Legal battle over online behavioural advertising widening

On the International Data Protection Day, 28 January 2019, Panoptykon Foundation filed complaints against Google and Interactive Advertising Bureau (IAB) Europe under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA), joining the ad auction complaints already being examined in the UK and in Ireland. The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem, in particular the fact that massive amounts of personal data (including sensitive information) are leaked in the real time bidding process.

Context

Every time a user visits a website that is connected with the ad auction ecosystem, his personal data is broadcast in a bid request to tens or hundreds of companies. Bid requests contain categories that reflect what content this particular user was reading or watching, as well as his recent search query. These categories can be benign, such as “bowling” or “gadgets”, but also extraordinarily sensitive.

For example, one category is “IAB7-28 Incest/Abuse Support”. This could enable ad auction companies to target and profile a person as an incest or abuse victim. Other categories relate to sensitive and embarrassing health conditions, religious denomination, sexual orientation, etc. Google runs its own category list, which includes equally sensitive insights such as “eating disorders”, “left-wing politics”, or “scientology”.

Arguments

Complaints focus on the role of Google and the Interactive Advertising Bureau (IAB) as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements. Arguments used by Panoptykon are based on complaints filed in the UK and Ireland in September 2018 by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave

Key facts and observations of the complaints:

• data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads; in particular there are no legal grounds to share sensitive data of internet users, which – in accordance with taxonomies defined by IAB and Google – may be included in bid request;

• companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software;

• users have no access to their data and no tools of controlling its further use by a (potentially unlimited) number of actors;

• those failures are not incidental because they result from the very design of the OBA ecosystem - lack of transparency and the concept of bid request, which, by definition, leads to data "broadcasting".

Responses

In response to the complaint, IAB made a point that it is not in control of personal data that flow through the ad auction ecosystem. Purportedly their role is limited to defining technical protocol, which other companies choose to implement, at their discretion. According to IAB it is the responsibility of these companies to ensure that whatever personal data they pass or receive via the bidstream complies with the particular restrictions of their jurisdiction.

Brave, ORG and Panoptykon are not convinced with this argument. It is true that the technical protocol defined by IAB does not force companies to share personal data of their users but the very task of this protocol is to enable and facilitate the flow of personal data. In fact, the only way for companies to benefit (economically) from joining the ad auction is to provide personal data, as defined by the protocol.

The IAB “AdCOM” specification suggests that personal identifiers “about the human user of the device” are “strongly recommended” to be involved in a bid request. Whilst not technically “required” as defined within the specification, the inclusion of data is said to be “recommended” in bid requests “when their omission would not break the object, but would dramatically diminish its value.”

IAB also purports that its taxonomy has nothing to do, as such, with processing sensitive data of individuals because its only task is to mark up content on the website. Claimants acknowledge that, indeed, IAB and Google taxonomy is used to categorise content. But – they argue in response – when labelled content is used by a person, certain labels stick to this particular user and become his personal data.

There is nothing wrong with categorising content. But while it is acceptable for a library to mark an area with the words "substance abuse", it would not be acceptable for a library to mark a person who enters that section with those words too. Online, these labels about what users read, watch, and listen to can stick to them for a long time.

Prior investigation and report

Prior to making complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by Brave and ORG in their complaints, as well as Johnny Ryan's testimony. Between May and December 2018, Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles.

In most cases companies refused to provide personal data to users based on alleged difficulty with their identification.This argument - made by key players in the OBA ecosystem - confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a "catch 22" situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency).

Along with its complaints, Panoptykon published a report in Polish summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on the Polish market, and evidence collected by sending data access requests.