EU: The future of surveillance-based advertising | Fieldfisher

EU: The future of surveillance-based advertising



This article was first published by DataGuidance in their Insights section as 'EU: The future of surveillance-based advertising'.

Targeted advertising has been facing increased pressure from civil society and regulators in the past few years. While some have publicly called on authorities to flex their enforcement muscles and better regulate targeted advertising, others are demanding an outright ban. This comes at a time when the whole adtech sector is subject to major technical changes, leaving it in uncertain times.

From 'personalised' ads to 'surveillance-based' ads

The public discourse around advertising has dramatically shifted over the last few years. While online advertising was commonly referred to as 'behavioural', 'personalised', or 'targeted', its opponents now denounce it as being surveillance-based. The term 'surveillance', which has traditionally applied to governments, is now being used in a business context. Surveillance-based advertising refers to the personalised selection and display of ads to a specific user, based on the collection of a large volume of data about that user, ranging from geolocation data to inferred interests. Ads are micro-targeted through cross-device tracking, profiling, the combination of online and offline data, and the matching of datasets.

Ten years ago, the regulators' understanding of adtech was very limited. In fact, the opinion of the European Data Protection Board's predecessor on advertising[1] failed to grasp the existence of all the intermediaries that operate between website or app publishers and advertisers. The reality was – and since then has become – much more complex, with many different types of ad intermediaries.

More recently, regulators have sharpened their understanding of the adtech sector. For instance, the UK ICO launched an investigation into real-time bidding[2], while the French data protection authority ('CNIL') involved its research lab to study the advertising ecosystem and understand its implications for individuals' personal data[3].

Some regulators have expressed their concerns about the adtech sector[4]. They accuse online advertising of many systemic flaws, and in particular, of inherently violating the general principles of data protection, such as the principles of transparency, data minimisation, storage limitation, and confidentiality. Besides privacy concerns, broader issues are also regularly raised, such as discrimination due to underlying biases, misinformation, and manipulation.

Online advertising facing increasing (and yet limited) regulatory scrutiny

Complaints against targeted advertising are piling up and authorities have started opening investigations. A few major sanction decisions have recently called surveillance-based ads into question; however, most of these GDPR decisions touch upon limited aspects of targeted advertising, namely the legal ground used for data processing and transparency requirements.

Other decisions are adopted based on the national implementation of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), for unlawfully using advertising cookies. However, such cookie sweeps only focus on the use of cookies via a publisher's website, which is only the tip of the iceberg. In fact, authorities fail to analyse the underlying data flows between ad intermediaries and subsequent data processing that occurs after the cookie has been dropped.

Overall, recent enforcement actions have not satisfied many of the opponents of surveillance-based advertising.

The DSA: From enhanced transparency and accountability…

The draft DSA[5] specifically intends to address the lack of transparency and the complex functioning of the adtech ecosystem by requiring online platforms to disclose certain information about the ads displayed, to both users and the broader public. Specifically, all online platforms would have to clearly: (i) identify each specific ad shown to users as such; (ii) identify the advertiser; and (iii) share 'meaningful information' about the criteria used to determine the display of the ad (including when this is based on profiling)[6]. On top of that, 'very large online platforms' (i.e. with at least 45 million monthly active users in the EU) would be required to maintain publicly available repositories, which must set out further information, for example for how long the ad was displayed and whether the ad targeted particular groups of users[7]. In other words, transparency would apply on a per-app basis. This means that the process of selecting and displaying ads – which happens in milliseconds – would have to be adjusted to report such information along the advertising chain.

The draft DSA also intends to ensure the accountability of the very large online platforms. In particular, these platforms are required to analyse the significant systemic risks that derive from their services, including how advertisement influences those risks[8] and implement mitigation measures to limit those risks (e.g. limiting the display of ads)[9]. It also leaves some space for self-regulation as it allows for the drafting of industry-wide codes of conduct.

…to a blanket ban?

If the DSA were adopted in its current form, it would significantly impact the adtech sector, even outside of the EU, since it would also apply to service providers established outside of the EU if their users (businesses or individuals) have their place of establishment or residence in the EU. However, the European Commission's ('the Commission') proposal does not go far enough for some members of the European Parliament, who strongly support an outright ban (see for example the 20 MEPs that are part of the Tracking-Free Ads Coalition)[10]. Before the Commission published the draft DSA, the European Parliament passed a resolution to invite the Commission to adopt stricter transparency and accountability rules but also to 'assess options for regulating targeted advertising, including a phase-out leading to a prohibition[11]'. The DSA's rapporteur recently suggested that 'targeted, micro-targeted and behavioural ads' should be switched off by default – unless users give their GDPR consent to it[12]. In any case, platforms should not be allowed to carry out advertising activities that can lead to or create a risk that leads to 'pervasive tracking', which includes 'disproportionate combination of data collected by platforms, or disproportionate processing of special categories of data that might be used to exploit vulnerabilities[13]'.

In its Opinion on the draft DSA[14], the European Data Protection Supervisor ('EDPS') considered that enhanced transparency was not enough and recommended a 'phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking' in view of the privacy risks[15].

The Norwegian Consumer Council ('NCC') reiterated this call by stating that increased transparency cannot fix the inherent flaws of surveillance-based advertising[16]. According to the NCC, a ban is an appropriate preventive measure to force structural changes in this data-driven industry[17]. Nevertheless, it would need to be complemented by effective enforcement of the existing legislative framework (i.e. the GDPR, the ePrivacy Directive[18], and the Unfair Commercial Practices Directive[19])[20].

It is unclear at this stage how the draft DSA will evolve, as discussions are still ongoing within the EU institutions, including in the Council.

In addition, while support for a ban is making the headlines, the adtech industry has started reacting[21] and will necessarily try to make its voice heard during the EU legislative process.

Banning third-party cookies in a cookie-less world?

These developments come at a time when Big Tech companies have made competing announcements to respond to users' demand for more privacy, which have made the future of online tracking more uncertain than ever.

Whilst new forms of online advertising may emerge due to these active market developments, it is unclear at this stage if these new practices will be considered as intrusive or 'pervasive' as the existing advertising model that is causing the calls for an outright ban. Should a ban be adopted, it will necessarily be difficult to draw a distinction between what is and is not 'pervasive' in practice.

[1] See the Article 29 Working Party's Opinion 2/2010 on Online behavioural advertising.
[5] Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, COM/2020/825 final, 15 December 2020, available at:
[6] Ibidem, Article 24 ('Online advertising transparency') and Recital 52.
[7] Ibidem, Article 30 ('Additional online advertising transparency').
[8] Ibidem, Article 26 ('Risk assessment').
[9] Ibidem, Article 27 ('Mitigation of risks').
[11] European Parliament resolution of 20 October 2020 with recommendations to the Commission on a Digital Services Act: adapting commercial and civil law rules for commercial entities operating online (2020/2019(INL)), paragraph 17, available at:
[12] Draft Report on the proposal for a regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, COM(2020)0825 – C9-0418/2020 – 2020/0361(COD), Article 13d(1), 28 May 2021, available at:
[13] Ibidem, Articles 13d(1) and 13d(3).
[14] Opinion 1/2021 on the Proposal for a Digital Services Act, EDPS, 10 February 2021, available at: (see in particular section 3.8 (pages 15 et seq) on online advertising transparency)
[15] Ibidem, paragraph 69.
[16] 'Time to ban surveillance-based advertising, The case against commercial surveillance online', June 2021, ForbrukerRadet, available at:
[17] Ibidem, page 16.
[18] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002.
[19] Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council, OJ L 149, 11.6.2005.
[20] Ibidem, page 4.
[21] See for instance, 'Open Letter On The Digital Services Act (DSA) And Digital Advertising – Signed by Over 45 Industry Players And Major Industry Associations', available at: