X
WINNER!
Digiday Technology Awards 2020 Best Data Management Platform DMP of the Year Learn More

Panel Recap: IAPP Europe “Further Processing of Cookie Data: Available Legal Bases Under the ePD/GDPR”

December 2, 2020

IAPP Europe Data Protection Congress, Europe’s most influential data protection conference, brings together experts to address the latest technologies, emerging challenges and evolving solutions for the current privacy industry. Held virtually this year, sessions ranged from advanced comparative analysis of regulations to emerging privacy issues associated with artificial intelligence to further processing of cookie data.

Taking the virtual stage was Lotame’s own Chief Privacy Officer and General Counsel Amy Yeung. Amy joined esteemed moderator and guests for a thoughtful discussion of “Further Processing of Cookie Data: Available Legal Bases Under the ePD/GDPR.”

Panelist: Rosa Barcelo, Partner, Squire Patton Boggs; Hielke Hijmans, Director, President of Litigation Chamber, Belgian Data Protection Authority; Herke Kranenborg, Professor, Maastricht University, Member, Legal Service European Commission; Amy Yeung, General Counsel and Chief Privacy Officer'

Moderator Rosa Barcelo set the stage for the conversation by explaining to the audience the requirements of the ePrivacy Directive. Individuals must provide consent to set cookies and read cookie IDs unless it is necessary for the provision of the service (e.g., cookies used for a shopping basket). As privacy laws evolve, several areas remain unclear despite guidance from the European Data Protection Board and decisions from the Court of Justice of the European Union. 

Panelists engaged in rousing debates around three key topics:

  1. The possibility to set cookies relying on the legal grounds of GDPR rather than those of the ePrivacy Directive
  2. The possibility to set cookies and process cookie data / IDs using Article 6(4) of the GDPR regarding further processing for a compatible purpose
  3. Conditional consent or cookie tracking walls, which require users to agree to cookies to access a given service a.k.a. “take it or leave it” 

Amy provided the business counterpoint to her fellow panelists. She drew on several real-world examples to explain the conundrum many companies across the digital advertising industry find themselves in today: improve privacy disclosures to consumers in order to gain consent versus focusing (or refocusing) on privacy by design of operations throughput. Amy advocated for a data minimization approach to protect the consumer and the consumer experience but highlighted the challenges in a path-dependent system, where midstream improvements require partnership and active involvement of many companies, such as when a data collection purpose hasn’t been clearly designed or outlined on the front end. 

In often lively conversation, panelists discussed how principles on paper have good intentions but, as Amy illustrated, may have unintended negative effects down the road. Amy challenged privacy professionals everywhere to spend more time on defining “what is identity” versus “what are identifiers.” Using a COVID contact tracing example, she explained how the practice gathers a stream of identifiers that carry minimal identity. Contact tracing embeds pseudonymization and data minimization to deliver an inherently useful, non-PII tool to both health professionals and consumers. “This is data privacy by design,” she explained, “as there is accuracy but not to the individual, combined with short-term storage limitations that layer in true confidentiality.” 

To listen to the session in full, visit IAPP Europe’s event page: Speaking invitations for Amy Yeung should be directed to mktg@lotame.com.