Tactics Google and other large online-ad players use in digital ad auctions violate European Union privacy law, investigators for Belgium’s privacy regulator wrote in an internal report, a preliminary finding with implications across the continent.
European privacy regulators are homing in on the electronic auctions that happen in milliseconds to determine which ads show up when you load a webpage. In that time, hundreds of potential advertising bidders can find out information about you, including your location, birthday and whether you have been reading about sexually-transmitted diseases or alt-right politics.
That process constitutes an illegal data breach under Europe’s General Data Protection Regulation, investigators at the Belgian data-protection authority wrote in a new internal report viewed by The Wall Street Journal.
The report focuses on the European arm of the Interactive Advertising Bureau, an online ad trade group that the investigators said is responsible for how its member companies buy, sell and use individuals’ data in digital ad transactions.
IAB Europe is based in Belgium, so the country claims jurisdiction over the group; if that position is upheld by other EU privacy regulators and potentially in court, Belgium’s regulator would have authority over how companies across the EU conduct ad auctions.
That could impact a large segment of the digital ad economy. Some 6.7 billion euros, equivalent to $7.85 billion, were spent last year on real-time, online ad bidding, according to IAB Europe. Global players, including Google—by far the dominant force in online advertising—would have to choose whether to update their sites world-wide to meet the European standard or create a separate approach for Europe.
IAB Europe Chief Executive Townsend Feehan said the complaints that appeared to trigger the probe “contained some gross misunderstandings of the scope and functionality” of IAB Europe’s ad-auction protocol and role in ad auctions.
In a blog post Friday, IAB Europe also disputed the data-protection authority’s interpretation that it is a data controller with respect to member companies that implement its framework. IAB Europe called it “regrettable” that the authority had brought an enforcement action, rather than engaged in dialogue to reform the trade group’s framework.
The report is the product of the data-protection authority’s investigation into complaints submitted by activists led by Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and the Open Markets Institute.
“We are plagued by consent pop-ups, tens of times a day,” Mr. Ryan said. “Supposedly this is to comply with the GDPR, but these findings confirm what I have said for over two years: These pop-ups are a thin legal veneer over a vast data breach.”
The Belgian data-protection authority declined to comment, citing a policy against commenting on active cases.
The report is far from the final word in the case. Belgium’s investigators have forwarded their report to the agency’s so-called litigation chamber as evidence. The litigation chamber will hear the case and could take into next year to issue a decision.
The Belgian agency’s decision will be subject to consultation from its EU counterparts, with any disputes decided by a body comprising the privacy regulators in all 27 EU member states.
Google uses IAB Europe’s framework for auctions it runs to place ads on other companies’ websites, but maintains its own framework for ads on its own properties. Google’s practices for digital-ad auctions is the subject of a separate investigation by Ireland’s privacy regulator because the company’s headquarters are in Ireland.
unit also is under heavy scrutiny in the U.S., where the Justice Department has moved toward bringing a suit against the tech giant and state attorneys general have pursued their own probe.
A core problem the Belgian report identifies in online-ad bidding systems is how they collect personal data in circumstances when a user hasn’t consented to share it. The ad companies use an exemption in the GDPR privacy law that allows collection of personal information in limited circumstances when a company has a “legitimate interest” to do so. The Belgian investigators, however, say that shouldn’t apply to personalized advertising.
The Belgian investigators also took issue with the collection of “sensitive category” data about users—such as race, sexuality, health status or political leaning—without their consent.
The internal Belgian report is the latest step in European regulators’ scrutiny of the digital-ad industry. The U.K. data watchdog issued a warning about real-time bidding in June 2019.
Write to Patience Haggin at firstname.lastname@example.org and Sam Schechner at email@example.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8