Why marketers must conduct GDPR Data Protection Impact Assessments of RTB
This note examines the GDPR requirement that marketers conduct data protection impact assessments (DPIAs) when buying digital media using “real-time bidding” advertising.
- A 2018 European Court of Justice decision demonstrates that a marketer that buys targeted advertising is a “controller” of the personal data used for that targeting, even if the marketer does not process the data itself.
- The first consequence is that the marketer must conduct a Data Protection Impact Assessment (DPIA) of “real-time bidding” (RTB), per Article 35 of the GDPR.
- In turn, a DPIA of RTB will require that the marketer consult a European data protection authority, per Article 36 of the GDPR.
- The second consequence is that the marketer is exposed to liability from the way that RTB treats personal data. (Article 26 (3) and Article 82 (2) of the GDPR).
Marketers: “joint controllers” with no data?
The European Court of Justice decided in the Wirtschaftsakademie case in June 2018 that a marketer is a controller of data processing when it commissions targeted advertising, even if it does not have direct access to personal data being processed.
The Wirtschaftsakademie decision concerned a particular marketer’s use of Facebook fan pages. The Court ruled that the marketer’s use of Facebook for advertising “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”
In addition, the Court observed that the marketer
“can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centers of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organize events, and more generally enable it to target best the information it offers.”
By asking for such targeting, the marketer causes the processing of the personal data that enable such targeting. The marketer “must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing”. 
Furthermore, the marketer is a controller not only because it specifies targets, but also because it receives statistical reporting on the effect of this targeting. “The production of those statistics is based on the prior collection … and the processing of the personal data of those visitors for such statistical purposes”.
Therefore, a marketer is “a controller responsible for that processing within the European Union”. It is possible that this can apply to an agency working on behalf of a marketer also. See previous analysis of the Wirtschaftsakademie decision here.
Though the ruling was made in the context of marketing activities on Facebook, the Court’s reasoning applies to all advertising technologies that process personal data to target and report on advertising at the request of a marketer. For example, the “real-time bidding” ad auction system reports on performance to the marketer, and is used for virtually identical targeting to that described by the Court:
“…demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitor…”
This has two consequences that may not be clear to marketers who commission, or who cause the commissioning of, RTB advertising. First, it exposes such a marketer to liability. Second, it requires that the marketer conducts a Data Protection Impact Assessment (DPIA) of RTB.
The marketer’s liability
Whereas the marketer in the Wirtschaftsakademie case was shown to be a joint controller with Facebook, a marketer that uses RTB will inevitably be a joint controller with a large number of RTB companies. The RTB system was built to widely spread personal data, not to protect it. As we and others have explained to European data protection authorities in our complaints against the IAB and Google RTB system, RTB is a data protection free zone. Our complaints have resulted in investigation of Google’s RTB system by the Irish Data Protection Commission (Google’s lead GDPR authority, and a scathing report from the UK Information Commissioner’s Office, which vindicates our complaints.
Due to the lack of transparency in the RTB industry, and the absence of data protection to limit how data are passed around in the open RTB market, it is likely that a marketer cannot learn of the totality of the companies involved in a single RTB advertising campaign that it has commissioned. This exposes marketers to a broad and boundless hazard. They are liable for misuse of data by adtech companies that they may never even have heard of.
Chart credit: The Economist
The inability to know who one’s joint controllers are offends the idea of how joint controllership is intended to work. Article 26 (1) makes clear that joint controllers must be transparent and cooperative:
“They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject”.
That this is impossible is a further sign that RTB is a data protection free zone.
Article 82 (2) of the GDPR provides that “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation”. Not only is the marketer liable, despite never touching the data, but it may also be the most obvious party to confront with this liability, because its it likely to be far better known than the adtech companies that caused the problem. The advertiser’s name is on the advertisement.
Data Protection Impact Assessment requirement
Article 35 (1) of the GDPR requires a data protection impact assessment in the following circumstances:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. …
To clarify these criteria, European data protection authorities published ten tests for deciding whether a data protection impact assessment is required: the answer is yes if two or more of the following criteria apply:
- Evaluation or scoring (including profiling), including “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”.
- Automated decision making, including “the processing may lead to the exclusion or discrimination against individuals”.
- Systematic monitoring.
- Processing of sensitive data, including GDPR Article 9 special category data.
- Data processed on a large scale, considering the number of people; volume of and range of data; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity.
- Matching or combining datasets from different purposes and/or origins “in a way that would exceed the reasonable expectations of the data subject”.
- Data concerning vulnerable subjects, for example, children, the mentally ill, employees as a disadvantage with respect to their employer, etc.
- Innovative use or applications of technological or organizational solutions.
- Data transfers across borders outside the European Union.
- When the processing in itself prevents data subjects from exercising a right or using a service or contract. “This includes processings performed in a public area that people passing by cannot avoid, or processings that aims at allowing, modifying or refusing data subjects’ access to a service or entry into a contract”.
Real-time bidding appears to meet all of the ten criteria, with the exception of item 7. The European data protection authorities observe that “the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects”.
We asserted this point a year ago, in our original complaints to data protection authorities. The UK ICO’s “adtech update report” has since supported this view. The ICO notes that real-time bidding technology companies are “legally required to perform DPIAs (Data Protection Impact Assessments)”, and elsewhere gives the reason. RTB “carries a number of risks that originate in the nature of the ecosystem and how personal data is processed within it”.
Because of its joint-controllership, a marketer using RTB is required to conduct a DPIA itself, arrange that its joint controller companies who carry out the RTB campaign conduct a DPIA. Since people can exercise their rights against each controller severally, it would be wise for marketers to conduct their own thorough DPIAs. This is particularly so since a marketer can probably never fully know how many joint controllers it is involved with in the open RTB market.
Data Protection Impact Assessments of RTB will reveal a data breach
Article 35 (7) says that a data protection impact assessment must contain:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Item (c) of this list will be particularly challenging to marketers.
A DPIA will note that the real-time bidding system generally involves the broadcast of intimate personal data to hundreds of companies, to solicit bids from them for the opportunity to show an ad to that specific person. A “bid request” broadcast about a particular visitor to a website can include:
- The URL of what the person is reading/watching/listening to.
- The person’s age.
- The person’s GPS coordinates, or a less specific indication of their location, depending on the RTB system being used.
- The person’s IP address (Google anonymizes this, but other companies do not).
- Category codes of content the person is loading, which can reveal their interests, medical conditions, and other sensitive facts. (Example Google codes: 571 eating disorders, 410 left-wing politics, 202 male impotence, 862 Buddhism, 625 AIDS & HIV, 547 African-Americans. Example IAB codes: IAB7-9 Bipolar disorder, IAB 7-18 Depression, IAB 7-3 AIDS/HIV, IAB 23-10 Latter-Day Saints, IAB 23-8 Judaism.)
- Unique identification codes for the individual person and their device, and descriptions of the device hardware and software that allow the latest personal information about the person to be added to existing profiles about them.
Once a person’s data have been broadcast by the RTB system, the company that sent the data loses control over it. The IAB, the tracking industry’s foremost lobby group, has observed in its own documents that “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/budding on/after delivery of an ad”.
The IAB’s “transparency and consent framework” is merely a signaling system that allows RTB companies to send each other notes about what they should and should not do with personal data. It is entirely at these companies’ discretion whether they heed these notes or not. The IAB has yet to introduce any mechanism for verifying whether this trust-based system is respected by the adtech companies who receive the data – probably because such a system is not practical. This data protection failure occurs in Google’s RTB system too. Google relies on an honor system in which the companies it sends data to are supposed to tell it when they break its rules.
In contrast to the IAB and Google’s trust-based system, the GDPR requires strict security of personal data. Article 5(1)f of the GDPR requires that personal data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.
So long as RTB bid requests broadcast personal data to an unknowable number of companies, RTB will continue to create a data breach and will fall afoul of Article 5(1)f of the GDPR.
Article 36 (1) of the GDPR says that “where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk…” one must consult the data protection authority for guidance. In other words, after a marketer conducts a DPIA in order to protect themselves from liability, the marketer will then start talking to its lead data protection regulator in Europe.
Once consulted, data protection authorities have fourteen weeks to reply with advice on whether the processing can proceed. The absence of data protection in the RTB system means that a marketer (and the individual data subject) cannot know what parties actually receive data, or what they do with it. In view of the risks, the inescapable conclusion will be that the use of personal data in the RTB system cannot be permitted.
 Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16.
 “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” GDPR, Article 4 (7).
 Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 35.
 ibid., paragraph 37.
 ibid., paragraph 39.
 ibid., paragraph 38.
 ibid., paragraph 39.
 Data are personal if the data can single a person out (as a single datum or in combination with other data), without an unlikely degree of effort or expense or technological development. See GDPR, Article 4 (1); and Opinion 4/2007 on the concept of personal data, Article 29 Working Party, 20 June 2007, p. 15; and see the “reasonableness” test in action in the ECJ ruling in the Breyer case, paras 31 – 49 of http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN.
 Judgement of the Court (Grand Chamber), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, case C‑210/16, paragraph 37.
 See complaints submitted to the Irish Data Protection Commission and to the UK Information Commissioner. See “Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR”, Brave Insight, 12 September 2018 (URL: https://brave.com/adtech-data-breach-complaint/).
 See “Google faces first investigation by its European lead authority for “suspected infringement” of the GDPR, following formal complaint from Brave”, Brave Insight, 22 May 2019 (URL: https://brave.com/dpc-google/); and “A summary of the ICO report on RTB – and what happens next”, Brave Insight, 26 June 2019 (URL: https://brave.com/ico-adtech-update-rtb/).
 GDPR, Article 26 (1).
 GDPR, Article 82 (2).
 GDPR, Article 35(1). Article 35 (3) gives further criteria for what requires a DPIA.
 “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679”, Article 29 Working Party, 4 October 2017, pp 9-11.
 ibid., p. 11.
 Paragraph 38 of the complaints submitted to the Irish Data Protection Commission and to the UK Information Commissioner. See “Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR”, Brave Insight, 12 September 2018 (URL: https://brave.com/adtech-data-breach-complaint/).
 “Update report into adtech and real time bidding”, Information Commissioner’s Office, 20 June 2019 , p. 22.
 ibid., p. 9.
 See Article 26 (1) of the GDPR, which allows joint controllers to agree their respective responsibilities.
 Article 26 (3) of the GDPR.
 See “Examples of data in a bid request from IAB OpenRTB and Google Authorized Buyers’ specification documents” presented in evidence to United Kingdom Information Commissioner’s Office, and to Irish Data Protection Commission on the scale of RTB bid requests, submitted on 20 February 2019 (URL: https://brave.com/wp-content/uploads/2019/02/3-bid-request-examples.pdf).
 “Pubvendors.json: transparency & consent framework”, IAB TechLab, May 2018, presented in evidence to United Kingdom Information Commissioner’s Office, and to Irish Data Protection Commission on the scale of RTB bid requests, submitted on 20 February 2019 (URL: https://brave.com/wp-content/uploads/2019/02/2-pubvendors.json-v1.0.pdf).
 See “Transparency & Consent Framework Policies, 2019-08-21.3” IAB, August 2019 (URL: https://iabeurope.eu/wp-content/uploads/2019/08/TransparencyConsentFramework_PoliciesVersion_TCFv2-0_2019-08-21.3_FINAL-1-1.pdf), p. 20.
 “Buyer will regularly monitor your compliance with this obligation, and immediately notify Google in writing if Buyer can no longer meet … this obligation…”. In “Authorized Buyers Programme Guidelines”, Google, August 2018 (URL: https://www.google.com/doubleclick/adxbuyer/guidelines.html).
 Article 5(1)f of the GDPR.
 Complaint to the United Kingdom Information Commissioner’s Office, and to the Irish Data Protection Commission on the scale of RTB bid requests, submitted on 12 September 2018 (URL: https://brave.com/adtech-data-breach-complaint/).
 Article 36 (1) of the GDPR.
 Eight weeks, plus six weeks in complex cases. GDPR, Article 36(2).