The Polish DPA decided that Panoptykon’s complaints against IAB Europe and Google, who are responsible for the functioning of targeted advertising, have a cross-border character, which means that they affect data subjects residing not only in Poland. In order to ensure a consistent application of the GDPR in the entire European Union, the Polish DPA referred our complaints to DPAs in Belgium and in Ireland where IAB and Google respectively have their European headquarters. This gives hope for a systemic change of how behavioural advertising works in the entire EU.
What does it mean?
Referring our complaints to DPAs in Belgium and in Ireland means that formally they will be in charge of considering them as the so-called lead authorities. The Belgian DPA has already recognised that it is indeed a lead authority. The Irish DPS, however, has not yet taken its position. The GDPR envisions such a consistency mechanism in cases which may affect data subjects from different Member States. It is surely the case here: real-time bidding concern not only Polish users, but also users from other European countries.
Referring the complaints to Belgium and to Ireland doesn’t mean that the Polish DPA’s role ends. First, the Polish DPA will act as an intermediary between Panoptykon and lead authorities and will inform us about all developments. Second, the GDPR obliges the lead authority to cooperate with other DPAs involved. Before the Belgian or Irish DPA issues a decision, it must consult the draft decision with the Polish DPA and take its remarks into account. The Polish DPA will also have a right to raise an objection to the draft decision – if the objection is rejected the European Data Protection Board (comprised by representatives of supervisory authorities from all Member States) will issue a binding decision in the case.
What are our complaints about?
We complain about the functioning of systems which target ads to users. It happens through a bidding process during which user data is broadcast to hundreds of companies, often without users’ awareness or consent. IAB and Google have the biggest influence on how the entire online advertising ecosystem works – they create rules, issue guidelines and technical specifications. This is why the complaints were filed against them and not against multiple smaller companies which – often due to the lack of any viable alternative – comply with the rules created by IAB and Google.
What are the key points of the complaints?
- Hundreds of companies which take part in real-time bidding have access to users’ personal data, without their awareness or consent.
- Neither the publisher which initiates the ad exchange or the creators of the systems have control over further use of broadcast data.
- The user whose data is broadcast to ad exchanges has no access to this data and is cannot enforce his or her rights under the GDPR (e.g. demand rectification or erasure).
- Data shared with companies within the OBA ecosystem is not necessary for the purposes of targeting ads. This data may also include special category data, such as health, sexual orientation, ethnic origin or political views.
We filed our complaints on a symbolic date – 28 January – when we celebrate the European Data Protection Day. On the same day we publish a report in Polish about online tracking and profiling which explains how our behaviour profiles are created, what real-time bidding looks like, and what the consequences are.