Go to the profile of Commission Factory
May 28, 2018 · 12 min read

GDPR: What It Means for Affiliate Marketing in APAC

GDPR has been a hot topic for some time and now it is finally upon us. But what do the regulations mean for those of us outside of the EU?


We've all heard of GDPR by now and if not, it's the reason you've been getting so many emails about privacy policy updates - most of which in themselves have been unnecessary if not illegal. But in an effort to stay compliant companies are going over and above to ensure they don't get into trouble.

Whilst the GDPR is focused on citizens of the EU it may have far reaching implications for Australian retailers, affiliates and networks. If you are doing business in the EU or if your business processes personal information of individuals in the EU then you need to ensure that your business complies with the new regulations.

What is the GDPR?

The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will take effect on 25 May 2018 and imposes strict obligations on businesses in relation to governance, consent, profiling and data portability.

The GDPR includes requirements that resemble those in the Australian Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services.

The GDPR is designed to empower EU consumers and their rights about how their data may be used. For digital industries such as our own and that of online retailers this takes on heightened importance because the definition of what is considered personal data has been expanded to include anything that can single out an individual but isn’t necessarily overtly personally identifiable. So, while an email address is obviously personal data, the scope also includes pseudonymous identifiers such as an IP address or order ID.

In order to process this data, businesses will need to choose a legal basis, of which there are six.

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interest
  5. Public Task
  6. Legitimate Interest

For some companies it will be obvious but for many digital marketing companies they will need to typically pick either ‘consent’ or ‘legitimate interest’.

Commission Factory is using legitimate interest as a legal basis for processing data.

Does the GDPR Affect My Business?

Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:

  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.

The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU. Generally speaking, a controller says how and why personal data is processed and a processor acts on behalf of the controller.

Where a business has ‘an establishment’ in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.

The GDPR also applies to the data processing activities of processors and controllers outside the EU, regardless of size, where the processing activities are related to:

  • offering goods or services to individuals in the EU (irrespective of whether a payment is required)
  • monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU

Australian businesses that may be covered by the GDPR include:

  • an Australian business with an office in the EU
  • an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
  • an Australian business whose website mentions customers or users in the EU
  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

Comparison Table

  EU GDPR Australian Privacy Act
Who does this apply to? Data processing activities of businesses, regardless of size, that are data processors or controllers Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
What does it apply to? Personal data – any information relating to an identified or identifiable natural person: Art 4(1) Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable: s 6(1)
Jurisdictional link Applies to data processors or controllers:
  • with an establishment in the EU, or
  • outside the EU, that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU: Art 3
Applies to businesses:
  • incorporated in Australia, or
  • that ‘carry on a business’ in Australia and collect PI from Australia or hold PI in Australia: s 5B
Accountability and governance Controllers generally must:
  • implement appropriate technical and organisational measures to demonstrate GDPR compliance and build in privacy by default and design: Arts 5, 24, 25
  • undertake compulsory data protection impact assessments: Art 35
  • appoint data protection officers: Art 37
APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to enable complaints: APP 1.2

Businesses are expected to appoint key roles and responsibilities for privacy management and to conduct privacy impact assessments for many new and updated projects
Consent Consent must be:
  • freely given, specific and informed, and
  • an unambiguous indication of the data subject's wishes which, by a statement or by a clear affirmative action, signifies agreement to processing: Art 4(11)
Key elements:
  • the individual is adequately informed before giving consent, and has the capacity to understand and communicate consent
  • the consent is given voluntarily
  • the consent is current and specific: OAIC’s APP GLs
Data Breach notifications Mandatory DBNs by controllers and processors (exceptions apply): Arts 33-34 From 22 February 2018, mandatory reporting for breaches likely to result in real risk of serious harm
Individual rights Individual rights include:
  • right to erasure: Art 17
  • right to data portability: Art 20
  • right to object: Art 21
No equivalents to these rights.
However, business must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose: APP 11.2. Where access is given to an individual’s PI, it must generally be given in the manner requested: APP 12.5
Overseas transfers Personal data may be transferred outside the EU in limited circumstances including:
  • to countries that provide an ‘adequate’ level of data protection
  • where ‘standard data protection clauses’ or ‘binding corporate rules’ apply
  • approved codes of conduct or certification in place: Chp V
Before disclosing PI overseas, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information: APP 8 (exceptions apply). The entity is accountable for a breach of the APPs by the overseas recipient in relation to the information: s 16C (exceptions apply)
Sanctions Administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher): Art 83  Powers to work with entities to facilitate compliance and best practice, and investigative and enforcement powers: Parts IV and V

How will this affect the affiliate industry?

We do not anticipate this update to the GDPR will effect affiliate marketers or online retailers adversely and is largely a move to formulate and regulate data protection laws that have existed for a number of years already.

For Commission Factory and our affiliates the nature of the personal data processed is non-sensitive and largely technical and unlike other channels that make use of personal data to build consumer profiles and behaviours to target through ads.

By stating our data collection legal basis as "Legitimate Interest" we are attempting to minimise the burdens of compliance for our publishers and we do not need to ask publishers to obtain any Data Consent for us.

For affiliates that do not operate, market or collect information in the EU or it's residents it is not feasible to require consent. EU residents accessing a website outside of the EU is not under your control. Simply being able to access your site from the EU is not enough to establish that it is doing business in the EU and the level of engagement is a factor.

Make sure you have contact details where individuals can contact you with privacy related queries. Controllers and processors must, in certain circumstances, appoint a data protection officer to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures. It has been described as a ‘privacy champion’ role that includes the role of a business advisor on the responsible and innovative use of personal data. This was already a requirement under Australian Privacy Protection laws and should be implemented regardless.

Is Commission Factory a Controller or Processor?

Commission Factory much like our partner Awin and after legal counsel have opted ourselves as a joint data controller with the Advertisers and Publishers. This is not to say that this position is the same with all affiliate networks as some have opted for the position of processor and every business that handles data must decide what role they play in the processing of that data.

Commission Factory is a Controller because we have decided the economic model and jointly make decisions with our affiliates on what data to process to deliver the advertiser’s affiliate marketing campaign.

Which route you take can be determined by asking "How" and "Why". If you as a digital marketing company decide "Why data should be processed" and "How it should be processed to achieve the intended purpose", or potentially both, then you fall under the definition of a "Controller".

A Processor does not determine the How and Why and can make limited decisions about how to go about processing data for the purposes determined by the controller.

In the affiliate marketing model the Advertiser will always fall under the Controller status. This is because only they can decide ‘why’ to process data and make decisions such as "Lets participate in affiliate marketing and pay for referred sales in return for a commission".

The reason for not choosing the route of a Processor stems from the impracticalities that are associated with it. For example if Commission Factory or our affiliates were to try to work within the constraints of a data processor role, we would need to get any new data processing approved by each respective advertiser in advance every time. We would also require written instruction from Advertisers each time they would like to make use of bug fixes, updates, upgrades, or additional features of our products or services. This would be burdensome.

Because Commission Factory is a pureplay affiliate network, we use limited personal data for tracking referrals to advertiser websites, the consequent transactions and our reporting, but we never reuse this data to build behavioural user profiles or for other marketing purposes. We also don’t collect any other data for:

  1. Building behavioural user profiles
  2. Behaviourally retargeting
  3. Marketing for any other purposes

By avoiding this type of processing, we can rely on legitimate interest to justify processing and avoid requirements for Data Consent from publishers or advertisers to legally track transactions.

What now?

Whilst the GDPR is predominantly an EU directive and data protection act it is still prudent to ensure that you are covered and seek advice on what your obligations are.

Given some of the similarities with the Privacy Act and the GDPR, Australian business may already have some of the measures in place required by the GDPR. Despite this, it is essential to ensure you evaluate all your practices and governance structures in light of the GDPR regulations and seek legal advice where necessary to ensure strict compliance.

From our standpoint as a network we will be rolling out optional consent tools and adding cookie consent to all of our websites for data brevity but Publishers are free to obtain consent in whichever way they see fit.

Some affiliate remuneration models such as cashback and reward publishers, may not need a Cookie Consent for affiliate cookies because affiliate cookies are necessary for a cashback or rewards-based type of service to work.

Did you enjoy this article? Don’t forget to share.