IAB Europe would like to address the recent complaints filed against IAB Tech Lab's OpenRTB system to data protection authorities in the UK by Open Rights Group executive director Jim Killock and privacy research Michael Veale; in Ireland by Johnny Ryan of ad-blocking browser Brave; and in Poland by Panoptykon Foundation president Katarzyna Szymielewicz. These complaints allege that programmatic advertising using real-time auctions, and specifically the IAB Tech Lab’s OpenRTB protocol, are inherently incompatible with EU data protection law. Moreover, the complaints allege that the mere use of OpenRTB inevitably entailed large-scale, uncontrolled release of users’ personal data without their being aware or able to do anything about it. The complaints also took aim directly at IAB Europe’s Transparency & Consent Framework (TCF), claiming that the TCF facilitates the purported breaches.
These claims are not only false but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream.
Digital Advertising Complying with GDPR.
Most recently, one of the complainants released communications between IAB Europe and the European Commission from April 2017, in which IAB Europe highlighted challenges for the digital media and advertising industry to operate under the proposed combination of GDPR and ePrivacy rules in the context of discussions for an update to said ePrivacy rules. IAB Europe commented that "it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario” -- a circumstance that was true at the time, but has changed since.
The complainants attempt to twist this statement to mean an admission that their claims have merit. However, as the claimants are aware, in the years since this statement was made, IAB Europe has worked with its members making up a cross-section of the media and advertising industry to offer solutions to this challenge by developing and releasing the IAB Europe Transparency & Consent Framework (TCF) in April 2018.
The TCF provides a way to provide transparency to users about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes. IAB Europe’s submission to the European Commission in April 2017 showed that the industry needed to adapt to meet higher standards for transparency and consent under the GDPR. The TCF demonstrates how complex challenges can be overcome when industry players come together. But most importantly, the TCF demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.
The OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time. Data can inform that determination. Like all technology, OpenRTB must be used in a way that complies with the law. Doing so is entirely possible and greatly facilitated by the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules.
The complaints lobbed against OpenRTB and the TCF take the view that their inherent incompatibility with the law stems from a hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes. This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to.
The GDPR does not prohibit processing of personal data, but it sets out the conditions under which processing of personal data is lawful. None of the conditions is the absolute technical impossibility for data to be processed unlawfully. There are many instances in daily life where the law provides for requirements, breaches of which are punished by sanctions after the fact, rather than requiring that breaches are technically impossible even to arise. Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit. Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits.
An online service (such as a website or an app) or an advertising technology company that shares or otherwise processes personal data without a lawful basis to do so, is in breach of the law. Companies who are found to do so will face consequences, such as being subject to enforcement action by data protection authorities, and as a consequence be fined up to 4% of its annual turnover or EUR 20 million (whichever is larger) under the GDPR. Relying on a combination of technical and legal controls, companies processing personal data in connection with online advertising can process personal data in full compliance with the law, just like drivers of automobiles can control their vehicle and prevent it from breaching the law.
IAB Europe has consistently tried to outline the counter arguments and correct information, mentioned above, to the claimants. However, they have consistently chosen to ignore the facts, bringing more inaccurate information to support their case. Their errors of omission could therefore be characterised as either misrepresentations or just fabrications.
For any further press enquiries, please contact
Helen Mussard, Marketing & Business Strategy Director, IAB Europe