Google accused of using GDPR to impose unfair terms on publishers

A group of European and international publishers have accused Google of using an incoming update to the European Union’s data protection framework to try to push “draconian” new terms on them in exchange for continued access to its ad network — which many publishers rely on to monetize their content online.

Google trailed the terms as incoming in late March, while the new EU regulation — GDPR — is due to apply from May 25.

“[W]e find it especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms as publishers have now little time to assess the legality or fairness of your proposal and how best to consider its impact on their own GDPR compliance plans which have been underway for a long time,” they write in a letter to the company dated April 30. “Nor do we believe that this meets the test of creating a fair, transparent and predictable business environment of the kind required by the draft Regulation COM (2018) 238 final published 26 April 2018 [an EU proposal which relates to business users of online intermediation services].”

The GDPR privacy framework both tightens consent requirements for processing the personal data of EU users and beefs up enforcement for data protection violations, with fines able to scale as high as four per cent of a company’s global annual turnover — substantially inflating the legal liabilities around the handling of any personal data which falls under its jurisdiction.

And while the law is intended to strengthen EU citizens’ fundamental rights by giving them more control over how their data is used, publishers are accusing Google of attempting to use the incoming framework as an opportunity to enforce an inappropriate “one-size fits all” approach to compliance on its publisher customers and their advertisers.

“Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law,” the coalition of publishers write to Google.

One objection they have is that Google is apparently intending to switch its status from that of a data processor of publishers’ data — i.e. the data Google receives from publishers and collects from their sites — to a data controller which they claim will enable it to “make unilateral decisions about how a publisher’s data is used”.

Though for other Google services, such as its web analytics product, the company has faced the opposite accusation: i.e. that it’s claiming it’s merely a data processor — yet giving itself expansive rights to use the data that’s gathered, rather like a data controller…

The publishers also say Google wants them to obtain valid legal consent from users to the processing of their data on its behalf — yet isn’t providing them with information about its intended uses of people’s data, which they would need to know in order to obtain valid consent under GDPR.

“[Y]ou refuse to provide publishers with any specific information about how you will collect, share and use the data. Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular, and informed consent under the GDPR,” they write.

“If publishers agree to obtain consent on your behalf, then you must provide the publisher with detailed information for each use of the personal data for which you want publishers to ask for legally valid consent and model language to obtain consent for your activities.”

Nor do individual publishers necessarily want to have to use consent as the legal basis for processing their users personal data (other options are available under the law, though a legal basis is always required) — but they argue that Google’s one-size proposal doesn’t allow for alternatives.

“Some publishers may want to rely upon legitimate interest as a legal basis and since the GDPR calls for balancing several factors, it may be appropriate for publishers to process data under this legal basis for some purposes,” they note. “Our members, as providers of the news, have different purposes and interests for participating in the digital advertising ecosystem. Yet, Google’s imposition of an essentially self-prescribed one-size-fits-all approach doesn’t seem to take into account or allow for the different purposes and interests publishers have.”

They are also concerned Google is trying to transfer liability for obtaining consent onto publishers — asserting: “Given that your now-changed terms are incorporated by reference into many contracts under which publishers indemnify Google, these terms could result in publishers indemnifying Google for potentially ruinous fines. We strongly encourage you to revise your proposal to include mutual indemnification provisions and limitations on liability. While the exact allocation of liability should be negotiated by individual publishers, your current proposal represents a ‘take it or leave it’ disproportionate approach.”

They also accuse Google of risking acting in an anti-competitive manner because the proposed terms state that Google may stop serving ads on on publisher sites if it deems a publisher’s consent mechanism to be “insufficient”.

“If Google then dictates how that mechanism would look and prescribes the number of companies a publisher can work with, this would limit the choice of companies that any one publisher can gather consent for, or integrate with, to a very small number defined by Google. This gives rise to grave concerns in terms of anti-competitive behavior as Google is in effect dictating to the market which companies any publisher can do business with,” they argue.

They end the letter, which is addressed to Google’s CEO Sundar Pichai, with a series of questions for the company which they say they need answers to — including how and why Google believes its legal relationship to publishers’ data would be a data controller; whether it will seek publisher input ahead of making future changes to its terms for accessing its advertiser services; and how Google’s services could be integrated into an industry-wide consent management platform — should publishers decide to make use of one.

Commenting in a statement, Angela Mills Wade, executive director of the European Publishers Council and one of the signatories to the letter, said: “As usual, Google wants to have its cake and eat it. It wants to be data controller — of data provided by publishers — without any of the legal liability — and with apparently total freedom to do what they like with that data. Publishers have trusted relationships with their readers and advertisers — how can we get consent from them without being in a position to tell them what they are consenting to? And why should we be legally liable for any abuses when we have no control or prior knowledge? By imposing their own standard for regulatory compliance, Google effectively prevents publishers from being able to choose which partners to work with.”

The other publishers signing the letter are Digital Content Next, News Media Alliance and News Media Association.

We put some of their questions to Google — and the company rejected that it’s seeking additional rights over publishers’ data, sending us the following statement:

Guidance about the GDPR is that consent is required for personalised advertising. We have always asked publishers to get consent for the use of our ad tech on their sites, and now we’re simply updating that requirement in line with the GDPR. Because we make decisions on data processing to help publishers optimize ad revenue, we will operate as a controller across our publisher products in line with GDPR requirements, but this designation does not give us any additional rights to their data. We’re working closely with our publisher partners and are committed to providing a range of tools to help them gather user consent.

A spokesperson for the company also noted that, under GDPR, controller status merely reflects that an involved entity is more than a data processor for a specific service, also pointing out that Google’s contracts define the limits of what can be done with data in such instances.

The spokesperson further emphasized that Google is not asking publishers to obtain consent from Google’s users, but for their own users on their own sites and for the use of ad tech on those sites — noting this could be one of Google’s ad products or someone else’s.

In terms of timing the Google rep added the company would have liked to put the new ad policy out earlier but said that guidance on consent from the EU’s Article 29 Working Party only came out in draft in December, noting also that this continues to be revised.