for Google to act as a processor for certain types of data, appears to be an intentional abuse of your market power.
Consent. Your proposal notes that Google will need affirmative, express consent as its legal basis to process data of European citizens. However, your plan is to require that publishers obtain on Google’s behalf broad and blanket consent for all “collection, sharing, and use of personal data for personalization of ads or other services from its users.” At the same time, you refuse to provide publishers with any specific information about how you will collect, share and use the data. Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular, and informed consent under the GDPR. If publishers agree to obtain consent on your behalf, then you must provide the publisher with detailed information for each use of the personal data for which you want publishers to ask for legally valid consent and model language to obtain consent for your activities.
At the same time, Google’s determination that it will rely on consent as its legal basis for the processing of personal data it receives from publishers and collects on publisher pages as an independent controller of that data, should not presuppose any legal basis or interest that our publisher members may have in collecting and using that same data as a controller as well. Some publishers may want to rely upon legitimate interest as a legal basis and since the GDPR calls for balancing several factors, it may be appropriate for publishers to process data under this legal basis for some purposes. Our members, as providers of the news, have different purposes and interests for participating in the digital advertising ecosystem. Yet, Google’s imposition of an essentially self-prescribed one-size-fits-all approach doesn’t seem to take into account or allow for the different purposes and interests publishers have.
Liability. Also, of concern is your attempt to transfer liability for consent to the publisher. Your proposal includes a contractual structure that improperly reallocates responsibility and liability to require the publishers to take the full brunt of a regulatory or private action penalties – penalties that could implicate up to four percent of global turnover for the prior financial year – should the publishers fail to obtain consent on Google’s behalf, despite the fact that the publishers must obtain such consent in the absence of sufficient information regarding Google’s intended practices. Given that your now-changed terms are incorporated by reference into many contracts under which publishers indemnify Google, these terms could result in publishers indemnifying Google for potentially ruinous fines. We strongly encourage you to revise your proposal to include mutual indemnification provisions and limitations on liability. While the exact allocation of liability should be negotiated by individual publishers, your current proposal represents a “take it or leave it” disproportionate approach.
In addition to the above concerns, we have identified a number of questions for which publishers require answers. While we expect there will be additional questions going forward and we have seen your most recent blog post, we would appreciate your prompt reply to the following questions.
- What specific activities does Google undertake that would make it a “controller” under the GDPR? Have you sought guidance from regulators to inform or confirm your decision? The more logical legal position would be as a processor of that data. Have you examined the tenability of this legal position? If so, why has this position been rejected in favour of being designated a controller of the data?
Given that you announced just recently a solution for serving “non-personalized” ads, we would appreciate clarification on the following questions:
- Is this solution meant to serve only contextual ads?
- Under this solution, will Google serve only in the role of processor?
- To what extent, will Google rely on legal bases other than consent to collect and use personal data?
- Is this solution intended for use when a consumer does not grant consent?
- With regard to any of Google’s services used by publishers, will you be explicit about the purposes for which Google requires consent from end users? The specification of purposes will need to meet the condition specified in GDPR Art.6.1.a (to the level of detailed needed).
- Your proposal notes that Google will not serve ads on sites with consent mechanisms that do not meet your criteria.
- In Google’s opinion, what constitutes a valid user experience for gaining consent?
- Do you envision a one-size-fits-all approach?
- How will you determine which sites must comply with the GDPR?
- Would you implement a warning system for publishers you deem out of compliance? Will any such system include human review prior to a decision?
- How would a publisher use your services to serve advertising without triggering the need for obtaining consumer consent?
- If publishers decide to utilize an industry-wide consent management platform, how could Google’s services be integrated? Specifically, will you commit to being listed as a vendor in the IAB Europe’s consent mechanism?
Given the rapidly approaching enforcement date of May 25, we would appreciate your prompt attention to our concerns. If you need any clarification, please feel free to reach out to Chris Pedigo, SVP for Digital Content Next, who can help coordinate a response from all of us.
Jason Kint, CEO, Digital Content Next
Angela Mills Wade, Executive Director, European Publishers Council
David Chavern, President and CEO, News Media Alliance
David Newell, CEO, News Media Association
 Even nonprofit members may serve sponsorship messages or underwriting acknowledgments that – although they are not advertisements – are provided through Google’s services.