• by Sean Hargrave , Staff Writer, September 17, 2019

At the same time, RTB has been given until Christmas to reform itself in the UK, and Google is under formal investigation in Ireland. The privacy campaigner behind the complaint that has got Google investigated in Dublin, Johnny Ryan, was at the Dmexco conference last week in Germany to outline his beef with RTB. In his words, it's the biggest leakage of personal information in history. 

For the IAB Europe delegates at the show who watched his presentation, the whole thing was -- according to comments reported in The Drum -- "crude" and "simplistic."

Today Johnny Ryan, who works as the Chief Policy and Industrial Relations Officer at Brave, made the deck for his speech available. It's a very thorough collection of 117 slides, so it's definitely one to flick through when you have some spare time and a cup of tea to hand. Whatever the IAB Europe might say, it must be remembered that the deck comes from the guy whose complaint has launched a formal investigation into Google in Ireland. It deserves to be taken very seriously.

I'm a Twitter contact of Johnny's and have been bouncing around ideas and questions to get to the bottom of the argument behind the 117 pages of slides and complex diagrams. He's a fascinating guy who is clearly passionate about the subject area and highly responsive to questions from people like myself who find the legalese of GDPR a little daunting.

What I can discern so far, and apologies if I am oversimplifying it or getting aspects of the argument wrong, is that RTB requests involve a wide supply chain of supply-side and demand-side platforms, as well as ad networks and trading desks, that are all, in his opinion, accessing personal information. As soon as someone accesses a page, their personal information is banded around the ecosystem without the viewer's prior consent. 

Now, you may be saying they could well have agreed to a cookie. In Ryan's argument this is a moot point for two reasons.

First of all, all those companies in the digital advertising supply chain have the ability to process a person's data, and more importantly, if they process it for their own purposes beyond the reason for which it was originally passed on, they become a controller of that data. 

Secondly, whoever originally gains consent can only legally allow data to be shared with pre-disclosed partners and with its security guaranteed. The point with RTB is, it is very hard for a data controller to truly say where the data is going and be assured it will always be processed securely.

Now, the counter argument here is likely to be that the data is not personal, to which Ryan's point is that data sometimes includes an IP address and so, by law, is personally identifiable. Also IDs given to a customer can be linked to a real profile of that person, and so could be considered personally identifiable. 

So where will the cards fall? It's impossible to tell, but it's pretty clear that RTB will have to change.

When so much data that has the potential to be deemed personal is flying around to so many platforms, there is a possibility it could be seen as failing to live up to the demands of GDPR.

In my opinion, it will all come down to interpretation over whether RTB operates under personally identifiable data.

The result? I would suggest that the way RTB can carry on is to ensure that no information is personally identifiable, or be construed as being personally identifiable.

Defined segments -- for example, a millennial, middle-income woman from Bristol who is into jogging and hockey and is looking for training shoes who has just accessed a page -- will be offered rather than an IP address and more revealing details.

The industry is likely to need to find a way to limit data sharing, allowing a supply-side platform to handle more of the process without broadcasting information to all and sundry, yet still revealing enough to solicit bids.

Publishers are already working on building highly defined segments through their first-party data efforts, and if they can stop this information from leaking out, they can offer these to advertisers -- hopefully without too much data spilling out, and certainly without any personally identifiable data leaking. 

It is a hugely complex area that I cannot even begin to claim to understand fully. That is why it is taking lawyers and top-level probes in Dublin and London to get under the bonnet of the industry.

For me, the answer must be that if personal information is the problem, RTB will have to work to highly segmented audiences to avoid dealing in data that might be construed as personal. 

Nobody would suggest that the entire RTB industry is full of rogues, but for the benefit of the doubt taking away anything that could be construed as personal information has to be the safest way forward.