Article 28.01.2019 3 min. read Text Image On the International Data Protection Day, 28 January 2019, Panoptykon Foundation filed complaints against Google and IAB Europe under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem. The complaints focus on the role of Google and the Interactive Advertising Bureau (IAB) as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements. Arguments used by Panoptykon are based on complaints concerning the same issue by Brave and Open Rights Group (ORG), as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are: data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads; companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software; users have no access to their data and no tools of controlling its further use by a (potentially unlimited) number of actors; those failures are not incidental because they result from the very design of the OBA ecosystem - lack of transparency and the concept of bid request, which, by definition, leads to data "broadcasting". Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by Brave and ORG in their complaints, as well as Johnny Ryan's testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles. In most cases companies refused to provide personal data to users based on alleged difficulty with their identification. This argument - made by key players in the OBA ecosystem - confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a "catch 22" situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency). Along with its complaints, Panoptykon published a report in Polish summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on Polish market, and evidence collected by sending data access requests. Donate to support our work for better privacy and freedom online! Licence: CC BY-SA 4.0 Fundacja Panoptykon Author Topic advertising profiling personal data Previous Next See also Article Discrimination in datafied world Data-driven technologies are not neutral. A decision to collect, analyse and process specific kind of information is structured and motivated by social, economic and political factors. Those data operations may not only violate the right to privacy but also lead to discrimination and oppression of… 10.07.2018 Text Article Hide and Seek: Polish DPA agrees that people should be able to access their advertising profiles, but there’s no way to do so Following Panoptykon’s General Data Protection Regulation (GDPR) complaint against one of the biggest Polish news website, Interia.pl – the Polish Data Protection Authority has confirmed that online publishers should give users access to their advertising profiles generated for the purposes of… 24.01.2022 Text Article Belgian authority finds IAB Europe’s consent pop-ups incompatible with the GDPR Following a number of complaints filed in 2018 and 2019, including by Panoptykon and Bits of Freedom, and coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority has found that the consent system developed and managed by the adtech industry body IAB Europe, and… 16.02.2022 Text
