Another series of complaints has been filed with the European Union's data protection authorities calling for enforcement action against the adtech industry's misuse of Internet user information to target advertisements.
The complaints argue that behavioral ads are both harmful and illegal.
Previous complaints about the same real-time programmatic advertising (RTB) issue were filed across the EU in 2018 and 2019, but have not yet resulted in significant regulatory action.
Ireland has opened an investigation for Google Ad exchange last year. While The Belgian Data Protection Agency has launched an investigation into a flagship in the industry that can be used to obtain ad targeting consents. It was provisionally determined that the regulations were not being complied with October. However, litigation to reach a final judgment on the IAB Europe's Transparency and Consent (TCF) framework will not take place until next year.
(See also: UK Data Protection Agency faces a legal challenge for failing to respond to RTB complaints despite repeated concerns about the industry legality issue.)
Both Google and the IAB continue to deny problems with their adtech. Last year, Google said that authorized shoppers using their systems are subject to "strict guidelines and standards." While IAB Europe rejected the results of the Belgian data protection authority, it said in its preliminary report "fundamental misunderstanding (s)" of the TCF technology.
The latest GDPR Complaints are aimed at, like the RTB The programmatic advertising component broadcasts Internet users' personal information to numerous companies involved in these high-speed eyeballs eyes. This goes against the basic security requirements of the General Data Protection Regulation (GDPR) and is terrible for people's privacy.
A key principle of the GDPR is Security by Design and Standard – the regulation places legal requirements on personal data handlers to ensure that people's information is properly protected.
The complaints addressed to Google and the IAB in their capacity as RTB standard setters, were submitted by civil society groups in six European countries – namely: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Cyprus Information Institute.
They are made by a consortium led by the Union for Civil Liberties for Europe (Freedoms) that ORG (Open Rights Group) and the Panoptykon Foundation.
"Real-time bids, which are the bedrock of the online advertising industry, are an abuse of people's right to privacy," said Dr. Orsolya Reich, Senior Advocacy Officer at Liberties, in a supportive statement. “The GDPR has existed since 2018 and is there to give people a better say in what happens to their data online.
"Today, more and more civil society groups are saying enough with this invasive advertising model and calling on data protection authorities to fight back against the harmful and illegal practices they use."
The consortium is calling for a joint investigation by the respective national data protection authorities – and the supervisory authorities – to join the ongoing adtech investigations in Ireland (regarding Google's Adtech) and Belgium (regarding the IAB Europe TCF framework).
It is not clear how far the Irish DPA's investigation has progressed. However, it continues to be criticized because about 2.5 years after the regulation began to be technically applied, no decisions on cross-border GDPR cases were taken.
One mechanism in the GDPR means that cross-border cases (basically anything related to mainstream consumer technology) are referred to a lead authority for investigation. However, other agencies remain involved as interested parties and must agree to any final decision.
The system has created a bottleneck in certain EU locations such as Ireland in cases where many tech giants are headquartered in Europe. So the concern is that this one-stop-shop mechanism is adding an impracticable amount of friction to GDPR investigations – decisions and enforcement actions are delayed so much that the entire framework is at risk.
The Commission has recognized the weakness in enforcing the GDPR. Most obviously because it is working on a huge package of new digital regulations. The strategy to address the enforcement problem is less clear, however, as EU Member States are likely to continue to be responsible for most of this additional oversight, just as they are now responsible for providing their own data protection authorities. (Other complaints were filed this year accusing European governments of failing to obtain GDPR.)
Ireland's DPC is expected to make its first cross-border GDPR decision shortly on a case related to a security breach on Twitter. But last year her Commissioner Helen Dixon suggested that she make her first such decisions in early 2020 – so the gap between GDPR expectations and reality is almost 12 months late at this point.
The consortium filing the latest RTB complaints writes in a press release that while some of the previous adtech complaints have been forwarded to lead authorities, they are not aware of "any meaningful cooperation or joint operations between national authorities and lead authorities".
“This indicates that the cooperation and consistency mechanisms provided for in the GDPR are not yet fully implemented,” the group adds, calling for a joint investigation into the RTB problem, as the technology works in the same way across borders – and “the same produces negative effects in all EU Member States ”as they put it.
However, it is not clear how additional collaborative work – if really needed – would help expedite GDPR enforcement. It would also not work if additional complaints were passed on to Ireland and Belgium to speed up the ongoing investigation.
Most likely, pressure on regulators to act is to be kept on.
When asked to work together, a Liberties spokesman said: “The problem is that Google and IAB are big players and standard-setters on the market and affect all Internet users. Given the geographic scope of the issues raised in the complaints, we think it would be better if the regulators act together and not work alone in their corner. For this reason, the national partners are asking their national data protection authorities to forward this complaint to the lead supervisory authorities, which are already investigating Google and IAB's compliance with the GDPR. "
Mariano delli Santi, legal and political officer of the ORG, commented in a further reason: “These new complaints show that the GDPR works. The individual is increasingly aware of their rights and demands changes. It is now up to the authorities to support this process and ensure that these laws are properly and consistently enforced against the widespread abuses of the adtech industry. "
At the time of writing, the only remaining example of a tech giant's enforcement under the updated regulation was the January 2019 decision to fine Google a $ 57 million fine on the French CNIL. However, this investigation was limited to a national scope and was not treated as a cross-border case.
Since then, Google has moved its legal base in Europe to Ireland – now under the jurisdiction of the DPC.
This regulation seems to be appropriate for large technologies in order to avoid the risk of faster investigations carried out by individual agencies of the Member States acting alone faster. (So it's very interesting to see how TikTok is increasing its business infrastructure and workforce in Ireland – as it is now also on the CNIL radar …)
As mentioned earlier, EU lawmakers have admitted that enforcement of the GDPR has so far been a weakness.
During a review of the two-year-old regulation this summer, the Commission found a lack of generally strong enforcement.
Last week, Commissioner for Values and Transparency, Vera Jourouv, also raised the issue when she set out the bloc's plan to bolster democratic values against a range of online risks such as algorithmically enhanced or microtargeted disinformation and electoral disruption – the recognition of GDPR this alone is not enough to resolve myriad overlapping technical problems.
"(After the Cambridge Analytica scandal) we said we were relieved that after the GDPR went into effect we would be protected from this type of practice – that people had to give their consent and be aware of it – but we see that it could be a weak measure just to rely on consent or leave it to citizens to give consent, "she said.
"Enforcing data protection rules is not enough – that's why we come into the Action Plan for European Democracy with the vision for next year to include the rules for political advertising in which we seriously consider restricting microtargeting as a method of promoting political powers, political parties or political individuals. "
The European Commission is in the process of creating an ambitious and interlocking package of digital rules designed to boost a regional data economy and set firm online rules to build the trust needed – and has stated that these important digital policymaking efforts will serve Europe for decades.
Without effective enforcement of the Internet rulebook, however, it is not clear how the block's digital strategy is to be implemented as intended.