GDPR grievances are spreading like cumulus clouds across Europe. Next stop: Poland.
On Monday, the Panoptykon Foundation, a digital rights watchdog in Poland, filed a complaint with the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych or UODO), arguing that data used by Google and other ad tech vendors violates the General Data Protection Regulation (GDPR) every time they run a programmatic auction or place a personalized ad.
The complaint also targets the IAB Tech Lab, which sets industry norms around targeting.
Panoptykon points to Article 5 of the GDPR, which states that an entity isn’t allowed to process personal data unless it’s able to protect that data from accidental loss.
The complaint contends that data loss always happens with real-time bidding (RTB). Whenever someone visits a website, that person’s browsing history is appended to a unique identifier and a bid request with that information is broadcast, often without the user’s knowledge, to numerous ad tech companies for the purpose of placing personalized ads.
Some of these data types also appear in the content classification lists curated by Google and the IAB Tech Lab, which the ad tech industry uses to block or target certain content categories.
“You can’t just scatter someone’s data to the wind – and that’s exactly what this is,” said Johnny Ryan, chief policy officer at web browser Brave.
Ryan and two other privacy advocates – Michael Veale, a technology and policy researcher at University College London, and Jim Killock of the UK’s Open Rights Group – were the first to file complaints with privacy regulators in the UK and Ireland last September accusing ad tech companies in general – Google in particular – of committing systematic data breaches under the GDPR every time they place a personalized ad through a programmatic auction.
Panoptykon’s analogous complaint brings Poland, one of the EU’s 10 most populous countries with 38 million people, into the fray.
But Poland is an interesting market to bring this complaint for another reason: The UODO appears ready to dive into the arcane intricacies of ad tech.
Before issuing the complaint, Panoptykon consulted with the Polish data protection authority’s legal and communications teams “to make sure that the people who will be dealing with our complaint have a deep understanding of the problem we are bringing up,” said Katarzyna Szymielewicz, Panoptykon’s president and co-founder.
The purpose of the suits is to trigger an EU-wide investigation into ad auction systems and their impact on user privacy. But if they're successful, it’s not necessarily the end of ad tech.
Companies could correct the problem by removing personal data from the RTB process, Ryan said. If browsing data isn’t appended to tracking cookies and/or other details that could identify a person, the data isn’t personal and you can collect it all day long.
Then there's the ad tech counterargument: Cutting those connections makes the data far less useful.
There’s a line, however, between what’s useful and what’s considered legal under GDPR.
Under GDPR, companies are prohibited from processing certain categories of personal data, like information that reveals a person’s racial or ethnic origin or data concerning someone’s health, sexual orientation or political opinions, except in specific and limited circumstances.
But Google’s current list of targeting verticals includes parameters like “Gay-Lesbian-Bisexual-Transgender,” “Sexually Transmitted Diseases” and “Eating Disorders.” The IAB Tech Lab list includes “Special Needs Kids,” “Cancer” and “Substance Abuse.”
The IAB Tech Lab, however, disagrees with the classification of its classifications, noting in a statement that "the Content Taxonomy, OpenRTB and other protocols are not themselves subject to GDPR, which regulates how organizations use such technologies to process or direct the processing of personal data for specific purposes."
Companies "choose to use IAB Tech Lab's Content Taxonomy and OpenRTB real-time bidding protocols to categorize editorial content, provide relevant advertising, protect brand and consumer safety and more," the Tech Lab said in its statement. "These standards enable media organizations and other businesses to communicate and work with each other in ways that were not possible prior to their release – benefiting consumers who receive content and services as a result. OpenRTB, as with HTTP or Wi-Fi, is a protocol that companies across the world can choose to use pursuant to applicable laws, regulations, and consumer preferences."
Regardless, data regulators in Ireland, the United Kingdom and Poland were all sent copies of the taxonomies as evidence of an additional GDPR violation.
“The way in which data is broadcast to hundreds or thousands of actors shows disregard for the overarching principle of security,” Veale said.
But even if the data was secure, “relying on weak consent mechanisms undermines the strengthened requirements in the GDPR while transferring data to thousands of unknown actions for the purposes of nudging individuals without their knowledge,” Veale said.
On the consent-or-lack-thereof front, Google was recently fined 50 million euros by the French data protection authority for failing to collect valid consent from its users under GDPR. The CNIL based its ruling on complaints filed by two nonprofit groups, La Quadrature du Net and None Of Your Business, which claimed, successfully in the CNIL’s view, that Google doesn’t have a legal basis for processing the personal data of its users.
To mix metaphors, the clouds are gathering and the dominos have started to fall.
“If other DPAs follow this line of GDPR interpretation when dealing with the much less transparent and even more misleading OBA [online behavioral advertising] ecosystem, we have a chance for strong decisions and high fines forcing this market to apply data protection standards,” Szymielewicz said. “This is the result that we hope for.”
Story updated on 1/28/19 at 5:45 p.m. to reflect change from IAB to IAB Tech Lab, and the addition of a statement from the IAB Tech Lab.