Google and IAB adtech targeted with more RTB privacy complaints

Another batch of complaints has been filed with European Union data protection agencies urging enforcement action against the adtech industry’s abuse of Internet users’ information to target ads.

The complaints argue that behavioural ads are both harmful and unlawful.

Earlier complaints over the same Real-Time Bidding (RTB) programmatic advertising issue were filed across the EU in 2018 and 2019 but have yet to result in any substantive regulatory action.

Ireland did open a probe into Google’s ad exchange last year. While Belgium’s DPA has been progressing an investigation into a flagship industry tool that’s used for gathering consents to ad targeting — making a preliminary finding of non-compliance in October. But litigation to reach a final verdict on the IAB Europe’s ‘Transparency and Consent’ (TCF) framework won’t take place until next year.

(Related: The UK’s data protection agency is facing a legal challenge over its failure to act on RTB complaints, despite repeatedly expressing concern about the industry’s lawfulness problem.)

Both Google and the IAB continue to deny any problems with their adtech. Last year Google said authorised buyers that use its systems are subject to “stringent policies and standards”. While the IAB Europe rejected the Belgium DPA’s findings — saying its preliminary report “fundamental misunderstand[s]” the TCF tech.

The latest GDPR complaints target how the RTB component of programmatic advertising broadcasts Internet users’ personal data to scores of entities involved in these high speed eyeball auctions — arguing it runs counter to core security requirements in the General Data Protection Regulation (GDPR), as well as being horrible for people’s privacy.

A key principle of the GDPR is security by design and default — with the regulation placing legal requirements on personal data handlers to make sure people’s information is properly secured.

The complaints, which target Google and the IAB in their capacity as RTB standard setters, have been filed by civil society groups in six European countries — namely: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Institute of Information Cyprus.

They’re being coordinated by a consortium led by the Civil Liberties Union for Europe (Liberties), the ORG (Open Rights Group) and the Panoptykon Foundation.

“Real-time bidding, which is the bedrock of the online advertising industry, is an abuse of people’s right to privacy,” said Dr Orsolya Reich, senior advocacy officer at Liberties, in a supporting statement. “The GDPR has been in place since 2018 and it is there precisely to give people a greater say about what happens to their data online.

“Today, more civil society groups are saying enough with this invasive advertising model and are asking data protection authorities to stand up against the harmful and unlawful practices they use.”

The consortium is asking for a joint investigation by their respective national DPAs — and for regulators to join with ongoing adtech investigations in Ireland (into Google’s adtech) and Belgium (into the IAB Europe’s TCF framework).

It’s not clear how far the Irish DPC’s investigation of Google has progressed — but it continues to face criticism for the lack of decisions on cross-border GDPR cases, some 2.5 years after the regulation technically began being applied.

A mechanism in the GDPR means cross-border cases (basically anything related to mainstream consumer tech) get passed to a lead agency to investigate. However other agencies also remain involved, as interested parties, and must agree with any final decision made.

The system has led to a bottleneck of cases in certain EU locations, such as Ireland, where many tech giants base their European HQ. So the concern is this one-stop-shop mechanism is adding an unworkable level of friction to GDPR investigations — delaying decisions and enforcement action so much it risks the entire framework.

The Commission has acknowledged weakness in GDPR enforcement. Most obviously because it’s working on a massive package of new digital regulations. Though its strategy for fixing the enforcement problem is less clear as EU Member States look set to remain responsible for the bulk of this additional oversight, just as they’re responsible for resourcing their own DPAs now. (And yet more complaints have been filed this year accusing European governments of a GDPR resourcing failure.)

Ireland’s DPC is slated to issue its first cross-border GDPR decision in a case that relates to a Twitter security breach very shortly. But last year its commissioner, Helen Dixon, suggested it would come with its first such decisions early in 2020 — so the gap between GDPR expectation and reality is running almost 12 months late at this point.

The consortium filing the latest RTB complaints writes in a press release that while some of the earlier adtech complaints were referred to lead authorities it has no knowledge of “any meaningful cooperation or joint operations between national authorities and the lead authorities”.

“This suggests that cooperation and consistency mechanisms as envisioned in the GDPR are yet to be implemented fully,” the group adds, calling for a joint investigation into the RTB issue because the technology functions in the same way across borders — and “produces the same negative effects in all EU member states”, as they put it.

However it’s not clear how extra joint working — if indeed that’s really what’s being called for — would help to speed up GDPR enforcement. Nor how referring additional complaints to Ireland and Belgium would work to speed up their current investigations.

Most likely, the intent is to keep up pressure on the regulators to act.

Asked about the call for joint working, a Liberties spokesman told us: “The problem is that Google and IAB are big players, standard-setters in the market, and they affect all Internet users. Given the geographical scope of the issues raised in the complaints, we think it’s better for supervisory authorities to act in unison, not to be working alone in their corner. This is why national partners are inviting their national DPAs to refer this complaint to the lead supervisory authorities who are already investigating Google’s and IAB’s compliance with the GDPR.”

Commenting in another supporting statement, Mariano delli Santi, legal and policy officer at the ORG, added: “These new complaints show that the GDPR is working. Individuals are increasingly aware of their rights, and they demand change. Now, it is up to the authorities to support this process, and make sure these laws are properly and consistently enforced against the widespread abuses of the adtech industry.”

At the time of writing, the only extant example of enforcement against a tech giant under the updated regulation was a January 2019 decision to fine Google $57M by France’s CNIL. That investigation was limited to having a national scope, though, rather than being treated as a cross-border case.

Since then Google has shifted its legal base in Europe to Ireland — so now falls under the lead jurisdiction of the DPC.

This arrangement appears to suit big tech, enabling it to avoid the risk of speedier investigations conducted by single Member State agencies acting faster alone. (So it’s very interesting to see TikTok ramping up its business infrastructure and headcount in Ireland — as it’s also now on CNIL’s radar… )

As noted earlier, EU lawmakers have conceded GDPR enforcement has been a weakness thus far.

In a review of the two-year-old regulation this summer the Commission highlighted a lack of universally vigorous enforcement.

Last week the values and transparency commissioner, Věra Jourová, also raised the problem as she set out the bloc’s plan to bolster democratic values against a range of online risks, such as algorithmically amplified or microtargeted disinformation and election interference — acknowledging GDPR alone isn’t enough to fix myriad intersecting tech-fuelled problems.

“[After the Cambridge Analytica scandal] we said that we are relieved that after GDPR came into force we are protected against this kind of practice — that people have to give consent and be aware of that — but we see that it might be a weak measure only to rely on consent or leave it for the citizens to give consent,” she said.

“Enforcement of privacy rules is not sufficient — that’s why we are coming in the European Democracy Action Plan with the vision for the next year to come with the rules for political advertising, where we are seriously considering to limit the microtargeting as a method which is used for the promotion of political powers, political parties or political individuals.”

The European Commission is in the process of drafting an ambitious and interlocking package of digital regulations that it wants to fuel a regional data economy and set firm online rules to engender the necessary trust — and has said it wants this major digital policymaking effort to serve Europe for decades.

But without effective enforcement of its Internet rulebook it’s not clear how the bloc’s digital strategy will deliver as intended.