Google & IAB Adtech Face New RTB Privacy Complaints

A new wave of complaints has been submitted to data protection authorities across the European Union, requesting they take enforcement measures against the adtech sector’s practices regarding the use of internet users’ data for targeted advertising.
These complaints contend that ads based on behavioral tracking are both detrimental and a violation of the law.
Previous complaints addressing the same Real-Time Bidding (RTB) programmatic advertising concerns were lodged throughout the EU in 2018 and 2019, but have not yet led to any significant regulatory outcomes.
Ireland initiated an investigation into Google’s ad exchange last year, and Belgium’s DPA is currently pursuing an investigation into a key industry tool utilized for obtaining consent for ad targeting – issuing a preliminary determination of non-compliance in October. However, legal proceedings to reach a conclusive judgment on the IAB Europe’s “Transparency and Consent” (TCF) framework are not scheduled until the following year.
(Related: The U.K.’s data protection agency is facing a legal challenge regarding its inaction on RTB complaints, despite consistently voicing concerns about the industry’s legal compliance.)
Both Google and the IAB continue to maintain that there are no issues with their adtech operations. Google stated last year that authorized buyers utilizing its systems are held to “strict policies and standards.” The IAB Europe disputed the Belgium DPA’s conclusions, asserting that its initial report “fundamentally misunderstands” the TCF technology. (Update: The IAB Europe has released a statement concerning the RTB complaints – which can be found at the conclusion of this article.)
The most recent GDPR complaints focus on how the RTB element of programmatic advertising disseminates internet users’ personal data to numerous entities participating in these rapid-paced auctions – arguing that this practice contradicts fundamental security requirements outlined in the General Data Protection Regulation (GDPR), as well as posing a significant threat to individual privacy.
A central tenet of the GDPR is security by design and default – with the regulation imposing legal obligations on those processing personal data to ensure individuals’ information is adequately protected.
The complaints, directed at Google and the IAB in their roles as RTB standard developers, have been filed by civil society organizations in six European nations – specifically: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Institute of Information Cyprus.
These efforts are being coordinated by a consortium spearheaded by the Civil Liberties Union for Europe (Liberties), the ORG (Open Rights Group) and the Panoptykon Foundation.
“Real-time bidding, which forms the foundation of the online advertising industry, represents an infringement on people’s right to privacy,” explained Dr Orsolya Reich, senior advocacy officer at Liberties, in a supporting statement. “The GDPR has been in effect since 2018 and is intended to provide individuals with greater control over how their data is used online.
“Today, an increasing number of civil society groups are demanding an end to this intrusive advertising model and are urging data protection authorities to take a firm stance against these harmful and unlawful practices.”
The consortium is requesting a collaborative investigation by their respective national DPAs – and for regulators to align with ongoing adtech investigations in Ireland (regarding Google’s adtech) and Belgium (concerning the IAB Europe’s TCF framework).
The extent of progress made in the Irish DPC’s investigation of Google remains unclear – but it continues to face criticism for the lack of resolutions in cross-border GDPR cases, approximately two and a half years after the regulation’s technical implementation began.
A provision within the GDPR stipulates that cross-border cases (generally encompassing mainstream consumer technology) are referred to a leading agency for investigation. However, other agencies also remain involved as interested parties and must concur with any final decision reached.
This system has created a backlog of cases in certain EU locations, such as Ireland, where many technology companies have established their European headquarters. Consequently, there is concern that this one-stop-shop mechanism is introducing an impractical level of complexity to GDPR investigations – delaying decisions and enforcement actions to the point where the entire framework is jeopardized.
The Commission has acknowledged shortcomings in GDPR enforcement. This is most evident in its development of a comprehensive package of new digital regulations. However, its strategy for addressing the enforcement issue remains unclear, as EU Member States are expected to continue bearing responsibility for the majority of this additional oversight, just as they are currently responsible for funding their own DPAs. (And further complaints have been filed this year alleging a lack of resources allocated to GDPR enforcement by European governments.)
Ireland’s DPC is expected to issue its first cross-border GDPR decision in a case involving a Twitter security breach in the near future. However, its commissioner, Helen Dixon, indicated last year that the first such decisions would be released in early 2020 – meaning the gap between GDPR expectations and actual outcomes now stands at nearly twelve months.
The consortium submitting the latest RTB complaints states in a press release that while some of the previous adtech complaints were directed to lead authorities, it is unaware of “any meaningful cooperation or joint operations between national authorities and the lead authorities”.
“This suggests that the cooperation and consistency mechanisms envisioned in the GDPR have not yet been fully implemented,” the group adds, advocating for a joint investigation into the RTB issue due to the technology’s uniform operation across borders – and “producing the same negative effects in all EU member states”, as they articulate.
However, it is uncertain how increased collaborative efforts – assuming that is genuinely the intention – would expedite GDPR enforcement. Nor is it clear how directing additional complaints to Ireland and Belgium would accelerate their current investigations.
It is likely that the primary goal is to maintain pressure on the regulators to take action.
When asked about the call for joint working, a Liberties spokesperson explained: “The issue is that Google and IAB are major players, standard-setters in the market, and they impact all Internet users. Given the geographical scope of the issues raised in the complaints, we believe it is preferable for supervisory authorities to act in unison, rather than working independently. This is why national partners are inviting their national DPAs to refer this complaint to the lead supervisory authorities already investigating Google’s and IAB’s compliance with the GDPR.”
Mariano delli Santi, legal and policy officer at the ORG, added in another supporting statement: “These new complaints demonstrate that the GDPR is functioning. Individuals are becoming increasingly aware of their rights and are demanding change. Now, it is up to the authorities to support this process and ensure that these laws are properly and consistently enforced against the widespread abuses of the adtech industry.”
As of the time of writing, the sole instance of enforcement against a tech giant under the updated regulation was a January 2019 decision by France’s CNIL to fine Google $57 million. This investigation was limited in scope to a national level, rather than being treated as a cross-border case.
Since then, Google has relocated its legal base in Europe to Ireland – and now falls under the lead jurisdiction of the DPC.
This arrangement appears to benefit large technology companies, allowing them to avoid the risk of faster investigations conducted by individual Member State agencies acting independently. (Therefore, it is noteworthy that TikTok is expanding its business infrastructure and workforce in Ireland – as it is also currently under scrutiny by CNIL… )
As previously mentioned, EU lawmakers have acknowledged that GDPR enforcement has been a weakness to date.
In a review of the two-year-old regulation this summer, the Commission highlighted a lack of consistently robust enforcement.
Last week, the values and transparency commissioner, Vera Jourova, also raised this issue as she presented the bloc’s plan to strengthen democratic values against a range of online risks, such as algorithmically amplified or microtargeted disinformation and election interference – acknowledging that GDPR alone is insufficient to address the numerous interconnected tech-related challenges.
“[After the Cambridge Analytica scandal] we stated that we were relieved that, following the implementation of GDPR, we were protected against such practices – that people had to provide consent and be aware of it – but we see that relying solely on consent or leaving it to citizens to provide consent may be a weak measure,” she said.
“Enforcement of privacy rules is not sufficient – that’s why we are introducing the European Democracy Action Plan with a vision for the coming year to establish rules for political advertising, where we are seriously considering limiting microtargeting as a method used for promoting political powers, political parties, or political individuals.”
The European Commission is currently developing an ambitious and interconnected package of digital regulations, aiming to stimulate a regional data economy and establish clear online rules to foster the necessary trust – and has stated its intention for this major digital policymaking effort to serve Europe for decades.
However, without effective enforcement of its Internet rulebook, it is uncertain whether the bloc’s digital strategy will achieve its intended results.
Update: Here is the IAB Europe’s statement on the latest RTB complaints:
