A war of words – in the form of automotive analogies – has erupted between privacy advocates and the Interactive Advertising Bureau over a General Data Protection Regulation (GDPR) complaint filed over ad exchanges.
The complaint alleged information slurped on internet users and processed through Real-Time Bidding (RTB) systems was "highly intimate" and improperly protected as it is transmitted to advertisers.
The two systems named in the complaint, filed with three data protection agencies, are the Interactive Advertising Bureau's (IAB) openRTB and Google's Authorized Buyers.
But the IAB has hit back, saying that the complaint is "fundamentally misdirected" at IAB Europe, likening it to holding road builders accountable for people speeding or parking illegally.
It also claimed the challenge fails to demonstrate a breach in European data protection law, but rather finds only that it is possible to use its system to break that law.
Shortly afterwards, the complainants – the Open Rights Group, privacy researcher Michael Veale, Brave browser bod Johnny Ryan and Katarzyna Szymielewicz of the Polish group Panoptykon Foundation – issued their own rebuttal.
They argued that the IAB was trying to wiggle out of being classed as a data controller, but that it has responsibilities for the systems it defines and promotes.
"Using IAB's own metaphor... it is clear that IAB is the authority that sets the traffic rules for its private roads," the group said.
In its statement, the IAB took issue with two aspects of the complaint. First is that it shouldn't be the one on the receiving end of the challenge.
Its argument is that the technical standards it draws up for RTB systems are to "facilitate" online advertising processes only. Its Transparency & Consent Framework aims to help companies meet legal requirements – but the responsibility to comply "lies with individual companies".
"A technical standard may be misused to violate the law or used in a legally compliant way, just as a car may be driven faster than the speed limit or driven at or below that limit," it said.
"The mere fact that misuse is possible cannot reasonably be used as evidence that it is actually happening. And the whole purpose of the Transparency & Consent Framework is to ensure it does not."
Gripe to UK, Ireland, Poland: Ad tech industry inhales, then 'leaks' sensitive info on our health, politics, religionREAD MORE
However, the complainants countered that the IAB was taking an "overly restrictive interpretation of how a data controller is defined" and that it "cannot seek to avoid accountability" for its own system.
"IAB are a liable controller. IAB defines the structure of the OpenRTB system. Both the IAB and Google structures could – and should – be remedied to have due regard to the rights of data subject. Whether the structure is so remedied is within the IAB and Google’s control," the group said.
Ryan told El Reg earlier in the week that ad auctions could operate safely if the companies removed personal data – which includes unique user IDs, latitude and longitude and postcodes – from bid requests.
At the moment, the IAB "strongly recommends" such information is included and, the complainants said, does so "in the knowledge that it is unable to exercise any control over what happens to personal data broadcast billions of times a day by its system".
The second issue the IAB has with the complaint is related to fresh evidence submitted earlier this week, which relates to the lists of categories that people are lumped into.
Some of these, it said, constitute special category data – which require greater protections – as they refer to health conditions, religion and sexual preferences.
But the IAB said this doesn't show that individual companies actually use the taxonomies of data that would qualify as special category data.
"Nor can it be considered to prove or demonstrate that any companies making use of those taxonomies are doing so without complying with applicable EU data protection or other law," IAB Europe said.
"The complaints are akin to attempting to hold road builders accountable for traffic infractions, such as speeding or illegal parking, that are committed by individual motorists driving on those roads.
"The complainants' purported finding that EU data protection law is being breached is comparable to someone pointing out that an automobile is technically capable of exceeding the speed limit, or parking in a restricted area, and adducing this fact as 'evidence' that it actually does."
The complainants, though, insisted that the data is "broadcast billions of times a day" through the IAB's system and that "it cannot claim to be a bystander".
"By defining and promoting the system, it plays a role in determining the purposes and means of how that data is processed," they said. "It has the responsibility when those rules conflict with the law."
Ultimately, the decision will come down to the three data protection agencies – in the UK, Ireland and Poland – considering the challenges. ®