Dr Johnny Ryan, privacy advocate, and Brave browser thought leader conducted a provocative Dmexcofringe presentation this week exploring what he sees as the increasingly questionable legality of real-time bidding under GDPR.
In an outlandish, but plausible presentation, Ryan painted data regulators as the forest guardians of Tolkien lore awakening against the threat of potential real-time bidding (RTB) illegality.
“Now the Ents are awakening, they are terrifying. They may just bring down the castle,” he said.
On his Tolkienesque trip to the Mordor of digital advertising, Dmexco, (depending on who you ask) he is a hero hobbit championing privacy, or a marauding orc smearing adtech.
As Ryan conducted a forensic dissection of the trade, the Interactive Advertising Bureau Europe (IAB) said programmatic revenues in the region grew by 33% in 2018 to €16.7bn. Its chief executive, Townesend Feehan, conceded that the industry is “experiencing a period of rapid transformation,” citing brand safety and increasing regulation globally.
Brave move?
Ryan spearheads a pan-European privacy campaign while promoting Brave, a tracker-blocking web browser with a fascinating business model.
He believes that IAB Europe’s technical standards, guiding programmatic advertising practices, likely “broadcast” hundreds of user data points to hundreds of bidders when they access a website in the milliseconds it takes for an ad auction to occur. Shared is web domain, assumed age, gender, location, mobile ID, IP address, browser version and operating system. Theoretically, this data could travel downstream to innumerable sources.
While hundreds of billions of these requests are processed each day, regulators in Ireland and the UK probe these practices.
Fuelling Ryan’s campaign, in June, the UK Information Commissioner’s Officer said it has “general, systemic concerns around the level of compliance of RTB” and added, “the processing operations involved in RTB are of a nature likely to result in a high risk to the rights and freedoms of individuals.”
Data processors had six months to get their house in order at the risk of maximum fine of €20m or 4% of global revenue, whatever is highest. Showing its teeth, in July Marriot and BA were hit by fines (£99m and £184m respectively) for data breaches.
Ryan claimed the RTB process could see “the biggest ever data breach we have ever seen…” This is illustrated in his slide below.
He added: “Privacy and data protection is enshrined in European rights. If there is an absence of knowledge about where the data goes, there is no way the user can even consent.”
His argument hinges on GDPR’s article 5(1) f; the requirement to ensure data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Ryan said: “If you can’t protect the data, you can’t have it. Currently, it is a free for all.”
“If I ask for consent for your school reports, walk up to the roof and throw them off the rooftop so that people can take them and copy them, do I breach user consent with my ‘broadcast’? There must be a point when something becomes a broadcast rather than a transmission.”
Ryan again relies on metaphor but hints that if web users knew the extent of their data footprint, they would think twice about providing it. “Prepare for IAB and Google RTB reform. It is highly likely to happen, to not plan for it is not a good idea.”
A surprise attendee at Ryan’s talk was IAB Europe’s Townesend. The organisation previously branded Ryan’s efforts as a “PR stunt” but chose now to engage in person.