Hide and Seek: Polish DPA agrees that people should be able to access their advertising profiles, but there’s no way to do so

Following Panoptykon’s General Data Protection Regulation (GDPR) complaint against one of the biggest Polish news website, Interia.pl – the Polish Data Protection Authority has confirmed that online publishers should give users access to their advertising profiles generated for the purposes of delivering behavioural ads.

The decision confirms that information about people inferred by tracking and profiling algorithms are indeed personal data, subject to all the protections provided by the GDPR. Despite this favourable decision, the website owner has claimed that they are unable to provide the user with their ad categories because they are generated by adtech companies and the website itself does not have access to them. This roadblock points to the wider problem of the digital advertising market: the dominance of advertising middlemen who track and profile people beyond the control of website publishers themselves, let alone that of users.

You should be able to control your digital profile

Panoptykon filed the complaint in January 2019, after an unsuccessful attempt to obtain the advertising profile generated about a user of one of the biggest Polish news websites – Interia.pl. The publisher claimed that it does not create such a profile, despite explicitly gathering consent for installing cookies which track users’ behaviour. In a decision from October 2021 the Polish DPA confirmed that an advertising profile comprised of categories attributed to the user based on the analysis of their online behaviour fulfils the definition of personal data and – following a GDPR access request – should be made available to the user. This ruling is momentous because many internet companies do not treat assumptions related to users’ demographics, interests or personal traits generated by algorithms as personal data.

The sticky web of advertising middlemen

Surveillance-based advertising consists of a system of interconnected intermediaries functioning behind the scenes and beyond the control of users, and – as it turns out – the control of publishers themselves. Website publishers serve as a gateway to this system by collecting ‘consent’ for tracking and profiling for advertising purposes (often without the option to refuse) by so-called ‘trusted partners’ – a myriad of advertising middlemen. Because users don’t know whom their data is ultimately shared with or which identifiers specific companies use to single them out (such as pseudonimised cookie IDs), they are practically unable to challenge this unending tracking. With an advertising system designed to be opaque, the rights granted by the GDPR to access, rectify or delete personal data, remain an illussion.

For these reasons Panoptykon decided that going after individual websites or adtech companies were meaningless. Instead in coalition with other organisations, led by Dr Johnny Ryan from the Irish Council for Civil Liberties, Panoptykon complained against standard-setters that dictate the rules of the game for the whole industry: Google and the Interactive Advertising Bureau (IAB). The latter case will soon be resolved, as the Belgian DPA has already prepared a draft decision, currently submitted for opinion to DPAs in other countries, which is expected to find that IAB Europe violated the GDPR. If this falls through, it could be a true deal-breaker for the toxic online advertising market and a quantum leap towards better protection of online privacy and development of ethical, GDPR-compliant innovations in advertising.

Karolina Iwańska

The article was published in EDRi-gram, 19 January 2022