Article 16.04.2019 3 min. read Text Image The Polish DPA decided that Panoptykon’s complaints against IAB Europe and Google, who are responsible for the functioning of targeted advertising, have a cross-border character, which means that they affect data subjects residing not only in Poland. In order to ensure a consistent application of the GDPR in the entire European Union, the Polish DPA referred our complaints to DPAs in Belgium and in Ireland where IAB and Google respectively have their European headquarters. This gives hope for a systemic change of how behavioural advertising works in the entire EU. What does it mean? Referring our complaints to DPAs in Belgium and in Ireland means that formally they will be in charge of considering them as the so-called lead authorities. The Belgian DPA has already recognised that it is indeed a lead authority. The Irish DPS, however, has not yet taken its position. The GDPR envisions such a consistency mechanism in cases which may affect data subjects from different Member States. It is surely the case here: real-time bidding concern not only Polish users, but also users from other European countries. Referring the complaints to Belgium and to Ireland doesn’t mean that the Polish DPA’s role ends. First, the Polish DPA will act as an intermediary between Panoptykon and lead authorities and will inform us about all developments. Second, the GDPR obliges the lead authority to cooperate with other DPAs involved. Before the Belgian or Irish DPA issues a decision, it must consult the draft decision with the Polish DPA and take its remarks into account. The Polish DPA will also have a right to raise an objection to the draft decision – if the objection is rejected the European Data Protection Board (comprised by representatives of supervisory authorities from all Member States) will issue a binding decision in the case. What are our complaints about? We complain about the functioning of systems which target ads to users. It happens through a bidding process during which user data is broadcast to hundreds of companies, often without users’ awareness or consent. IAB and Google have the biggest influence on how the entire online advertising ecosystem works – they create rules, issue guidelines and technical specifications. This is why the complaints were filed against them and not against multiple smaller companies which – often due to the lack of any viable alternative – comply with the rules created by IAB and Google. What are the key points of the complaints? Hundreds of companies which take part in real-time bidding have access to users’ personal data, without their awareness or consent. Neither the publisher which initiates the ad exchange or the creators of the systems have control over further use of broadcast data. The user whose data is broadcast to ad exchanges has no access to this data and is cannot enforce his or her rights under the GDPR (e.g. demand rectification or erasure). Data shared with companies within the OBA ecosystem is not necessary for the purposes of targeting ads. This data may also include special category data, such as health, sexual orientation, ethnic origin or political views. We filed our complaints on a symbolic date – 28 January – when we celebrate the European Data Protection Day. On the same day we publish a report in Polish about online tracking and profiling which explains how our behaviour profiles are created, what real-time bidding looks like, and what the consequences are. Text of the complaints (in Polish) Karolina Iwańska Support our fight for online freedom and privacy. Donate! Fundacja Panoptykon Author Previous Next See also Article Limits to harmful surveillance in online advertising? Joint statement ahead of the vote in the European Parliament next week “We don’t have to manipulate our customers or exploit their vulnerabilities to scale up” – European entrepreneurs and social organizations appeal to the MEPs to put an end to invasive and privacy-hostile practices related to surveillance-based advertising and thus open the market to ethical and… 13.01.2022 Text Article Hide and Seek: Polish DPA agrees that people should be able to access their advertising profiles, but there’s no way to do so Following Panoptykon’s General Data Protection Regulation (GDPR) complaint against one of the biggest Polish news website, Interia.pl – the Polish Data Protection Authority has confirmed that online publishers should give users access to their advertising profiles generated for the purposes of… 24.01.2022 Text Article GDPR and online advertising – Panoptykon consults IAB Poland’s code of conduct We have taken part in the public consultations of the draft code of conduct which is supposed to help apply the GDPR to the internet advertising sector. The code was prepared by the Polish office of the Internet Advertising Bureau. 23.10.2018 Text