
Situation: Do AdTech companies violate the GDPR?

Regulators in Europe face a stream of complaints about companies operating in the field of advertising technologies. We discuss the situation: its causes and potential consequences.








What are the complaints?



The complaints concern RTB (Real-Time Bidding) technology. It is used to auction advertisements and is based on the OpenRTB protocol. Organizations such as IAB, Google, MediaMath and DataXu are involved in its development. To display targeted advertising, the RTB system identifies website visitors by their browsers, social media accounts and cookies. Representatives of large European organizations and universities note that RTB mechanisms violate the requirements of the General Data Protection Regulation (GDPR) and can lead to massive leaks of personal data (PD).

At the end of May, complaints were received by regulators in Spain, the Netherlands, Belgium and Luxembourg. They were sent by representatives of the non-profit organizations Eticas Foundation and Bits of Freedom, as well as the universities of Amsterdam and Leuven.



At the beginning of the year, similar complaints were registered by regulators in the UK, Poland and Ireland. They were sent by the developers of the Brave browser, employees of the University of London and representatives of the Open Rights Group, which works to protect human rights and freedoms in the digital world.



What is wrong with RTB



When a user opens a site page, the RTB system (and similar sites) analyzes their personal data (cookies, etc.) and sends it to hundreds of advertisers. Algorithms on the companies' side then decide whether to show advertising to this person and set a price for displaying a banner. The site visitor sees the banner of the company that offered the highest amount.



Such "auctions" process a huge number of transactions every day. Google's Authorized Buyers system works with 8 million websites and 2 thousand organizations. The second most popular service, AppNexus from AT&T, performs 130 billion transactions with personal data daily. At the same time, according to estimates by The New Economics Foundation, one page can transmit information about the user to 164 more sites (p. 4).



Experts point out that this whole situation contradicts Article 5 of the GDPR. It allows PD to be processed only if the data is reliably protected against loss or compromise. The user must know who uses their data and why. Under current conditions, it is impossible to ensure that these requirements are met.



There are already precedents: in May, Twitter discovered a bug in its AdTech system. The company accidentally disclosed the location of some iOS users via RTB mechanisms (although no sanctions were applied to the company for this violation).








Another problem is the inability to control the content of the behavioral profiles that advertising platforms compile. Some tags that the system "attaches" to users may disclose information that the user did not intend to make public, for example, data on potential health problems. The AdTech industry currently has no mechanisms by which individuals can limit the collection of their data or prohibit its processing, as required by Article 18 of the GDPR.
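To make the concern above concrete, here is an added example (not code from the original article or from any of the companies mentioned) that audits a bid request for personal-data fields and builds a minimized copy before it is broadcast. The field names follow OpenRTB 2.x; the sample request, the list of fields treated as personal, and the coarsening choices are assumptions made for illustration.

```python
import copy
import json
from urllib.parse import urlsplit

# Constructed bid request using OpenRTB 2.x field names; every value is made up.
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "req-0001",
  "site": {"page": "https://example.org/forum/health/thread-42"},
  "device": {"ip": "203.0.113.57",
             "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
             "geo": {"lat": 52.370216, "lon": 4.895168}},
  "user": {"id": "u-7f3a", "buyeruid": "b-19c2",
           "data": [{"name": "constructed-dmp",
                     "segment": [{"id": "s1", "name": "health-interest"}]}]}
}
""")

# Fields treated as personal data here: an assumption for illustration,
# not a legal determination.
PERSONAL_PATHS = ["site.page", "device.ip", "device.ifa", "device.geo.lat",
                  "device.geo.lon", "user.id", "user.buyeruid", "user.data"]

def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def find_personal_fields(req):
    """Dotted paths of the listed personal-data fields present in the request."""
    return [p for p in PERSONAL_PATHS if _get(req, p) is not None]

def minimize(req):
    """Copy of the request with identifiers and segments dropped, the IPv4
    address truncated, coordinates coarsened and the page URL cut to its origin."""
    out = copy.deepcopy(req)
    device, user, site = out.get("device", {}), out.get("user", {}), out.get("site", {})
    device.pop("ifa", None)
    for key in ("id", "buyeruid", "data"):
        user.pop(key, None)
    if "ip" in device:  # IPv4 only in this example
        device["ip"] = ".".join(device["ip"].split(".")[:3] + ["0"])
    for key in ("lat", "lon"):
        if key in device.get("geo", {}):
            device["geo"][key] = round(device["geo"][key], 1)
    if "page" in site:
        parts = urlsplit(site["page"])
        site["page"] = f"{parts.scheme}://{parts.netloc}/"
    return out
```

Running `find_personal_fields` on the constructed request lists all eight paths, including the health-related segment and the page URL that reveals what the visitor was reading.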



What experts say



IAB says that complaints about companies providing AdTech tools only harm the development of the digital industry and are groundless. According to them, the principles of RTB are fully consistent with the GDPR: to meet the requirements of the legislation, the IAB association developed a special framework last year. With its help, site visitors can find out which sites process their personal data. Google uses a list of rules and regulations to protect personal data that are mandatory for the organization itself and its partners working in the field of programmatic marketing.



But at the beginning of the year, an anonymous source at IAB said that the company's management was aware that programmatic advertising violated the requirements of the General Regulation. According to them, fixing the situation is "technically impossible." Lawyers and public figures called this news evidence of numerous violations of European legislation by AdTech companies.



Experts expect that regulators from Spain, Belgium and Luxembourg, who received complaints against RTB this year, will soon begin to issue fines.


Several proceedings are already underway. In May, the Irish regulator launched an investigation into Quantcast. The company is accused of illegally collecting personal data and compiling behavioral profiles. Quantcast representatives, however, say that there are no violations on their part and that all business processes are carried out in accordance with the law. Google is also under investigation over PD leaks in the Authorized Buyers service, and the company runs the risk of getting another fine in the amount of 4% of annual turnover.



What's next



Most likely, the Irish Data Protection Commission and other regulators will acknowledge violations of the GDPR. In addition, measures may be taken at the level of the European Commission, which would complicate the work of AdTech companies throughout the European Union.




Source: https://habr.com/ru/post/457128/


