What Am I?
The General Data Protection Regulation (GDPR) is privacy legislation that brings a great
deal of risk liability for any business or person working with what is defined
as “personal data.” GDPR has raised more questions than it answers, especially
when it comes to the controller-processor relationship. Adding to the
complexity, a party's title constantly shifts based on its activity and
motivation for working with personal data. And no industry has more questions
than the advertising networks that link website publishers renting space on
their sites with advertisers looking to put their ads in front of an audience
to get them to click and find out more about their offers. Operating beneath
this surface is a host of intermediary service providers acting on behalf of
the advertisers to perform bidding services. As data is transferred between the
various parties, serious questions arise around who holds the liability under
GDPR.
Ad Network Overview
On one side you have the website publisher looking to sell advertising
impression space on a website. The publisher is motivated to sell that
impression space to the advertiser willing to pay the highest price. Connecting
publishers to the advertising exchange is the Supply-Side Platform (SSP), where
they can post information about their audience, available impression space, and
terms. The SSP connects publisher inventory to the Demand-Side Platform (DSP),
where advertisers are looking for site space with the highest traffic levels
for their demographic interest segments. Advertisers often contract with Account
Based Marketing (ABM) service providers to monitor space purchasing
opportunities and execute bids. The whole thing takes fractions of a second and
operates as an online auction.

When a publisher posts a bid, they transfer enough information about the
person, content, geo-location, and site category to allow the advertisers or
their ABM agents to evaluate whether they want to bid and define their pricing
thresholds. Much of this information is defined as personal data under GDPR
Recital 30 and other privacy regulations because it contains the visitor's IP
address, geolocation, and potentially cookie identifiers. Because this whole
transaction happens in fractions of a second, the regulatory question becomes
who is the controller and who is the processor.
Controller-Processor Relationship Under GDPR
Under GDPR Article 4(6), a controller is a natural or legal person determining
the “why” and “how” of personal data processing. To process personal data, a
controller must cite a specific lawful purpose for doing so under Article 6.
For the sake of this article, the most common lawful purposes are consent and
legitimate interest as defined under Art. 6(1)(a) and (1)(f). Meanwhile, a
processor is defined under Article 4(8) as the natural or legal person
processing data on behalf of the controller. Controller-processor role
responsibility can change depending on how the parties interact with the data
under their control.

Identifying controllership is subject to a test laid out by Working Party 29 in
Opinion 1/2010 on the concepts of “controller” and “processor”:
- Do they determine the “how” and “why” of processing? This is a factual determination of why the processing is taking place and who initiated it.
- What is the functional relationship between the parties? Under this determination, there are three types of control based on competence: explicit legal competence, implicit competence, and factual influence. Explicit and implicit competence are rooted in a legal right to process and are not applicable to the ad exchange environment. Factual influence is a determination based on a factual review of the circumstances, primarily based on an assessment of the contract between the parties.
- What are the purposes and means of processing? This is a dynamic definition, meaning it can shift, linked to the processing activity. The purpose is defined as “an anticipated outcome that is intended or guides your planned actions”. Means is defined as “how a result is obtained or an endeavor achieved”. Basically, why is the processing happening and what is the role of possible connected actors?
Processors, on the other hand, are subject to a two-part test:
- Are they a separate legal entity with respect to the controller?
- Are they processing data on the controller’s behalf? This is a critical test. Under this analysis, the motivation for processing is assessed by looking into whether they are serving someone else’s interest, that someone being the controller. This determination hinges on a look at the agreement between the parties.

The case law most on point is the Google Spain SL, Google Inc. v Agencia
Española de Protección de Datos (AEPD), Mario Costeja González decision, as it
offers a great application of these tests. Under this decision, Google’s
relationship to the webpages is very similar to that of the ad network parties
listed here, in that Google is an indexing engine whose purpose for processing
personal data is motivated by their interest in providing search engine
services, and the website publishers are motivated to provide access to
personal data. In that relationship, the website owners are a controller and
Google is a processor because they failed the Court’s Article 6, 7, and 8
analysis.
Application
The easiest way to identify which party plays which role is to place lines
between their transactions, relationships, and motivations. The below table is
based on the test laid out by Working Party 29 in Opinion 1/2010 on the
concepts of “controller” and “processor” and Google Spain SL, Google Inc. v
Agencia. Where there is a transition from a processor to a controller, the
Working Party Opinion indicates that this can happen where a processor acts
outside their contractual scope, where the data transfer is for the receiving
party's direct use, or where they contract for a transfer of responsibility.
When it comes to any transfers triggering a controllership status, a separate
Article 6 analysis of lawful purpose is required, as all civil, administrative,
or criminal laws apply and may include personal liability for corporate
executives.