On the ground | Privacy and data protection | Data protection standards | Online tracking industry / AdTech

Panoptykon files complaints against Google and IAB

By Panoptykon Foundation (guest author) · January 28, 2019

On the International Data Protection Day, 28 January 2019, EDRi member Panoptykon filed complaints against Google and the Interactive Advertising Bureau (IAB) under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem.

The complaints focus on the role of Google and IAB as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements.

Arguments used by Panoptykon are based on complaints concerning the same issue by EDRi member Open Rights Group (ORG) and Brave, as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are:

  1. data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads;
  2. companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software;
  3. users have no access to their data and no tools for controlling its further use by a (potentially unlimited) number of actors;
  4. those failures are not incidental because they result from the very design of the OBA ecosystem – lack of transparency and the concept of bid request, which, by definition, leads to data “broadcasting”.

Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by ORG and Brave in their complaints, as well as Johnny Ryan’s testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles.

In most cases, companies refused to provide personal data to users based on alleged difficulty with their identification. This argument – made by key players in the OBA ecosystem – confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a “catch 22” situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency).

Along with its complaints, Panoptykon published a report summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on the Polish market, and evidence collected by sending data access requests.

Panoptykon Foundation

Panoptykon files complaints against Google and IAB Europe (28.01.2019)

(Contribution by EDRi member Panoptykon Foundation, Poland)