Dr Johnny Ryan, privacy advocate, and Brave browser thought leader conducted a provocative Dmexco fringe presentation this week exploring what he sees as the increasingly questionable legality of real-time bidding under GDPR.

In an outlandish, but plausible presentation, Ryan painted data regulators as the forest guardians of Tolkien lore awakening against the threat of potential real-time bidding (RTB) illegality.

“Now the Ents are awakening, they are terrifying. They may just bring down the castle," he said.

On his Tolkienesque trip to the Mordor of digital advertising, Dmexco, (depending on who you ask) he is a hero hobbit championing privacy, or a marauding orc smearing adtech.

As Ryan conducted a forensic dissection of the trade, the Interactive Advertising Bureau Europe (IAB) said programmatic revenues in the region grew by 33% in 2018 to €16.7bn. Its chief executive, Townesend Feehan, conceded that the industry is “experiencing a period of rapid transformation," citing brand safety and increasing regulation globally.

Brave move?

Ryan spearheads a pan-European privacy campaign while promoting Brave, a tracker-blocking web browser with a fascinating business model.

He believes that IAB Europe's technical standards, guiding programmatic advertising practices, likely "broadcast" hundreds of user data points to hundreds of bidders when they access a website in the milliseconds it takes for an ad auction to occur. Shared is web domain, assumed age, gender, location, mobile ID, IP address, browser version and operating system. Theoretically, this data could travel downstream to innumerable sources.

While hundreds of billions of these requests are processed each day, regulators in Ireland and the UK probe these practices.

Fuelling Ryan's campaign, in June, the UK Information Commissioner’s Officer said it has "general, systemic concerns around the level of compliance of RTB" and added, "the processing operations involved in RTB are of a nature likely to result in a high risk to the rights and freedoms of individuals.”

Data processors had six months to get their house in order at the risk of maximum fine of €20m or 4% of global revenue, whatever is highest. Showing its teeth, in July Marriot and BA were hit by fines (£99m and £184m respectively) for data breaches.

Ryan claimed the RTB process could see "the biggest ever data breach we have ever seen…" This is illustrated in his slide below.

He added: “Privacy and data protection is enshrined in European rights. If there is an absence of knowledge about where the data goes, there is no way the user can even consent."

His argument hinges on GDPR's article 5(1) f; the requirement to ensure data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Ryan said: “If you can’t protect the data, you can’t have it. Currently, it is a free for all.”

“If I ask for consent for your school reports, walk up to the roof and throw them off the rooftop so that people can take them and copy them, do I breach user consent with my ‘broadcast’? There must be a point when something becomes a broadcast rather than a transmission.”

Ryan again relies on metaphor but hints that if web users knew the extent of their data footprint, they would think twice about providing it. “Prepare for IAB and Google RTB reform. It is highly likely to happen, to not plan for it is not a good idea.”

A surprise attendee at Ryan’s talk was IAB Europe's Feehan. The organisation previously branded Ryan’s efforts as a “PR stunt” but chose now to engage in person.

IAB response

Townsend Feehan, chief executive of IAB Europe, spoke to The Drum after Ryan’s presentation in which she interjected, at odds with his thesis.

She said she was “surprised at how crude and simplistic the presentation was".

"The topic is technically complicated, and his narrative is simple and compelling but it omits a really relevant part of the story. During the talk, he acknowledged that RTB can be done in a GDPR-compliant way. His narrative was that it is inherently, structurally and constitutionally incapable of being done legally. It is a toxic narrative."

Feehan, said there is an "emphatic" belief at IAB Europe that RTB can comply with GDPR but acknowledged that there may be bad actors out there, "if there is anyone machine-gunning data out, they are breaking the law and face a large GDPR fine.

"He tells a shocking and alarming story in a vacuum as if there were no rules. But the rules don't create a technical impediment to bad things happening. You can beat someone to death with a hairdryer. The crime is homicide, and society still considers it OK to have hairdryers lying around."

Feehan conceded that there remains work to do getting the consent management platforms (CMP) up to scratch, the user interfaces that gather consent on web pages. Of around 140 CMPs working with IAB Europe, only 85 have passed compliance measures. "Most have had to make some changes." Often access to additional information and lists of vendors were obscured or hidden by non-compliant partners.

She announced that IAB Europe is in discussion with the ICO to ensure concerns are addressed. "We have had some interesting conversations and we have some homework to do."

In the next few months, Feehan hinted, we'll know where the ICO will land.

During the panel

A DSP employee in the crowd outlined the varying quality of the consent management platforms. He claimed there were around 100 types of consent agreements varying from “flippant to very comprehensive”.

A top media exec at an FMCG giant asked what preparations brands could make to prepare for the worst if the process is indeed unlawful under GDPR. He outlined his belief that there could be incremental improvements made to the ecosystem.

And finally, a consultant working with the IAB ended the discussion: “The ICO needs to see change, and from industry, need to see a willingness. There is an amnesty at the moment. [Adtech] is sitting on the beach and there is a tide coming in, at some point they have to get off the beach. But it is a big industry and a lot of money it will not change overnight.”