Google and IAB: Knowingly enabling intrusive profiling
On 28 January, EDRi member Panoptykon joined a complaint against Google and the Interactive Advertising Bureau (IAB) in Poland, after it had become clear that the advertising categories provided by these entities enable the processing of extremely sensitive data of European citizens. On 20 February, new evidence was published proving that the IAB had been aware all along of the incompatibility of its systems with the General Data Protection Regulation (GDPR).
The background of the complaints
Besides Panoptykon’s complaint, proceedings have been launched with the national Data Protection Authorities (DPAs) in Ireland by Johnny Ryan of the browser company Brave, and in the United Kingdom by Jim Killock of EDRi member Open Rights Group (ORG), and by Michael Veale of University College London. The complainants agree that the “Real-Time Bidding” (RTB) standards that Google and the IAB define for the online advertising auction industry infringe Article 1(5)(f) of the General Data Protection Regulation (GDPR), because they broadcast highly sensitive personal data to thousands of companies. Bid requests are necessary in order to solicit bids from advertisers for the opportunity to show an ad to a person. However, the complainants argue that this can be accomplished safely with non-personal data. Instead, the IAB and Google standards permit labels such as “cancer”, “sexual health” (IAB), “substance abuse”, “eating disorder”, “right-” and “left-wing politics” (Google) to be broadcast along with unique identifiers and other personal data in bid requests. These data are protected as “special category” personal data in Article 9 of the GDPR.
IAB Europe’s response has been that it merely provides a technical standard, which might or might not be used by its members to violate privacy laws. This statement was immediately countered by the complainants, who said that the IAB cannot claim to be a mere bystander because it organises and encourages a system through which personal data is broadcast billions of times a day without adequate security. The online tracking industry has attracted heavy criticism from civil rights groups in the past for its lobbying against privacy-enhancing technologies, for instance regarding its huge influence on the ePrivacy Regulation and in the context of the implementation of the Do Not Track signal.
The AdTech Lobby’s myths that not even they themselves believe
On 20 February, new evidence was published proving that not even the IAB believes its own public statements regarding the GDPR compliance of its RTB system. Attached to the e-mails disclosed in response to a freedom of information request was a document admitting that it is “technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario” and that that would seem, “at least prima facie, to be incompatible with consent under GDPR”. Furthermore, the documents acknowledge that there is no technical way of limiting the ways in which personal data is used and shared after it has been broadcast to thousands of vendors. This confession is further aggravated by the concrete technical examples of how sensitive the data shared through the system can be, and of the extent to which pseudonymisation (meaning that data is kept separate from identifying elements) is lacking in daily practice.
The evidence shows a surprising openness on the part of the AdTech industry about its likely lack of compliance with the GDPR. However, in light of European case law, the argument that “only” organising the processing of personal data brings no responsibility for the subsequent uses of the system appeared grossly over-simplistic from the start. Two recent decisions by the Court of Justice of the European Union (CJEU) suggest that the IAB’s counter-argument will not hold: Wirtschaftsakademie and Tietosuojavaltuutettu.
Tietosuojavaltuutettu is particularly relevant to the question of Google’s and the IAB’s responsibilities for the use of their RTB standards: the Court ruled that the global Jehovah’s Witnesses community is a joint controller of data processed solely by local member preachers, by virtue of its role as organiser and promoter of these activities. Clearly, this has an implication for the IAB and Google.
It is difficult to foresee an exact timeline for the complaint procedures, but the authorities are expected to act as soon as possible. After all, the complaint concerns the core mechanism that enables the secretive profiling of every single person who sets foot online and the tracking of their private life.
Empowered through GDPR (and hopefully, soon, also by an ePrivacy Regulation), citizens and civil society now have the opportunity to reject the collection, broadcasting and ultimately capitalisation of the most private details of their lives. Surveillance Capitalism is starting to show signs of crumbling.
(Contribution by Yannic Blaschke, EDRi intern)