Last week we reported about a decision of the French Data Protection Authority - the CNIL - imposing a €50 million fine on Google for alleged infringement of the European data protection rules. This, however, does not seem to be the end of Google's headaches. Earlier this week, a Polish NGO - Panoptykon - filed a complaint against the company with the President of the national Personal Data Protection Office.
Besides the complaints' addressee the two cases do not seem to have much in common. As a matter of fact, Google is not the only entity against which Panoptykon complained. A separate complaint was lodged against IAB Europe, an industry association in the field of interactive marketing. Both complaints concern the functioning of the market for online behavioural advertising, in which, according to Panoptykon, IAB and Google are key players.
The developments in Poland are a direct follow-up to the two complaints lodged last September in Ireland and the UK by Brave ("a privacy-focused web browser" set up by Mozilla's co-founder Brendan Eich) and Open Rights Group. Their focus remains on the real-time bidding (RTB) system used in the advertising market, which the applicants believe to infringe General Data Protection Regulation on at least several counts (for a rough explanation of the system see a video uploaded by... the IAB itself; further reference can be made to a report by Johnny Ryan of Brave). Key arguments of the complaining organisations concern the lack of a valid legal basis, including for the processing of sensitive data, failure to ensure data security, and the lack of appropriate control tools for data subjects (e.g. to verify and correct their marketing profiles).
Not surprisingly, Panoptykon's campaign has met with animated reactions. The President of IAB Poland drew a parallel to complaining against "a car producer for [producing cars] having technical abilities of breaking traffic rules, like exceeding speed limits or parking in restricted areas". He recalled the Transparency & Consent Framework created by the association with the aim to "help the businesses [involved in the ecosystem] to comply with applicable law". He also insisted that the RTB system is by no means "directed" by IAB Europe. Panoptykon, on the other hand, described the association as a "standard-setter" who, sticking to the traffic metaphor, "laid down the rules to be followed on its private roads in a way that makes it impossible to drive safely".
All eyes are now on the Polish DPO, who is widely regarded as an expert in the field. Panoptykon encourages the authority to engage in a joint operation with its British and Irish counterparts based on Article 62 of the GDPR. Thus, similarly to the French proceedings, the commented case seems like an important test for the GDPR's procedural framework.