IAB Europe hits back over data protection complaints

IAB Europe has responded to recent complaints filed against IAB Tech Lab’s OpenRTB system to data protection authorities in the UK by Open Rights Group executive director Jim Killock and privacy researcher Michael Veale; in Ireland by Johnny Ryan of ad-blocking browser Brave; and in Poland by Panoptykon Foundation president Katarzyna Szymielewicz.

The complainants allege that programmatic advertising using real-time auctions, and specifically the IAB Tech Lab’s OpenRTB protocol, is inherently incompatible with EU data protection law. Moreover, the complaints allege that the mere use of OpenRTB inevitably entails large-scale, uncontrolled release of users’ personal data without them being aware of it or able to do anything about it. The complaints also take aim directly at IAB Europe’s Transparency & Consent Framework (TCF), claiming that the TCF facilitates the purported breaches.

In a statement issued by IAB Europe marketing and business strategy director Helen Mussard, IAB Europe said the claims are “not only false, but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream.”

Most recently, one of the complainants released communications between IAB Europe and the European Commission from April 2017, in which IAB Europe highlighted challenges for the digital media and advertising industry to operate under the proposed combination of GDPR and ePrivacy rules in the context of discussions for an update to said ePrivacy rules. IAB Europe commented that “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario”. This is a circumstance that it acknowledges was true at the time, but has changed since.

IAB Europe said the complainants have attempted to twist this statement to mean an admission that their claims have merit. However, it adds, as the claimants are aware, in the years since this statement was made, IAB Europe has worked with its members making up a cross-section of the media and advertising industry to offer solutions to this challenge by developing and releasing the IAB Europe Transparency & Consent Framework (TCF) in April 2018.

It noted that the TCF offers a way to give users transparency about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes.

It goes on to say that its submission to the European Commission in April 2017 showed that the industry needed to adapt to meet higher standards for transparency and consent under the GDPR. The TCF demonstrates how complex challenges can be overcome when industry players come together. But most importantly, the TCF demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.

IAB Europe’s statement goes on to say that the OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time, and that data can inform that determination. “Like all technology, OpenRTB must be used in a way that complies with the law,” the statement says. “Doing so is entirely possible and greatly facilitated by the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules.

“The complaints lobbed against OpenRTB and the TCF take the view that their inherent incompatibility with the law stems from a hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes. This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to.”

The statement compares the complaint to a driver exceeding the speed limit, making the point that it is not a breach of the law for a car maker to make a car that is capable of exceeding the speed limit. Rather, it is down to the driver to ensure they drive within the law. If not, they will face sanctions, just as any online service that processes personal data without a lawful basis to do so will also face sanctions.

“Relying on a combination of technical and legal controls, companies processing personal data in connection with online advertising can process personal data in full compliance with the law, just like drivers of automobiles can control their vehicle and prevent it from breaching the law,” IAB Europe’s statement says.

It concludes by saying that it has consistently tried to outline the counter arguments and correct information to the claimants, but that they have consistently chosen to ignore the facts. “Their errors of omission could therefore be characterised as either misrepresentations or just fabrications,” the statement concludes.