Article 28.01.2019 3 min. read Text Image On the International Data Protection Day, 28 January 2019, Panoptykon Foundation filed complaints against Google and IAB Europe under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem. The complaints focus on the role of Google and the Interactive Advertising Bureau (IAB) as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements. Arguments used by Panoptykon are based on complaints concerning the same issue by Brave and Open Rights Group (ORG), as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are: data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads; companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software; users have no access to their data and no tools of controlling its further use by a (potentially unlimited) number of actors; those failures are not incidental because they result from the very design of the OBA ecosystem - lack of transparency and the concept of bid request, which, by definition, leads to data "broadcasting". Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by Brave and ORG in their complaints, as well as Johnny Ryan's testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles. In most cases companies refused to provide personal data to users based on alleged difficulty with their identification. This argument - made by key players in the OBA ecosystem - confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a "catch 22" situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency). Along with its complaints, Panoptykon published a report in Polish summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on Polish market, and evidence collected by sending data access requests. Donate to support our work for better privacy and freedom online! Licence: CC BY-SA 4.0 Fundacja Panoptykon Author Topic advertising profiling personal data Previous Next See also Article Limits to harmful surveillance in online advertising? Joint statement ahead of the vote in the European Parliament next week “We don’t have to manipulate our customers or exploit their vulnerabilities to scale up” – European entrepreneurs and social organizations appeal to the MEPs to put an end to invasive and privacy-hostile practices related to surveillance-based advertising and thus open the market to ethical and… 13.01.2022 Text Article Three layers of your digital profile Your online profile is not always built on facts. It is shaped by technology companies and advertisers who make key decisions based on their interpretation of seemingly benign data points: what movies you choose watch, the time of day you tweet, or how long you take to click on a cat video. 18.03.2019 Text Article Discrimination in datafied world Data-driven technologies are not neutral. A decision to collect, analyse and process specific kind of information is structured and motivated by social, economic and political factors. Those data operations may not only violate the right to privacy but also lead to discrimination and oppression of… 10.07.2018 Text