11
They 'rent' space from publishers' web sites to place adverts; they set and/read cookie related
information and, in most cases, collect the IP address and possible other data that the browser
may reveal. Further, the ad network providers use the information gathered on Internet users'
surfing behaviour to build profiles and to select and deliver the ads to be displayed on the
basis of this profile. In this scenario, they clearly act as data controllers.
Regarding publishers:
Publishers, among others, rent out space on their websites for ad networks to place adverts.
They set up their web sites in a way that visitors' browsers are automatically redirected to the
webpage of the ad network provider (which will then send a cookie and serve tailored
advertising). This raises the question about their responsibility vis-à-vis the data processing.
As recently pointed out by the Article 29 Working Party
28
, whether a publisher can be
deemed to be a joint controller with the ad network provider will depend on the conditions of
collaboration between the publisher and the ad network provider. In this context, the Article
29 Working Party notes that in a typical scenario where ad network providers serve tailored
advertising, publishers contribute to it by setting up their web sites in such a way that when a
user visits a publisher's web site, his/her browser is automatically redirected to the webpage
of the ad network provider. In doing so, the user's browser will transmit his/her IP address to
the ad network provider which will proceed to send the cookie and tailored advertising. In
this scenario, it is important to note that publishers do not transfer the IP address of the visitor
to the ad network provider. Instead, it is the visitor's browser that automatically transfers such
information to the ad network provider. However, this only happens because the publisher has
set up its web site in such a way that the visitor to its own web site is automatically re-
directed to the ad network provider web site. In other words, the publisher triggers the
transfer of the IP address, which is the first necessary step that will allow the subsequent
processing, carried out by the ad network provider for the purposes of serving tailored
advertising. Thus, even if, technically the data transfer of the IP address is carried out by the
browser of the individual who visits the publisher web site, it is not the individual who
triggers the transfer. The individual only intended to visit the publisher's web site. He did
not intend to visit the ad network provider's web site. Currently this is a common scenario.
Taking this into account, the Article 29 Working Party considers that publishers have a
certain responsibility for the data processing, which derives from the national implementation
of Directive 95/46 and/or other national legislation
29
. This responsibility does not cover all
the processing activities necessary to serve behavioural advertising, for example, the
processing carried out by the ad network provider consisting of building profiles which are
then used to serve tailored advertising. However, the publishers' responsibility covers the first
stage, i.e. the initial part of the data processing, namely the transfer of the IP address that
takes place when individuals visit their web sites. This is because the publishers facilitate
such transfer and co-determine the purposes for which it is carried out, i.e. to serve visitors
with tailored adverting. In sum, for these reasons, publishers will have some responsibility as
data controllers for these actions. This responsibility cannot, however, require compliance
with the bulk of the obligations contained in the Directives.
28
Opinion 1/2010 on the concepts of "controller" and "processor", adopted on 16.02.2010.
29
The Article 29 Working Party notes that the obligation to inform and other possible obligations may also
derive from general principles of law (law of contracts and torts) as well as consumer protection laws
related to business-to-consumer commercial practices such as Directive 2005/29/EC of the European
Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial
practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC
and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the
European Parliament and of the Council (‘Unfair Commercial Practices Directive’