It’s easy to lose sight of the issue amid the “he said, she said” volley of attacks in the Brave versus IAB Europe battle, but at its heart the case is about the very principle of behavioural advertising.
On Wednesday, 12 September 2018, a complaint was filed to the Irish data protection authority by Dr Johnny Ryan on behalf of Brave concerning the behavioural advertising industry as a whole. The complaint alleges that the practice of real time bidding (RTB) – the system that underpins behavioural advertising – fundamentally breaks data protection law. The complaint refers to specific tables in the technical specifications of the RTB bid request system used by advertising technology companies, and Google’s proprietary RTB system.
In RTB, every time a user visits a website, information about that user is sent to dozens of ad exchange companies or data brokers who in turn send it to potentially hundreds of advertisers. Those advertisers then bid for the ad space and the winner displays its advert to the user. This all happens in microseconds.
The problem, according to Brave, is that since personal data is broadcast to such a large number of companies, in effect the website publisher has no control over what happens to that data. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. The only protection in place is contractual, which Brave says is inadequate. Brave is a secure browser that blocks ads and trackers and effectively helps make its users more anonymous online.
So where does IAB Europe come in? IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Its members are technology and marketing companies. As part of its data protection guidance to those companies, it created the IAB Transparency and Consent Framework.
Ryan contends this framework is “deeply flawed” because it relies on “forced consent to 3rd party tracking” – something that would be illegal under the EU’s General Data Protection Regulation (GDPR).
“It is now clear the advertising industry cannot rely on IAB Europe for GDPR guidance,” said Ryan. “IAB Europe’s own website infringes the GDPR as soon as one visits it.
Since the original complaints, IAB has revised its framework, but Ryan remains unconvinced.
“Transparency and Consent Framework 2.0 does not solve the problems of RTB,” he told CPO. “RTB is a massive data breach. It fails the GDPR at the first test. Consent is not possible because nobody can say where the data in question will end up, or what will happen to them. Consent is a tool of data protection law. But if there is no protection of the data, then consent is irrelevant,” he continued.
“Publishers and advertisers trusted the IAB to provide guidance about the GDPR. It is now abundantly clear that this trust was misplaced. Transparency and Consent Framework has plagued Internet users in Europe, and exposed brands and publishers to legal hazard.”
“In early 2018, mine was a lonely voice warning that the IAB consent framework was unlawful and risky. Now everybody accepts this,” said Ryan.
That’s a big claim. But even if not “everybody” agrees with him, the UK’s data protection watchdog certainly does. Alongside Brave’s case in Ireland, an identical complaint was filed to the Information Commissioner’s Office (ICO) in the UK by Jim Killock of Open Rights Group (ORG).
As a response, in its 30-page report on the adtech industry, the ICO said it had real concerns about real-time bidding. In her foreword to the report, information commissioner Elizabeth Denham described the creation and sharing of personal data profiles on the adtech scale as “disproportionate, intrusive and unfair, particularly when people are often unaware it is happening.”
“We set out our concerns about sensitive data – known as ‘special category data’ in the General Data Protection Regulation – being shared and used without people’s consent. We list our concerns – that one visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered,” wrote Denham, concluding that the industry needs to make improvements to comply with the law.
This “special category data” may pertain to mental health, sexual health, infectious diseases, substance abuse, politics or ethnic identity. The average user has no way of knowing in real time what is being shared or inferred about them by whom.
While the Irish case continues, the UK ICO has said it will carry out another review in six months’ time.
But on 9 August, Brave reported that the Irish Data Protection Commission had informed Ryan that IAB Europe had ignored its questions concerning the complaint.
IAB Europe hit back saying that the claims it refused to respond to the DPC are “false and defamatory.” In an official statement, the organisation said it is in “continuous dialogue with the DPC on a number of different matters and is not refusing to respond to questions.”
“It is in the commercial interests of Brave Software to undermine efforts by its competitors in the online advertising space to comply with data protection law so that it can be perceived as a credible alternative with its publisher funding and advertising products,” added IAB Europe.
While the tit-for-tat war of words continues, users should be concerned that this model is the backbone of the current economic model of the internet – a model that look set to be shaken up considerably in the coming months.