Data Protection Stories  , Data Protection Stories

Building collective momentum to challenge the ad tech industry

How digital rights orgs are changing the ad tech ecosystem with the help of the GDPR


The Issue

The online ad tech industry is made up of an invasive system of profiling and real-time bidding. Detailed profiles of users built from their browsing history, IP address, and/or location are broadcast in real-time to hundreds of potential advertisers with each visit on the web. Advertisers then bid for ad space based on what they know about the user.

The Role of the GDPR

Representatives from civil society organizations have been filing complaints against ad tech companies to data protection authorities across over a dozen jurisdictions in the EU. These complaints outline the unlawful, large-scale, systemic data breaches that occur with real-time bidding—a clear violation of the GDPR.

Key Takeaways

With parallel complaints in so many countries, there is the potential to create a massive shift in online advertising in the EU. The GDPR has created new avenues for civil society organizations to collaborate and pool their efforts in the fight to advance privacy rights.

Published June 27, 2019

The invasive world of ad tech

Our experience on the Internet today is shaped by an opaque, invasive and quietly booming advertising technology (ad tech) industry. The online advertising industry is built on a system of profiling and real-time bidding. Browser cookies collect information about a user, which, over time, makes up a rich profile about them that can be used to target ads. When a user visits a website with ad space, this detailed profile built from their browsing history, IP address, and/or location is broadcast in real-time to hundreds of potential advertisers, who then bid for ad space based on what they know about the user.

The information contained in user profiles can be quite invasive. In some cases, users are labelled with sensitive categories based on their religious beliefs, ethnicity, sexual orientation, or private health conditions, putting their rights and freedoms—such as the right to freedom from discrimination—at risk. People are typically the targets of such bid requests without their awareness or consent. There is little oversight on how this data is used, and data brokers in this ecosystem are known to use information for other purposes besides targeting ads.

Panoptykon: Investigating Ad Tech in Poland

The way the ad tech industry currently works raises serious privacy concerns, and several digital rights groups have begun exploring how the GDPR—the EU’s General Data Protection Regulation—could change the landscape of online behavioural advertising (OBA) in the EU. One of the teams working on this issue is the Panoptykon Foundation, a Polish privacy rights NGO.

Panoptykon focuses on protecting digital rights in our growing surveillance society. Their Executive Director, Katarzyna Szymielewicz, played an early role in European data protection reform, and the organization was curious to see how this much-awaited legislation might affect, or strengthen, their privacy mission. Following the implementation of the GDPR in May 2018, Panoptykon launched a seven-month investigation into the OBA ecosystem in Poland.

They started their investigation by exploring what information was contained in the user profiles created by ad tech companies, with a particular interest in learning more about the marketing categories people are placed in. Leveraging their right of access (Art. 15) under the GDPR, members of the Panoptykon team sent subject access requests to over twenty online advertising brokers, requesting individuals’ marketing profiles. These brokers operate in notoriously opaque ways, collecting and selling extensive data, but sharing little information about their inner workings. Of the several requests filed, the team received only two partial datasets in return. The others either never responded or refused due to an “alleged difficulty with their identification.”

Under the GDPR, these subject access requests should have been honored. As the responses came in, the Panoptykon team saw how there was no standard for how to respond; the GDPR hadn’t changed anything about how the tech ecosystem operated. They contemplated taking the brokers to court, filing complaints for non-response. Before they had the chance to do so, they were approached by a team from the private web browser Brave.

Teaming up to file complaints against Google and IAB 

While Panoptykon was investigating the ad ecosystem in Poland, other groups in the EU were doing similar work. In September 2018, Dr. Johnny Ryan (Brave), Jim Killock (Open Rights Group), and Michael Veale (University College London) filed simultaneous complaints against several ad tech companies to data protection authorities (DPAs) in the UK and Ireland. Their complaints outlined how ad tech companies, including hugely influential players such as Google and the Interactive Advertising Bureau (IAB), violated the GDPR by broadcasting individuals’ intimate personal data to attract real-time bids from advertisers. Because these broadcasts are not protected against unauthorized access to user data, they constitute a large-scale, unlawful data breach under the GDPR.

After being approached by Brave, Panoptykon joined these complaints, using the GDPR to file complaints against Google and IAB Europe to the Polish DPA in January 2019. The complaint positioned Google and IAB as data controllers, given their role as highly influential players that set standards around how the OBA ecosystem works. The Polish DPA recently decided that Panoptykon’s complaint was a cross-border issue, and referred the complaint to DPAs in Belgium and Ireland, where IAB and Google’s European headquarters are located, respectively. The cross-border nature of the complaint points to the potential for this effort to impact the ad tech ecosystem in the EU more broadly: Ireland’s Data Protection Commission has since opened an investigation into Google, and a decision on whether major players in ad tech like Google will face fines will be made this summer.

Building collective momentum against the ad tech industry 

These complaints now make up part of a wider campaign called Fix AdTech.  In May 2019, parallel complaints were filed to DPAs in Spain, the Netherlands, Belgium, and Luxembourg. These complaints, again, focused on the data breach associated with real-time bidding and were filed by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (Bits of Freedom) and Jef Ausloos (University of Amsterdam), Pierre Dewitte (University of Leuven), and Jose Belo (Exigo Luxembourg), respectively. Earlier this June, the Civil Liberties Union for Europe filed a series of complaints around real-time bidding to DPAs in nine additional jurisdictions. By raising similar complaints in multiple countries, DPAs will be encouraged to cooperate as they interpret the complaints and apply the GDPR.

These complaints are situated in a broader movement of civil society organizations working on addressing various issues in the ad tech industry, including Privacy International, noyb, and the Electronic Frontier Foundation. Given the growing number of parallel efforts, there is the potential to create a massive shift in online advertising in the EU.  Indeed, DPAs are beginning to show responses: the Information Commissioner’s Office in the UK just released a report on real-time bidding last week, highlighting various concerns around the ad tech industry’s failure to comply with the GDPR.

Karolina Iwańska, a lawyer at Panoptykon, says that with complaints in so many jurisdictions, the focus should now be on the European Data Protection Board, which has more power than an individual DPA to set new standards in the EU. Meanwhile, she says it is also important to work on mapping out alternatives to the current ad tech system. The Fix Ad Tech campaign suggests the removal or truncation of personal data as an avenue to make online advertising safer, but Iwańska says that this is just one technical solution that does not address all of ad tech’s current problems. She emphasized that understanding how to create a safer, more secure ad tech industry will not be possible without coordination and cooperation across many stakeholders, including both publishers and advertisers.

Though it is too early to say to what degree changes in data protection legislation will transform the ad tech ecosystem, the Fix Ad Tech campaign highlights how the GDPR has created new avenues for civil society organizations to pool their efforts strategically in the fight to advance privacy rights.