On 28 January, EDRi member Panoptykon joined a complaint against Google and the Interactive Advertising Bureau (IAB) in Poland, after it had become clear that the advertising categories provided by these entities are enabling the processing of extremely sensitive data of European citizens. On 20 February, new evidence was published proving that the IAB was all along aware of the incompatibility of its systems with the General Data Protection Regulation (GDPR).
The background of the complaints
Besides Panoptykon’s complaint, proceedings have been launched with the national Data Protection Authorities (
IAB Europe’s response has been that it merely provides a technical standard, which might or might not be used by their members to violate privacy laws. Their statement was immediately countered by the complainants, who said that the IAB cannot claim to be a mere bystander because it organises and encourages a system through which personal data is broadcast billions of times a day without adequate security. The online tracking industry has attracted heavy criticism from civil rights groups in the past for its lobbying against
The AdTech Lobby’s myths that not even they themselves believe
On 20 February, new evidence was published proving that not even the IAB is believing their public statements regarding the GDPR compliance of their RTB system. In the e-mails disclosed in a freedom of information request, a document was attached admitting that it is “technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario” and that that would seem, “at least prima facie, to be incompatible with consent under GDPR”. Furthermore, the documents acknowledge that there is no technical way of limiting the ways in which personal data is used and shared after broadcasting it to thousands of vendors. This confession is further aggravated by the concrete technical examples of how sensitive the data shared through the system can be, and to what extent pseudonymisation (meaning data that is kept separate from identifiable elements) is lacking in daily practice.
The evidence presented comes with a surprising openness by the AdTech Industry about its likely lack of compliance with the GDPR. However, the argument that “only” organising the processing of personal data does not bring any responsibility for the subsequent uses of the system appeared grossly over-simplistic from the start, looking at European case law. Two recent decisions by the Court of Justice of the European Union (CJEU) suggest that the IAB’s counter argument will not hold: Wirtschaftsakademie and Tietosuojavaltuutettu.
Tietosuojavaltuutettu is particularly relevant to the question of Google’s and IAB’s responsibilities for the use of their RTB standards: the Court ruled that the global Jehova’s witnesses community is a joint controller of data processed solely by local member preachers, by virtue of its role as organiser and promoter of these activities. Clearly, this has an implication for the IAB and Google.
It is difficult to foresee an exact timeline for the complaint procedures, but the authorities are expected to act as soon as possible. After all, the complaint concerns the core mechanism that enables the secretive profiling of every single person that sets their foot online and the tracking of their private life.
Empowered through GDPR (and hopefully, soon, also by an ePrivacy Regulation), citizens and civil society now have the opportunity to reject the collection, broadcasting and ultimately capitalisation of the most private details of their lives. Surveillance Capitalism is starting to show signs of crumbling.
Panoptykon files complaints against Google and IAB (28.01.2019)
Complaints: Google infringes GDPR’s informed consent principle (05.12.2018)
How the online tracking industry “informs” policy makers (12.09.2018)
Five things the online tracking industry gets wrong (13.09.2017)
(Contribution by Yannic Blaschke, EDRi intern)