The online advertising industry has rejected claims made to data protection authorities that it is targeting and profiling users based on categories of highly sensitive personal data, in breach of EU law.
On Monday, Warsaw-based digital rights organisation the Panoptykon Foundation joined complaints filed with regulators in Ireland and the UK last September.
The complaints, including one to the Data Protection Commission in Ireland, were filed by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of web browser company Brave. The complainants said they had filed new evidence which shows how ad auction companies, including Google, "unlawfully profile internet users' religious beliefs, ethnicities, sexual orientation, diseases and disabilities".
They cited documents from Google and the Interactive Advertising Bureau showing categories purportedly used in real-time online ad bidding.
A spokeswoman for Google said: “We have strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories such as race, sexual orientation, health conditions, pregnancy status, etc. If we found ads on any of our platforms that were violating our policies and attempting to use sensitive interest categories to target ads to users, we would take immediate action.”
The Interactive Advertising Bureau, a trade group of more than 650 media and technology companies that sell digital advertising or deliver marketing campaigns, also rejected the complaints.
"As with previous submissions made by Brave et al, we believe that: the complaints are fundamentally misdirected at IAB Europe or the IAB Tech Lab; and they fail to demonstrate any breach of EU data protection law," the organisation said.
In a blog post, it said that technical standards developed by IAB Tech Lab were “intended to facilitate the effective and efficient functioning of technical online advertising processes, such as real-time bidding”.
“IAB Europe’s Transparency & Consent Framework helps companies engaged in online advertising to meet certain requirements under EU data protection and privacy law, such as informing users about how their personal data is processed. The responsibility to use technologies and do business in compliance with applicable laws lies with individual companies.”
IAB compared the complaints to being akin to "attempting to hold road builders accountable for traffic infractions" by motorists
IAB said the “content taxonomy” mapping document cited by the complainants did not, as they seemed to contend, “demonstrate that taxonomies of data types that would qualify as special categories of personal data (and are subject to stricter protections under EU data protection law) are used by individual companies”.
“Nor can it be considered to prove or demonstrate that any companies making use of those taxonomies are doing so without complying with applicable EU data protection or other law.”
IAB compared the complaints to being akin to “attempting to hold road builders accountable for traffic infractions” by motorists.
The body said a technical standard “may be misused to violate the law or used in a legally compliant way, just as a car may be driven faster than the speed limit or driven at or below that limit”.
“The mere fact that misuse is possible cannot reasonably be used as evidence that it is actually happening. And the whole purpose of the transparency and consent framework is to ensure it does not.”
The complainants stood over their position on Wednesday and said the IAB was proceeding “on a misunderstanding of the law and the facts”.