„Advertising is expensive, no advertising is even more expensive.“ (Paolo Bulgari, Businessman and Designer of jewelry).
According to this principle, programmatic buying and providing of advertising according to your behavior on the Internet, is becoming more and more important. Google also uses this concept of so- called “Programmatic Advertising” for its product campaigns.

The private web browser Brave Software Inc. has filed complaints against Open RTB and Authorized Buyers (Google’s proprietary) before the British and the Irish data protection authorities as Brave believes that this “online behavioral advertising” system contravenes various provisions of the General Data Protection Regulation (GDPR). Furthermore, the claimants requested for data protection authorities to conduct a joint supervisory operation, under art. 62 GDPR, with regard to this practice. If carried out, this would be the first time that a joint supervisory operation under art. 62 GDPR is performed.

What is Programmatic Advertising and how does the online behavioral advertising system work?

Programmatic advertising describes the automated serving of digital ads in real time based on individual ad impression opportunities. Whereas the traditional method includes requests for proposals, tenders, quotes and human negotiation, programmatic buying uses machines and algorithms to purchase display space. The technical process behind is called “Real Time Bidding” (RTB), which is basically an automated pricing process between supply (Sell-Side) and demand (Demand -Side). The customized offers for the target group are realized by means of an exact analysis of the user behavior.

Data protection relevance?

Personal data is essential for Programmatic Advertising. „Every time a person visits a website and is shown a “behavioral” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies”, writes Brave manager Johnny Ryan. This includes, among other things, the data subject’s IP address, cookie IDs, technical parameters of the device used and the type of content accessed.
Ryan calls this process a „data protection-free zone“. According to Ryan, a data breach occurs because this broadcast fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful. It is doubtful also whether data subjects are sufficiently informed about the extent and consequences of these data transfers.
The relevant provisions of the GDPR are therefore Art. 5 (1) lit. a and f, which requires that personal data is processed in a manner that guarantees appropriate security of the personal data; Art. 6 that delimits the circumstances under which the legitimate processing of personal data shall occur; Art. 9, requiring the specific consent of the data subject for the processing of her/his special categories of personal data; Art. 22, which requires specific consent when decisions that significantly affect the individual are made on the base of the automated processing of her/his data; Art. 25, which requires data protection by design and by default and Arts. 13 and 14, which mandate the data controller to provide information where personal data are collected from the data subject or from a third party.

Perspective / Expectations:

In response to a request from Heise Online (a German IT news site), Google had commented on the complaint that it had integrated data protection and security into its products from the outset and committed itself to complying with the requirements of the General Data Protection Regulation.

IAB Europe (the leading European trade association for digital advertising) vehemently vetoed the complaints submitted. According to IAB, the complaints are incorrect and would demonstrate a fundamentally wrong understanding of European data protection law. The IAB understands that it is not against the law to use personal data in real auctions if the parties act in accordance with the GDPR.

This is indeed an interesting case and one that is of considerable relevance for the online marketing business. It could even trigger, for the first time, an EU-wide investigation in to the ad tech industry’s practices, under Article 62 of the GDPR. Nevertheless, we assume that a timely decision cannot be expected, as European data protection authorities are currently overwhelmed with complaints. It can take years to reach a decision in court. It is to be hoped, however, that a quicker decision will be taken due to the great relevance of the case.