Despite this manifest good for companies and consumers alike, the Panoptykon Foundation filed a complaint with the Polish data protection authority, alleging that use of the OpenRTB protocol, including when used with the Content Taxonomy, violates the GDPR. However, a close examination of the complaint undermines this conclusion.
Buried in the most recent complaint is the statement that “we believe that IAB is a personal data controller” who “decides in its own discretion how the processing of personal data is carried out.”
This assertion strains credulity. No IAB entity collects or processes any data, nor does it direct anyone else to do so. OpenRTB is merely a communication protocol that supports real-time bidding for the delivery of advertising to consumers at a particular point in time.
Companies that choose to implement the protocol must do so in a manner that complies with the laws of the jurisdictions in which they operate. The CNIL (the French data protection authority) said it best: “[T]he GDPR does not aim at regulating technologies per se, but regulates how actors use these technologies in a context involving personal data.“
This overreach by the Panoptykon Foundation is highlighted by the primary case that it relies upon in the complaint, which involved the Jehovah’s Witness community and its members’ collection of personal information through their door-to-door outreach.
The European Court of Justice concluded that the community and its members (i.e., preachers) were joint data controllers: “Thus it appears that the collection of personal data relating to persons contacted and their subsequent processing of data help achieve the objective of the JWC […]” The Court further stated that, “not only does the Jehovah’s Witnesses Community have knowledge on a general level of the fact that such processing is carried out in order to spread its faith, but that community organizes and coordinates the preaching activities of its members, in particular, by allocating areas of activity between the various members who engage in preaching.”
No IAB entity has a relationship with its members that is remotely similar to the Jehovah’s Witnesses Community’s relationship with its members. In fact, unlike the Jehovah’s Witnesses Community, which organized and allocated territories for its members’ preaching, IAB Tech Lab does not direct its members to disclose any data through OpenRTB, nor does it direct companies to take part in behavioral advertising or use OpenRTB. Moreover, unlike the Jehovah’s Witnesses Community who processed data for a common religious purpose, IAB Tech Lab members – and for that matter non-members who implement the OpenRTB protocol – share no such common purpose. As everyone well knows, each business that implements OpenRTB does so for its own competitive business purpose.
If “IAB” can be a data controller, as the complaint suggests, without ever collecting data or having the requisite level of control to actively direct anyone to collect data, it would lead to absurd and undesirable results. All standard setting bodies would be data controllers alongside all companies that implement their standards (e.g. IEEE for WiFi and W3C for HTTP). If that were the case, no not-for-profit organization would ever be willing to serve as a standard setting body and take on the liability of outlier market participants over whom they have no knowledge or control.
We all should be concerned about the deleterious consequences that would follow from an acceptance of the allegations in the complaint, which rest on a case that does not fit the present circumstance.