By: Jim Killock (Open Rights Group), Johnny Ryan (Brave), Katarzyna Szymielewicz (Panoptykon Foundation), Michael Veale (University College London)
We have taken note of media reports regarding an update to complaints made by ad-blocking browser developer Brave and Polish activist group Panoptykon Foundation to a number of European data protection authorities.
In addition to complaints in Ireland and Poland, the IAB should be aware that complaints have also been made to the UK Information Commissioner in this matter, by Jim Killock, Executive Director of the Open Rights Group, and Michael Veale of University College London.
As with previous submissions made by Brave et al., we believe that: (1) the complaints are fundamentally misdirected at IAB Europe or the IAB Tech Lab; and (2) they fail to demonstrate any breach of EU data protection law.
Technical standards developed by IAB Tech Lab are intended to facilitate the effective and efficient functioning of technical online advertising processes, such as real-time bidding. IAB Europe’s Transparency & Consent Framework helps companies engaged in online advertising to meet certain requirements under EU data protection and privacy law, such as informing users about how their personal data is processed. The responsibility to use technologies and do business in compliance with applicable laws lies with individual companies.
The IAB proceed on a misunderstanding of the law and the facts. The complaints detail widespread and significant breaches of the data protection regime, starting with the initial complaints submitted by our legal team, Ravi Naik of ITN Solicitors, with the assistance of a leading QC. Those initial complaints from Sept 2018 have been built on with the further material served on 28 January 2018, Data Protection Day.
Furthermore, the IAB proceed on the basis of an overly restrictive interpretation of how a data controller is defined. Much as Google tried to avoid liability for search before the ECJ, IAB cannot seek to avoid accountability for their own system.
The facts make clear that IAB are a liable controller. IAB defines the structure of the OpenRTB system. Both the IAB and Google structures could – and should – be remedied to have due regard to the rights of data subjects. Whether the structure is so remedied is within the IAB and Google’s control.
The IAB system provides for the inclusion of personal data in the bid request, some of which are very intimate. Indeed, the IAB explicitly recommends the inclusion of personal data in the bid request. For example, it “strongly recommends” that ID codes that are unique to the person visiting a website should be included. It even goes so far as to warn companies using its system that they will earn less money if they do not include these personal data.
The IAB does this in the knowledge that it is unable to exercise any control over what happens to personal data broadcast billions of times a day by its system. An internal IAB TechLab document from May 2018 confirms that “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding” once an ad auction broadcast has been made. The same document notes that “thousands of vendors” receive these data.
The Content Taxonomy Mapping document cited by the complainants does not, as Brave and Panoptykon seem to contend, demonstrate that taxonomies of data types that would qualify as special categories of personal data (and are subject to stricter protections under EU data protection law) are used by individual companies; nor can it be considered to prove or demonstrate that any companies making use of those taxonomies are doing so without complying with applicable EU data protection or other law.
When categorised content is used by a person, the categories stick to that person and become personal data. This helps other players profile "the human using the device", as IAB puts it.
The example bid requests in Google’s developer documentation (Google also uses the IAB RTB standard) speak for themselves. They contain the following personal data: 
pseudonymized user IDs, which can be “matched” against for re-identification,
GPS coordinates (latitude and longitude),
machine and operating system version details,
and categories (“publisher verticals”).
The IAB’s own documentation includes an example bid request that contains the personal data of a young female, using a specific iPhone 6s, reading a loading URL, and with several IDs that allow ad auction companies to identify her. The bid request also shows her GPS coordinates at this instant. (Would a woman on her own on a street at night be comfortable knowing that her GPS coordinates were being sent to random parties?)
The complaints are akin to attempting to hold road builders accountable for traffic infractions, such as speeding or illegal parking, that are committed by individual motorists driving on those roads. Using this analogy, the complainants’ purported finding that EU data protection law is being breached is comparable to someone pointing out that an automobile is technically capable of exceeding the speed limit, or parking in a restricted area, and adducing this fact as “evidence” that it actually does. A technical standard may be misused to violate the law or used in a legally compliant way, just as a car may be driven faster than the speed limit or driven at or below that limit. The mere fact that misuse is possible cannot reasonably be used as evidence that it is actually happening. And the whole purpose of the Transparency & Consent Framework is to ensure it does not.
The IAB has failed to protect people’s data, which are broadcast billions of times a day, using the system that it defines and encourages its members to use. It cannot claim to be a bystander. By defining and promoting the system, it plays a role in determining the purposes and means of how that data is processed. Using IAB’s own metaphor - which presents them as road builders or car producers who cannot be held liable for traffic infractions - it is clear that IAB is the authority that sets the traffic rules for its private roads. It has the responsibility when those rules conflict with the law.
1 “AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018 (URL: https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20BETA%201.0.md).
2 “AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018 (URL: https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20BETA%201.0.md).
3 “Pubvendors.json v1.0: Transparency & Consent Framework”, IAB TechLab, May 2018.
5 “Authorized Buyers Real-Time Bidding Proto”, Google, 23 January 2018 (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).
6 “AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018 (URL: https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20BETA%201.0.md).