It has been recently reported by the Belgian Data Protection Authority (“BGDA”), that the system of online tracking that is used by Google is prone to General Data Protection Regulation (“GDPR”) violations. The system, better known as Transparency and Consent Framework (“TCF”), was introduced by the Interactive Advertisement Bureau (“IAB”) and is used to track online advertising on websites. However, the BGDA stated that the system allows various firms and data controllers to exchange sensitive information about subjects or people, even in the absence of a proper consent framework. The premise of this alert has been taken by complaints filed with the BGDA regarding violations of GDPR by the usage of the TCF.
Background
Various advertising technology or ad-tech companies use a system known as Real-Time Bidding (“RTB”), through which such ad-tech companies are able to broadcast the data of various individuals to gather bids from potential advertisers, post which such individuals are shown advertisement according to their ‘behaviours’ on a particular website. For example, the data may relate to a specific community of people or a location that is then used to solicit advertisements for travel bookings. Now the TCF was introduced by the IAB to assure or persuade various regulators that the RTB was GDPR compliant. However, it was recently reported that the RTB was used for profiling purposes and revealed the data of persons diagnosed with AIDS and even targeted the LGBT community to influence the 2019 Polish elections, hence posing serious civil rights violations and privacy breaches.
Why is RTB so harmful?
RTB is in constant use in the background of various applications and websites. Working on a round the clock basis, Google sends intimate or sensitive data to almost 968 companies. Such companies then target profiles based on behaviours to solicit advertisements. The RTB market in itself was worth app. EUR 6.7 billion in 2019. This is clear evidence of the bulk processing of data that is occurring through such ‘data brokers’. Now Article 9 of the GDPR, prescribes a ‘special category of data’ which includes genetic data, race, sexual orientation, health data, all of which are being processed by the RTB system. The BGDA reports that such special categories of data are not provided adequate controls or protection. More interestingly, the BGDA also proclaimed that the IAB, which is to overlook the fair functioning of the RTB, does not have adequate data protection themselves and is absent from a data protection officer.
Given the fact that the RTB is utilising vast amounts of data to profile and broker individuals, it is adamant to have privacy principles in place. However, the BGDA states that the RTB offers none. There are almost 22 (twenty-two) complaints (access here- 1, 2, 3) that have been filed in 16 (sixteen) European Union (EU) member nations regarding the threat of data breach by the RTB system. The RTB system appears to be in direct violation of Article 5(1) of the GDPR which requires appropriate security to be in place while processing personal data.
Action is still pending on these complaints. However, given the magnitude of the effects and threats posed by the RTB system, we at BlockSuits are positive that serious actions will be taken against the bidders of our personal data.
Authored by Shivani Agarwal, Founder, and Samaksh Khanna, Co-founder.
Commentaires