This note summarizes the ICO report on real-time bidding, which vindicates the GDPR complaints initiated by Brave.

In September 2018, Brave started to trigger a series of formal complaints under the GDPR against the lack of data protection in real-time bidding (RTB) advertising auctions. RTB auctions happen hundreds of billions of times every day, and leak the online habits of billions of Internet users into the data broker ecosystem. We believe this is the largest data breach ever recorded.

The first complaints were filed in Ireland, by Dr Johnny Ryan of Brave, and in the UK, by Jim Killock of the Open Rights Group and by Dr Michael Veale, then of University College London.[1] The three complainants worked with Ravi Naik, an eminent digital rights solicitor. There have since been fifteen complaints across the European Union, which duplicate the original complaints.[2]

Last week, the UK Information Commissioner (the “ICO”) published a thirty-page report on real-time bidding.[3] The report confirms the issues raised in the original complaints of September 2018, and in the additional evidence submitted by the complainants since then.

This was the second public gesture made by a European data protection authority in response to the RTB complaints. Last month, the Irish Data Protection Commission (DPC) announced a statutory investigation of Google DoubleClick’s suspected infringement of the GDPR.[4]

The crux of the RTB problem

Elizabeth Denham, the UK Information Commissioner, notes in the report’s introduction that:

one visit to a website, prompting one auction among advertisers, can result in a person’s personal data[5] being seen by hundreds of organisations…[6]

This is the crux of the complaint: the broadcast of personal data in RTB bid requests to a large number of companies, without any control on what then happens to the data, infringes Article 5(1)(f) of the GDPR. Article 5(1)(f) requires that personal data be kept secure and protected against unauthorized access or distribution.

As we noted in our original complaint,

Article 5(1)(f) of the GDPR requires data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”[7]

The ICO report summarizes the problem as follows:

As bid requests are often not sent to single entities or defined groups of entities, the potential is for these requests to be processed by any organisation using the available protocols, whether or not they are on any vendor list and whether or not they are processing personal data in accordance with the requirements of data protection law. … Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc. In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls.[8]

The only protections in place are contractual, which the ICO says is inadequate:

reliance on contractual agreements to protect how bid request data is shared, secured and deleted … does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.[9] This contract-only approach does not satisfy the requirements of data protection legislation. Organisations cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organisational controls back up those terms.[10]

The ICO concludes that

Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest…[11]

This means that “individuals have no guarantees about the security of their personal data within the ecosystem”,[12] which is contrary to Article 5(1)(f) of the GDPR.

Without adequate security, it is impossible to fulfil the GDPR requirements for accountability, transparency, and fairness. The processing of bid request data in this context is unlawful. Whether or not an entity has legal basis to perform the processing is therefore redundant. RTB’s lack of security is its original sin from which everything else flows.

Unlawful consent systems, and inapplicability of legitimate interest

The ICO report also vindicates concerns that we raised about the use of consent and legitimate interest as legal bases for RTB.

First, legitimate interest cannot be used as a legal basis for RTB (as I first wrote in early 2017[13]). The ICO says that “the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements”.[14] This repeats what we said in our original complaints.[15]

Second, the ICO says that the IAB consent system cannot provide a legal basis for RTB (as I warned even before the IAB consent & transparency framework was first launched[16]). It also repeats what we said in our original complaints about the IAB and Google approach to consent for RTB,[17] and concludes:

The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.[18] Given the complexity and opacity of the RTB ecosystem, organisations cannot always provide the information required, particularly as they sometimes do not know with whom the data will be shared.[19]

We demonstrated in evidence submitted in February 2019 that the IAB was already aware of this before it launched the TCF system. The CEO of IAB Europe wrote the following in an email, which we obtained through a freedom of information request:

As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, [RTB…] would seem, at least prima facie, to be incompatible with consent under GDPR.[20]

Third, even if the IAB and Google approaches to consent had been lawful, the fact that special category data may be present in bid requests means that “consent requests provided under both the TCF [IAB Consent & Transparency Framework] and AB [Google Authorized Buyers] frameworks are non-compliant.”[21] The ICO says that “any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies).”[22] Again, this closely echoes our original complaints.[23]

Fourth, the ICO notes that “organisations are therefore legally required to perform DPIAs (Data Protection Impact Assessments)”,[24] because RTB “carries a number of risks that originate in the nature of the ecosystem and how personal data is processed within it”.[25] This echoes a point first raised in our original complaints to data protection authorities.[26]

The ICO notes that few companies appear to have conducted such assessments,[27] and concludes that “we therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.”[28]

A note on special category data

The ICO notes that there are fields in the OpenRTB and Authorized Buyers protocols that relate to special category data[29] in the context of “content taxonomies” and “publisher verticals”, which we submitted as evidence in January 2019.[30] The ICO notes that:

The schema used within both OpenRTB and the TCF, and Authorized Buyers, include fields relating to politics, religion, ethnic groups, mental health and physical health, among others. The bid requests include these fields as well as other information about the user such as device IDs, cookie IDs, location data etc.[31]

The ICO went so far as to highlight examples of these categories:

The IAB’s ‘content taxonomy’ (v2.0, November 2017) contains hundreds of fields, which include ‘Heart and Cardiovascular Diseases’, ‘Mental Health’, ‘Sexual Health’ and ‘Infectious Diseases’ whilst Google’s ‘publisher verticals’ include ‘Reproductive Health’, ‘Substance Abuse’, ‘Health Conditions’, ‘Politics’ and ‘Ethnic & Identity Groups’. … Collection [of these data] alongside the identifiers and other personal data in a bid request indicates the processing of special categories of data either directly or by inference.[32]

This, however, is the extent of the ICO’s reporting on special category data in bid requests. The ICO appears to assume that the only special category data present in the RTB system is in “content taxonomies”. This is unlikely. As we noted in our original complaints, other fields in the protocols can also reveal special category data:

The websites that individuals are browsing may contain indicators as to their sexuality, ethnicity, political opinions etc. Such indicators might be explicit, or so effectively and easily inferred with high accuracy using modern analytic techniques that they are effectively explicit.[33]

For example, a person’s frequent location, the URL of their web browsing, or the name of an app they use, can be broadcast in bid requests, and may reveal special category data such as ethnicity or sexual preference.

A smarter RTB industry

The ICO makes two astute observations of the industry, which should prompt introspection among our colleagues. It appears to be alarmed by how poorly informed companies involved in real-time bidding are about the technology:

It is unclear whether organisations that participate in the RTB frameworks fully understand how they function in general or how the processing of personal data works.[34]

Nor does the ICO appear to be impressed with the level of understanding within the industry of how much data are actually necessary to process in order to run an auction for advertising space and target an advertisement:

it is unclear whether RTB participants have fully established what data needs to be processed in order to achieve the intended outcome of targeted advertising to individuals.[35]

The ICO says that it will consult with the two standards setting bodies, the IAB and Google, to discuss my proposal that the bid request protocols should be modified to broadcast less data. As I wrote in the note that announced additional evidence in February:

The IAB RTB system allows 595 different kinds of data to be included in a bid request. 4% of these should be disallowed, or truncated. The same applies to the Google system. [This …] will prevent the system from leaking the personal data.[36]

The ICO warns in its report that it may “mandate” such a revision,[37] and notes that “we do not think these issues will be addressed without intervention.”[38] Elsewhere, describing several possible changes to adtech, the ICO says that it does not believe “that the current market would adopt such measures voluntarily.”[39]
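The sketch below is an added example, not code from the ICO report, Brave, the IAB or Google: it shows what "disallow or truncate" could look like when applied to an OpenRTB 2.x style bid request before it is broadcast, covering the identifier, location, URL and content-category fields discussed above. The choice of which fields to drop, the truncation granularity, the function name `minimize_bid_request` and the sample request are assumptions made for illustration; the page does not list the fields it has in mind.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Assumption: this drop list is an illustrative choice of OpenRTB 2.x fields;
# the page does not enumerate which fields should be disallowed.
DROP = {
    "user": ["id", "buyeruid", "yob", "gender", "keywords", "data", "geo"],
    "device": ["ifa", "didsha1", "didmd5", "dpidsha1", "dpidmd5",
               "macsha1", "macmd5", "ipv6"],
    "site": ["cat", "sectioncat", "pagecat", "ref", "search", "keywords", "content"],
    "app": ["cat", "sectioncat", "pagecat", "keywords", "content"],
}

def minimize_bid_request(req):
    """Return (minimized copy, list of dotted field names that were removed)."""
    out, removed = copy.deepcopy(req), []
    for obj, fields in DROP.items():
        for field in fields:
            if out.get(obj, {}).pop(field, None) is not None:
                removed.append(f"{obj}.{field}")
    device = out.get("device", {})
    if "ip" in device:  # truncate the IPv4 address to its /24 network
        net = ipaddress.ip_network(device["ip"] + "/24", strict=False)
        device["ip"] = str(net.network_address)
    geo = device.get("geo", {})
    for key in ("zip", "city"):
        if geo.pop(key, None) is not None:
            removed.append(f"device.geo.{key}")
    for key in ("lat", "lon"):  # one decimal place is roughly 11 km
        if key in geo:
            geo[key] = round(geo[key], 1)
    site = out.get("site", {})
    if "page" in site:  # keep only the origin; the domain can still be revealing
        parts = urlsplit(site["page"])
        site["page"] = f"{parts.scheme}://{parts.netloc}/"
    return out, removed

# Constructed sample bid request (not real traffic).
SAMPLE = {
    "id": "constructed-auction-1",
    "site": {"domain": "health.example", "cat": ["IAB7"],
             "page": "https://health.example/conditions/diabetes/forum?uid=7"},
    "device": {"ua": "Mozilla/5.0", "ip": "203.0.113.77", "ifa": "constructed-ifa",
               "geo": {"lat": 51.50735, "lon": -0.12776, "zip": "constructed"}},
    "user": {"id": "constructed-cookie-id", "buyeruid": "constructed-buyer-id"},
}

if __name__ == "__main__":
    print(minimize_bid_request(SAMPLE))
```

Truncation reduces what each recipient learns but does not remove it: the remaining site domain or app name can still indicate special category data, as noted earlier.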

The report concludes that there is a widespread failure to protect personal data, including special category personal data, in a system that leaks the interest and online behaviour of Internet users, “millions of times a second”.[40]

This could enable foreign subversion of the next UK election, widespread misuse of individuals’ private profiles in job recruitment, and an undermining of individuals’ interests in transactions with actors forearmed with sensitive insights about them.

From July, the ICO will gather more information on security of personal data in RTB, profiling, and whether any data protection impact assessments have been undertaken. In six months it may review the industry, and asks that companies re-evaluate what they are doing with personal data.[41]