The Brave complaint and the ICO Update report into adtech and real time bidding

James Castro-Edwards, partner at Wedlake Bell LLP, looks at the ongoing complaint raised by the operators of the Brave browser against Google's alleged data protection violations

On 18th June, lawyers for the privacy-focussed Brave browser urged the Information Commissioner's Office (ICO) to join forces with the Irish data protection authority in its investigation of Google's alleged data protection violations.

This is the latest development in an ongoing complaint, launched last September in which Brave claims that Google's online advertising activities breach the GDPR.

In response to Brave's complaint (among others) on 20th June the ICO published its Update report into adtech and real time bidding.

The report explores the ‘behind the scenes' use of personal data that takes place in relation to adtech, which is controversial from a data protection perspective because of its large scale and complexity, and because individuals will frequently be unaware that it is taking place.

RTB and Adtech

The report focusses on two particular areas of online advertising; adtech and real-time bidding (‘RTB'). Adtech is a generic term for analytics and management tools that enable advertisers to identify target audiences and serve them with personalised advertisements.

The process includes collecting personal data about web visitors to build up a detailed profile of their preferences and interests. RTB is the process whereby advertisers bid for specific words or phrases that will appeal to their target audience.

Most internet users will have been - often unknowingly - part of this process, when they visit a site (e.g. a news or social networking site or online game) where they are served advertisements for products or services that have been tailored to their profile.

This ‘hidden personalisation' involves monitoring individuals' preferences in order to build up a detailed picture; however, individuals may have little idea of what is going nor any choice or control over how their personal data are used.

Concerns

The report identifies the following specific areas of concern:

1. The difficulty in establishing a lawful basis.

2. Unclear website privacy notices that do not fully explain the process to affected individuals.

3. Disproportionate, intrusive and unfair building and sharing of individuals' profiles, of which affected data subjects will be largely unaware.

4. RTB / adtech participants do not appear to fully understand their obligations under applicable law.

The ICO also expressed concern about the reliance on contractual agreements to protect personal data that has been collected, given the volume of personal data and the number third parties involved.

Implications for business

A fundamental aim of the GDPR is to give data subjects choice and control over how their personal data are used.

However many if not the majority of internet users are completely unaware that online advertising activities such adtech and RTB are taking place, let alone able to exercise any choice or control over how their personal data are used.

The ICO's investigation of the complex and pervasive online advertising ‘ecosystem' is in its early stages, but looks set to continue for some time and to involve other European data protection authorities.

Given the scale of the investigation and the findings to date, it seems likely that substantial changes to the way businesses may lawfully use online advertising techniques will follow. Operators in the online advertising sphere and users of their services should take stock of their activities and watch this space for developments.

James Castro-Edwards is a partner at Wedlake Bell LLP, and leads the firm's outsourced data protection officer service, ProDPO