Viaccess.Orca SaaS Director of Product Marketing Ludo Rubin takes a look at the potential impact on OTT and online video businesses of the EU General Data Protection Regulation, which is due to come into force on May 25, 2018
Were you aware that your online video and OTT business will face a significant change in less than a year? New data privacy regulations, in particular the EU’s General Data Protection Regulation (GDPR), will come into effect on May 25, 2018, replacing the current EU Data Protection Directive (user-friendly GDPR documentation here).
This will have a significant impact on how data-focused OTT, telco and online content providers operate, as soon as they serve EU customers, whether the provider itself is located inside or outside the EU. For a more readable explanation of the GDPR, have a look at these articles here or here.
These are five of the most important points in the new GDPR data privacy regulation:
- Online identifiers like IP addresses, cookies or device identifiers are now considered personal data and fall within the scope of the GDPR, with which TV and OTT providers must comply (GDPR Art 4 /Recital 30)
They are heavily used in the industry for targeted advertising, content recommendation, analytics and for the video delivery itself. Perhaps more importantly, non-personal data is also considered personal when, combined with other data, it can be used to identify an individual. This is stricter than current regulations.
Personal data collection must still follow existing requirements, especially being limited in time and purpose, while data integrity, accuracy, relevancy and legally justified processing must be ensured. OTT service providers are now accountable for demonstrating compliance with these principles (GDPR Art. 5).
At the same time, the GDPR provides a new opportunity for more relaxed limitations with regard to personal data; this is called pseudonymization. In contrast to anonymization (GDPR Recital 26), where personal data is entirely wiped out so that individuals can no longer be re-identified (although in practice this is not always effective), pseudonymization is a type of partial encryption technique: without the encryption key, personal data cannot be re-linked to a particular individual. Pseudonymization of data enhances security, allows data to be used more freely, and benefits organizations with regard to their compliance obligations under the GDPR (GDPR Art. 4).
We can easily foresee the development of pseudonymization techniques, although precise guidance from the GDPR is missing at this point.
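As an added illustration (not code from the article or from Viaccess-Orca), the following Python sketch pseudonymizes the online identifiers in a constructed viewing record with a keyed HMAC: the same device always yields the same token, so analytics still work, but linking a token back to a device requires the secret key, and a per-purpose label keeps tokens issued for one purpose from being joined with another. All names and sample values are hypothetical, and the key is assumed to be held separately from the data store.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class ViewingEvent:
    """A raw analytics record as an OTT platform might log it (constructed sample)."""
    device_id: str
    client_ip: str
    asset_id: str
    watch_seconds: int


def pseudonymize_identifier(value: str, key: bytes, purpose: str) -> str:
    """Replace an online identifier with a keyed token (HMAC-SHA256).

    The purpose label is mixed into the input so that tokens produced for,
    say, QoE analytics cannot be joined against tokens produced for marketing.
    An unkeyed hash would not do: low-entropy identifiers such as IPv4
    addresses could be re-linked by enumeration without any secret.
    """
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_event(event: ViewingEvent, key: bytes, purpose: str) -> dict:
    """Keep the analytics payload, drop every raw identifier."""
    return {
        "device_token": pseudonymize_identifier(event.device_id, key, purpose),
        "ip_token": pseudonymize_identifier(event.client_ip, key, purpose),
        "asset_id": event.asset_id,
        "watch_seconds": event.watch_seconds,
    }


def reidentify(token: str, candidates: list, key: bytes, purpose: str):
    """Only the key holder can link a token back, and only to identifiers it
    already holds (e.g. its own subscriber database); otherwise None."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize_identifier(candidate, key, purpose), token):
            return candidate
    return None


def unique_devices(events: list, key: bytes, purpose: str) -> int:
    """Analytics on pseudonymized data: count distinct device tokens."""
    return len({pseudonymize_event(e, key, purpose)["device_token"] for e in events})


# Constructed sample data; the key would normally come from a KMS/HSM.
EVENTS = [
    ViewingEvent("device-7f3a", "203.0.113.10", "asset-123", 1820),
    ViewingEvent("device-7f3a", "203.0.113.10", "asset-456", 240),
    ViewingEvent("device-9c01", "198.51.100.7", "asset-123", 3600),
]
```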
- The legal justification of personal data processing is now stricter for OTT service providers (“data controllers”)
In the case of consent given by the customer, it is valid only if customers give it freely, based on clear and specific information for each processing operation needed, and not bundled as it was before.
With consent, OTT service providers must guarantee additional rights for the customers, mainly the right to be forgotten (“withdraw consent”) and the right to data portability (“obtain and reuse personal data for other services”).
The “legitimate interests” justification (GDPR Recital 29), which many OTT service providers rely on, has been narrowed by the GDPR, especially when balancing their rights with children’s rights.
- OTT service providers have higher responsibility over data processing activities performed by their third party suppliers (“Processor”) with specific rules of engagement between them (GDPR/Art 26)
Processors in this case may be a cloud TV platform provider; an Infrastructure-as-a-Service provider such as Amazon AWS, Microsoft Azure or Google Cloud; or any sub-contractor that is processing data for an OTT service provider, for example a marketing agency. This makes outsourcing arrangements more complex, particularly for cloud, and may have an impact on OTT service costs. Note that controllers and processor(s) must now bear higher liability risks for GDPR non-compliance.
After a slow reaction, the big cloud players have started to embrace the GDPR: Google assuring that the Google Cloud platform will be fully compliant, Amazon pledging to be fully compliant for all its AWS services, and Microsoft declaring that Azure and many of its other cloud services will comply. This was expected, but what about the other third parties, especially in the marketing space?
- Artificial Intelligence-based applications are now under scrutiny as automated individual decision making, heavily based on AI and machine learning algorithms, is now more controlled (GDPR/Art 13, 14, 15 and 22)
OTT and TV companies are using AI-based applications for many processes including fraud management, personalized content recommendations, personalized marketing offers, and increasingly for programmatic advertising. They leverage user profiling to predict the piece of content a customer will like the most, the personalized offer that will prevent churn, or the most impactful ad to serve.
The GDPR wants, in particular, to guarantee transparency and equal rights when algorithms operate. Consequently OTT operators are required to obtain explicit consent from customers to collect and process personal data, and be ready to share some information with them about the logic involved and the significance and envisaged consequences of such algorithms.
This may have a significant impact on many AI apps, with strong requirements for non-discriminatory data selection and for the interpretability of such algorithms before and after execution: the explanation must be human-friendly. Self-learning algorithms like deep learning might be the most at risk, as they process new data and existing results without any human intervention, making them opaque. Again, pseudonymization could help, but probably not for all applications.
- Data Privacy is required to be a standard core component of any application or any service - from the start (GDPR Art. 25)
Any service or product must take data protection risks into account from the design phase through its entire life cycle (“Data Protection by Design”). In addition, it must be set by default in a manner that only the minimum personal data is collected and lawfully processed (“Data Protection by default”).
This will have a significant impact on software functionalities, architectures and development processes for any OTT service component. Some of the most obvious examples are that new data and security infrastructure will have to enable pseudonymization; new business logic will need to support the up-to-date rights that are given to customers, and updated customer portals will be required.
Internal training, product and process documentation and extensive audits (data mapping, gap analysis, and impact assessments) will need to be finalized by May 25, 2018. This may be a considerable challenge as suppliers and third party application vendors will all need to be involved at the same time.
Data privacy is now considered an increasingly serious matter by the European authorities. Many other obligations are mentioned in the GDPR. One of them, the 72-hour period to notify the relevant authorities in case of a data breach (look here for some recent cases of data breaches), is worrying many, as businesses would face immediate public damage to their reputations, in addition to inviting compensation claims from the individuals whose data has been stolen.
OTT service providers have to pick up the pace in setting up new processes, technologies and legal procedures in order to be ready on time. “Only 38% of all respondents have a comprehensive plan in place to determine how they will comply with GDPR” was recently mentioned by Compuware, a major IT vendor, in its annual report on GDPR readiness (report here). Businesses, especially OTT service providers, found in violation of the GDPR regulation can expect administrative fines of up to 4% of annual global turnover, or €20 million!
While the GDPR is meant to guarantee transparency and trust between individuals and the businesses they deal with, OTT service providers and their suppliers can take the opportunity of the GDPR to innovate and differentiate, and become true “trusted” partners to their customers.
Ludo Rubin is Director of Product Marketing for Viaccess-Orca (Orange Group), a leading provider of content protection, OTT and TV platform solutions. Ludo has been building, launching and marketing Software/SaaS products for 20 years and still loves it.