Article 28.01.2019 3 min. read Text Image On the International Data Protection Day, 28 January 2019, Panoptykon Foundation filed complaints against Google and IAB Europe under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem. The complaints focus on the role of Google and the Interactive Advertising Bureau (IAB) as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements. Arguments used by Panoptykon are based on complaints concerning the same issue by Brave and Open Rights Group (ORG), as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are: data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads; companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software; users have no access to their data and no tools of controlling its further use by a (potentially unlimited) number of actors; those failures are not incidental because they result from the very design of the OBA ecosystem - lack of transparency and the concept of bid request, which, by definition, leads to data "broadcasting". Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by Brave and ORG in their complaints, as well as Johnny Ryan's testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles. In most cases companies refused to provide personal data to users based on alleged difficulty with their identification. This argument - made by key players in the OBA ecosystem - confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a "catch 22" situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency). Along with its complaints, Panoptykon published a report in Polish summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on Polish market, and evidence collected by sending data access requests. Donate to support our work for better privacy and freedom online! Licence: CC BY-SA 4.0 Fundacja Panoptykon Author Topic advertising profiling data protection Previous Next See also Article Hide and Seek: Polish DPA agrees that people should be able to access their advertising profiles, but there’s no way to do so Following Panoptykon’s General Data Protection Regulation (GDPR) complaint against one of the biggest Polish news website, Interia.pl – the Polish Data Protection Authority has confirmed that online publishers should give users access to their advertising profiles generated for the purposes of… 24.01.2022 Text Article GDPR and online advertising – Panoptykon consults IAB Poland’s code of conduct We have taken part in the public consultations of the draft code of conduct which is supposed to help apply the GDPR to the internet advertising sector. The code was prepared by the Polish office of the Internet Advertising Bureau. 23.10.2018 Text Article Three layers of your digital profile Your online profile is not always built on facts. It is shaped by technology companies and advertisers who make key decisions based on their interpretation of seemingly benign data points: what movies you choose watch, the time of day you tweet, or how long you take to click on a cat video. 18.03.2019 Text
