Strategising on GDPR complaints to take on the AdTech industry

By Martha Dark, 30th April 2019

The Digital Freedom Fund recently hosted a two-day strategy meeting in Berlin. Attended by 48 lawyers, activists and change makers from across Europe, it was a fantastic opportunity to collaborate, strategise and plan around ongoing and planned litigation. DFF played an important role in bringing this group of people together and in designing an agenda focused on assisting collaborative efforts to bring effective digital rights litigation across Europe.

The meeting was participant led and outcome driven. Attendees had the opportunity to ‘pitch’ their work or idea around digital rights litigation to the other participants and NGOs present. I had the pleasure of attending and didn’t wait long to make the most of this meeting structure.

My colleague at Open Rights Group, Jim Killock, is one of the complainants in ongoing complaints before multiple European Data Protection Authorities. These complaints have been made against Google and others in the AdTech sector, and concern the huge, ongoing data breaches that affect virtually anyone who uses the Internet.

What is the issue? When you visit a website and you are shown a “behavioural” ad on a website, your personal data (this can be what you are reading or watching, your location, your IP address) is broadcast to multiple companies. These websites do this to solicit potential advertisers’ bids for the attention of the specific individual visiting the website – so they share this data widely. This all happens in the moment that it takes for your webpage to load and this is known as a ‘bid request’.

The problem is that this system constitutes a data breach. This broadcast/bid request does not protect an Internet user’s personal data from unauthorized access. Article 5(1) of the General Data Protection Regulation (GDPR) requires personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” Some of these companies are failing to protect the data in line with this legal principle/obligation.

So far Jim and his co-complainants have brought complaints before the UK Information Commissioner’s Office (here) and the Irish Data Protection Commission (here) about the practice described above.

Given this issue is far wider reaching than the UK and Ireland, and impacts Internet users on a global scale, the team are looking to partner with organisations that might bring co-ordinated complaints before Data Protection Authorities in certain jurisdictions. The strategy meeting, hosted by DFF, provided the opportunity to discuss the possibility of multiple complaints with lawyers and experts from across Europe.

The Poland-based Panoptykon Foundation has already brought a similar complaint to the Polish Data Protection Authority. Katarzyna Szymielewicz (President of The Panoptykon Foundation) also attended the strategy meeting and we were grateful for the opportunity to hold sessions and side meetings there with the aim of engaging with other potential partners from across Europe who may also be interested in joining our efforts to raise this issue effectively before a number of Data Protection Authorities. 

At the strategy meeting, Katarzyna held a series of fifteen-minute lightning talks on how the real time bidding process works, how it fails to comply with the GDPR and what the most concerning data protection issues are arising from it. Since the strategy meeting we have entered into conversations with multiple NGOs across Europe and we are exploring working together to bring further complaints across the continent.

The DFF meeting was a fantastic opportunity for us to move our work forward effectively in order to get the input of our colleagues and to build stronger litigation with the community.

About the author: Martha Dark is Chief Operating Officer of the UK based NGO Open Rights Group.