On January 28, 2019, the Panoptykon Foundation filed a complaint with the Polish Data Protection Authority against IAB Europe on behalf of an individual, alleging that OpenRTB, the widely-used real-time bidding (“RTB”) protocol promulgated by IAB Tech Lab, violates numerous provisions of the General Data Protection Regulation (the “GDPR”). The complaint recycles many of the same arguments made to the Irish Data Protection Commission and the UK Information Commissioner’s Office in 2018; we analyzed these other arguments in a previous article.
The complaint argues that IAB should be considered a data “controller” under the GDPR for all processing activities undertaken through OpenRTB. As discussed below, such a contention would dramatically (and improperly) expand the definition of “controller” and should be rejected by regulatory authorities.
The GDPR regulates “processing activities” (i.e., discrete operations performed on personal data). An entity is either a data “controller” or a data “processor” with respect to such processing activities. In other words, the determination of an entity as controller or processor must be analyzed in relation to whatever processing activities are in question.
All processing activities have at least one controller. A controller determines the “purposes” and “means” of such processing activities, either alone or jointly with other controllers. The “purpose” is why a processing activity is being carried out and the “means” are how that processing activity will be carried out.
Although the definition of “controller” has been interpreted broadly, guidance and case law require that an entity, alone or with others, have a certain level of factual “influence” on the purpose and means of processing to be considered to have “control.” Indeed, the Article 29 Working Party (the “WP”) provides that “[b]eing a controller is primarily the consequence of the factual circumstance that an entity has chosen to process personal data for its own purposes.” (Emphasis added).
The WP further explains that determination of the means “would imply control when the determination concerns the essential elements of the means.” (Emphasis added).
Determination of the “means” therefore includes both technical and organizational questions where the decision can be well delegated to processors (as e.g. “which hardware or software shall be used?”) and essential elements which are traditionally and inherently reserved to the determination of the controller, such as “which data shall be processed?”, "for how long shall they be processed?”, “who shall have access to them?”, and so on. (Emphasis added).
Thus, although determining the purpose of a processing activity automatically renders an entity a “controller,” an entity determining the means of processing is considered a controller only when such determination concerns the essential means.
The Jehovah’s Witnesses Case
The complaint relies primarily on one case from the European Court of Justice (“ECJ”) to support its claim that IAB is a controller with respect to all processing activities undertaken through OpenRTB: Case C-25/17 (the “Jehovah’s Witnesses case”). The complaint also cites to Case C-210/16, which we discuss and distinguish in our previous article linked above.
In the Jehovah’s Witnesses case, Jehovah’s Witnesses members (i.e., preachers) went door-to-door to convert others to their faith. The members wrote notes on their visits, such as the names of the people they visited, their addresses, and summaries of their conversations. The Data Protection Supervisor claimed that the Jehovah’s Witnesses religious community (the “JWC”) was a controller in relation to the notes taken by their members during this door-to-door preaching.
The JWC contended that it was not a data controller because it did not determine the purposes and means of processing, alleging (1) the JWC did not formally require the collection of notes by its members and (2) the JWC did not have access to the members’ notes.
The ECJ, along with the Advocate General, analyzed the JWC’s potential role as a data controller in relation to the specific processing activity in question: members’ note taking when door-to-door preaching. The ECJ held that the JWC “organized and coordinated” the preaching to such a level that it defined the purposes and means of processing in the context of that preaching jointly with its members. The Advocate General emphasized that the JWC: (1) “gave very specific instructions for taking notes;” (2) allocated areas among the members to better organize the preaching and increase the chances of converting individuals; (3) kept records on how many publications the members disseminated and the amount of time they spent preaching; and (4) kept a register of individuals who did not want to be visited.
Analysis of the Complaint
First, with respect to IAB, the complaint alleges: “IAB is one of the two leading actors...in the market of behavioural advertising which organises, coordinates and develops the market by creating specifications of an API...that is utilised by companies that participate in [OpenRTB] auctions in ad markets...Those specifications are accompanied by the rules of their application [in the IAB Transparency and Consent Framework].”
The complaint does not claim that IAB is the controller of any specific processing activities. Instead, it claims that IAB is the controller of all processing activities undertaken through OpenRTB that relate to “behavioural advertising” because it is a “leading actor” that “organizes, develops and coordinates the market.” It is stating that IAB’s control over the market is similar to the JWC’s control over its preachers in that it co-determines what personal data shall be processed and why for all participants within OpenRTB and, by extension, the multi-billion dollar behavioral advertising industry.
However, the level of control in the Jehovah’s Witnesses case is readily distinguishable. The JWC instructed its preachers to go door-to-door for the discrete purpose of expanding its membership. To ensure the effectiveness of the activity, the JWC assigned members to different areas, kept track of how long they preached and how many publications they distributed, and provided detailed instructions on what notes to take (i.e., what personal data to process).
The complaint relies on the fact that, like OpenRTB, the JWC did not formally require the processing of personal data, yet was still a controller because it “organized and coordinated” the activity. This argument is a red herring. “Organization and coordination” is only relevant where it results in determination of the purpose and means of processing. The JWC’s “organization and coordination” amounted to such tight control over its members’ preaching activity that it was still viewed as instructing them to process personal data on its behalf.
Conversely, IAB’s development and release of OpenRTB does not allow it to instruct or direct another business as to what personal data it shall in fact process or transfer through the protocol, or for which purposes. Unlike the preachers answering to a centralized authority, entities do not engage in processing activities over OpenRTB at the behest of, or for a shared purpose with, IAB.
A standard’s primary objective is to define technical requirements for interoperability among various systems. As such, it allows entities to carry out activities more efficiently through a common “language.” However, this development of a communication medium by which processing activities may be carried out must be differentiated from the processing activities themselves. The purpose for initiating processing and each subsequent operation relating thereto (e.g., collection, transmission to downstream partners) is determined at the business level. IAB’s defining of the protocol’s structure provides the technological capability for entities to carry out such activities, but it is not, in itself, a processing activity or “purpose.” The alternative would create a virtually unlimited definition of “controller.” Likewise, IAB’s theoretical ability to lessen the processing capability of the protocol – such as eliminating the “device identifier” field – also cannot be a criterion by which control is decided in this context. If such ability were acted upon, it would only limit the range of processing activities capable within that technology (activities that were never required in the first place). This attenuated “control by exclusion” leads to bizarre results and is not what the GDPR intended. For example, any provider that releases technology capable of a range of processing activities would become a controller of all such activities if it ever puts limits on that capability.
Second, the complaint also alleges that “IAB has full control of how the behavioural advertising market within...[OpenRTB] is designed and operates, so it decides at its own discretion how the processing of personal data is to be carried out, e.g., by determining the elements that must be included in the so-called bid request, i.e., a request for submission of bids in an ad market.” In other words, the complaint argues that IAB, through OpenRTB, decides the essential means of all processing activities carried out under the technical protocol.
When analyzed against the aforementioned elements highlighted by the WP, IAB does not determine the “essential means” of the processing activities carried out over OpenRTB:
- Which data shall be processed?
- IAB does not decide what data will be processed when entities carry out processing activities via OpenRTB. The complaint conflates the capability to allow entities to process personal data with deciding what data shall be processed for any given processing activity.
- The Panoptykon Foundation and related parties argue that because almost all bid requests sent via OpenRTB contain at least a device identifier, and OpenRTB documentation recommends device identifiers be included in bid requests, IAB decides that entities shall process device identifiers. Such an argument is unavailing. Technology providers routinely recommend that personal data be processed for added business value (e.g., SaaS platforms). No one has seriously argued that these providers automatically become joint controllers by virtue of doing so. The decision to process such data is left to the autonomy of the user.
- For how long shall the data be processed/when should the data be deleted?
- IAB does not mandate retention periods. Such a decision is solely within the business’s own legal judgment for what satisfies the storage limitation principle for its particular processing activities.
- Who shall have access to the data?
- This decision is, again, controlled entirely by the entities using OpenRTB and differs dramatically depending on the context in which advertising may be transacted (e.g., open auction, private marketplace, programmatic, or direct).
Third, according to the complaint, IAB is a controller because it has general knowledge that processing is happening through OpenRTB:
[T]he JWC, which collects information on its members (as opposed to information on persons visited by its members), becomes, by creating guidelines and maps, a joint controller of personal data of persons visited by its members despite the fact that it does not establish any direct interaction with those persons and has no access to such data. This instance can be directly compared with IAB, as its role is also to provide guidelines and specifications to companies that participate in auctions in ad markets. Like the community analysed by the CJEU, IAB has a general knowledge of the fact that processing is carried out and knows its purposes (matching ads in RTB model), as well as it organizes and coordinates activities of its members by way of management of... [OpenRTB].
Although it is correct that an entity does not need direct access to data to be a controller, it still needs a level of control sufficient to determine the purposes and means of processing. Much of the above quote is a restatement of the complaint’s previous arguments examined herein.
However, there is one slightly different argument presented: “IAB has a general knowledge of the fact that processing is carried out and knows its purposes...” and thus is a controller. This “general knowledge” standard that the complaint proposes ignores all context and nuance from the Jehovah’s Witnesses case. Clearly, every company that has a general knowledge that processing is being carried out through its technology, and is aware of the purpose for which its carried out, cannot be a joint controller or else virtually every technology company (e.g., standards bodies, SaaS platforms, and software companies) would be a joint controller.
The CJEU’s mention that the JWC was aware of its members’ processing of personal data (i.e., note taking) was to demonstrate that excessive formalism (i.e., an express written statement telling individuals to process data) should not be required when an entity has such a level of control that it, practically speaking, instructs others to carry out processing of personal data for a defined purpose. As mentioned above, providing guidelines and technical specifications to companies, or simply knowing that personal data is being processed through OpenRTB, does not amount to the level of control contemplated by the GDPR or prior case law to become a joint controller.
Finally, the complaint contends: “The argument that [OpenRTB] created by IAB is only a technical protocol which does not obligate particular companies to process data is ill-advised and not true. [OpenRTB] enables and facilitates the processing and dissemination of data as the protocols that are connected with [Open RTB] include certain fields that are so designed that they trigger transfers of data, including sensitive data....”
Notwithstanding such allegations, OpenRTB does not obligate companies to process personal data. None of the required fields to send a bid request per OpenRTB documentation contain personal data. Fields at issue in the complaint, such as the description of a URL’s content, geolocation, device identifier, and user agent string, are optional. This optionality makes sense because OpenRTB is used for activities outside of “behavioral advertising,” such as direct out-of-home and contextual advertising, and in such cases personal data is often irrelevant or not processed.
As mentioned above, the complaint conflates providing entities the capability to process personal data, or recommendations to process personal data (e.g., bid request examples and recommended fields within OpenRTB documentation) for added business value, with having the requisite control to decide what data shall be processed by a particular entity.
It seems evident that behavioral advertising critics desire IAB to amend OpenRTB so that no personal data is capable of being transmitted at all. In their singular focus to bring about this result, these parties advocate expanding the definition of controller so broadly as to render almost all companies in every industry as controllers.
If they succeed, although they may accomplish their own goals, they may also stop (or diminish) the willingness of technology providers and standards bodies to engage in the European market. Here, we should heed the Advocate General’s warning in the FashionID opinion that excessively expanding the scope of what constitutes a controller will create such a lack of clarity that it “...crosses into the realm of actual impossibility for a potential joint controller to comply with valid legislation.”
 The Complaint is filed against IAB Europe; however, IAB Tech Lab, rather than IAB Europe, promulgates the OpenRTB standard. For convenience, we use the term “IAB” throughout this article.
 All complaint quotes used herein are taken from a translation of such complaint.