On the International Data Protection Day, 28 January 2019, Panoptykon Foundation filed complaints against Google and IAB Europe under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem.
The complaints focus on the role of Google and the Interactive Advertising Bureau (IAB) as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements.
Arguments used by Panoptykon are based on complaints concerning the same issue by Brave and Open Rights Group (ORG), as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are:
- data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads;
- companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software;
- users have no access to their data and no tools of controlling its further use by a (potentially unlimited) number of actors;
- those failures are not incidental because they result from the very design of the OBA ecosystem - lack of transparency and the concept of bid request, which, by definition, leads to data "broadcasting".
Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by Brave and ORG in their complaints, as well as Johnny Ryan's testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles.
In most cases companies refused to provide personal data to users based on alleged difficulty with their identification. This argument - made by key players in the OBA ecosystem - confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a "catch 22" situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency).
Along with its complaints, Panoptykon published a report in Polish summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on Polish market, and evidence collected by sending data access requests.
Licence: CC BY-SA 4.0