Data protection regulation and Google’s Privacy Sandbox commitments

[jwrosewell]

Introduction

This issue summarises the position that Google committed to in February 2022 with the CMA and which binds Google's engagement in the W3C and elsewhere.

This overarching position statement will in time be linked to from specific proposal issues and comments and is provided here to avoid repetition across many proposals.

As this is a proposal that has already been accepted by Google can the chairs @cwilso and @yoavweiss who are affiliated with Google mark it as accepted?

Analysis

Google has committed to the UK Competition and Markets Authority that it will develop the Privacy Sandbox according to a set of Development and Implementation Criteria:

a. “Impact on privacy outcomes” and “compliance with” data protection regulated, defined with reference to data protection legislation, the latter defined under the UK framework which, at least for now, remains equivalent to EU data protection law;
b. “Impact on competition in digital advertising” and in particular the risk of distortion between Google and others;
c. “Impact on publishers… and advertisers” including publishers’ ability to generate revenue, and advertisers’ ability to obtain cost-effective advertising;
d. “Impact on user experience” including advertising relevance, transparency over Personal Data use, and user control; and
e. Technical feasibility, complexity, and cost.

These principles are designed to address three concerns from the CMA’s investigation. In summary these were:

(1) Competitive distortion in ad inventory and ad tech by restricting others from tracking while retaining tracking for Google
(2) Competitive distortion from self-preference of Google’s own advertising products and services and owned and operated ad inventory
(3) Denying Chrome web users “substantial choice in terms of whether and how the Personal Data is used for” targeting.

The main obligation on Google is to trigger a standstill before removing Third Party Cookie support in Chrome. There are also several data handling restrictions which bind after the retirement of Third Party cookies, which are designed to prevent distortions via data handling.

During the design phase, there are several CMA- and public-facing obligations in the Commitments. The core public-facing obligations on Google are to:

• Provide information on the commitments, including that it will apply the Criteria in “design, development and implementation” of the Privacy Sandbox and engage with the CMA to that effect.
• Disclose timings and key information material to publishers, advertisers and ad tech providers to allow “influence” in the proposals and to allow “adjustment of their business models.”
• Provide a process for stakeholder engagement with public feedback on design, development and implementation via a dedicated microsite.
• Additionally, provide quarterly reports which must account for reasonable views and suggestions applying the Criteria.
• Proceed via W3C processes where relevant.
• Instruct staff not to contradict the commitments, and accordingly train them.

The quarterly reports must detail progress, timing, substantive responses to feedback as to information received via the microsite including taking into account reasonable views. They must also, where relevant, give information on the testing procedures agreed with the CMA.

Finally, there is a cross-cutting obligation not to discriminate against rivals in design, development, and implementation of the Privacy Sandbox, or to use competitively sensitive information, throughout the life of the Commitments.

What does this mean for data protection law?

1. Google has agreed to apply data protection law where relevant. The Criteria speak to “compliance with” data protection law. This means that, if there is such an argument, it should proceed via the application of law.
2. There is an additional reference to “impact on privacy outcomes”. This requires an evidence-based approach. Google is thus prohibited from using vague or unsubstantiated privacy claims. They should proceed via objective evidence.
3. Such improvements are to be weighed against their competitive impact with particular attention to publisher and advertiser interests.
4. Google is required to provide users with a degree of choice and transparency over Personal Data use in its proposals.
5. The non-discrimination obligation means that Google should take a similar approach to its own products and others’ from a data protection perspective, including at the design stage. This is because applying a double standard would violate the non-discrimination obligation. Thus, as Google has cited GDPR in relation to its own First Party Sets, it must also apply the same framework to proposals from others.

Can Google go beyond Data Protection law?

In this framework, it is open to Google to exceed data protection law in its own advertising products. For example, they could use less data than is legally permitted, or require more safeguards than are legally required.

However, this would be only as regards their advertising systems. As regards the browser, there is a serious risk of the competition concerns arising if the browser were used to require others to go beyond what is legally required. This would effectively tie such products to the browser, and other products could not operate even if legally compliant. This would be lost competition even though the law permits their operation.

Can Google require others to go beyond Data Protection law?

Google cannot require others to go beyond Data Protection law unless it is doing so via the agreed framework of the Commitments.

Such a requirement would have to be assessed according to the agreed criteria, notably:

• “Compliance with” the law: whether the competing company complies is an express criterion.
• “Privacy outcomes”: there would need to be substantive evidence of an improvement, to be weighed against any lost competition on a tailored basis with consideration of less restrictive alternatives to achieving the same “outcome” since the result must be “outcome” based.
• There must not be discrimination between Google’s and others’ products, so a broadly similar approach to compliance should be applied to each use case.

This can be thought of as decisions in series:

(1) Is the competing product legally compliant and responsible in terms of “privacy outcomes”?
(2) If so, the competition ought not to be lost or the aim of the commitments will not be fulfilled.

[miketaylr]

We are committed to achieving the purpose of the Privacy Sandbox commitments accepted by the CMA in February 2022. We encourage feedback on how to better achieve that purpose through our technical proposals, and we will report publicly on feedback we receive as set out in the commitments. We are in constant dialogue with the CMA on these issues, and members of the web ecosystem are also welcome to discuss these issues with the CMA. In fact, as previously mentioned by the CMA in public and in its communications to Mr Rosewell, the CMA is the sole public body responsible for monitoring Google’s compliance with the commitments accepted on 11 February 2022 in relation to Google’s Privacy Sandbox proposals. We therefore hope that everyone will understand when we decline to participate in public discussions on legal or internal aspects of compliance with the commitments, or to detail our direct exchanges with the CMA.

[yoavweiss]

Closing as non-technical