Often it can seem that the battle to protect online privacy is hopeless, as companies gather ever-more data about us as we move around the internet. But in the background, the fightback is underway. It’s happening on multiple fronts, and it’s happening slowly, but it is definitely happening.
For example, back in 2017, Privacy News Online wrote about a statement by Belgium, France and the Netherlands that Facebook broke their privacy laws. After years in the lower courts, the Belgian case reached the Court of Justice of the European Union (CJEU), the EU’s highest court. Interestingly, the case was not about Facebook’s actions themselves, but about whether or not Belgium’s Data Protection Authority has the power to investigate those actions. That might seem to be a strange question, but it relates to the way that the EU’s General Data Protection Regulation (GDPR) works. This specifies a “one-stop shop” rule, whereby generally only the data protection authorities in the jurisdiction where a company has its European headquarters can bring an action. The idea here is to prevent the situation where the many data protection authorities across the EU bring the same case. Instead, there is a “lead supervisory authority” that handles the case in conjunction with other data protection authorities.
As the press release on the CJEU’s decision summarizes, “Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing.” Unfortunately, the court fails to define exactly what those “certain conditions” might be, making the judgment unhelpfully vague in this respect. Still, the most important aspect is that the court has not said that only the lead supervisory authority can bring cases against companies allegedly infringing the GDPR: that opens up the possibility of more national authorities doing so, and helping to define the limits of this approach. That, in its turn, is important given the high-profile failure of the Irish Data Protection Commission (DPC) to move forward quickly with the many important GDPR cases it is considering. The fact that other data protection authorities can bring cases may put more pressure on the DPC to start handing out fines, and big ones, or see itself sidelined by actions in other countries. As this blog explained in May, that’s already happening in Germany.
Belgium is defending online for privacy on another front. Last year, the Belgian data protection authority wrote a critical report about the use of real-time bidding (RTB). As this blog noted, the report was forwarded to the agency’s “litigation chamber”. A few days ago, one of the people involved tweeted that things have finally moved on and the case is now being heard by the chamber. That action is specifically against the Interactive Advertising Bureau Europe (IAB Europe) over its Transparency and Consent Framework (TCF), which is used to gather consent for ad trackers. It’s designed to help digital advertisers comply with the GDPR, but the Belgian data protection authorities see it as more of a surveillance infrastructure because of the way that RTB works.
The Irish Council for Civil Liberties (ICCL) couldn’t agree more. Announcing a major legal action against RTB, the ICCL says:
The online advertising industry is governed by reckless and harmful rules set by IAB TechLab, the industry trade body. IAB TechLab’s members include big tech (Google, Facebook, Amazon…), data brokers (Equifax, Experian, Acxiom…), advertising agencies (Groupm, Publicis, IPG…).
It is headquartered in New York. But being in New York does not protect IAB TechLab from European law. Nor does it protect the thousands of companies that use IAB TechLab’s rules to share and trade our most intimate secrets.
IAB TechLab has a European presence in Hamburg. ICCL approached Spirit Legal, a German law firm, to act against IAB TechLab and two other defendants that use its systems at the Landgerichte Hamburg.
According to the IAB TechLab Web site:
Where IAB in the US and internationally is focused on the local market and its business needs the IAB Tech Lab is a global, non-profit, research and development consortium focused on promoting common technology to the digital advertising supply chain. In pursuit of global adoption, IAB Tech Lab collaborates with our members to bring software tools, reference code, and technology certifications to market that help companies implement correctly and efficiently against global industry technical standards.
The lawsuit has been brought by Johnny Ryan, Senior Fellow of ICCL. Privacy News Online wrote about his work on RTB last September, which was a prelude to the new legal action. The ICCL press release on the RTB lawsuit mentions another interesting development in this area: the new “Anti-tracking ads coalition” of the European Parliament will announce efforts to introduce a law to stop online ads from tracking people as described in ICCL’s lawsuit. The coalition has its own website with more information.
The EU has just launched an antitrust investigation of Google over its online advertising. This is an important step, because the EU currently leads the way on privacy protection, and its laws have global ramifications. But in the US, too, there is a growing movement to tame the rampant RTB. Earlier this year, Google was hit with a privacy suit over its use of RTB. And a recent opinion piece in the New York Times by Dina Srinivasan suggested giving “a federal agency like the Federal Trade Commission the power to police conflicts of interest and pass rules against self-dealing in emerging exchange markets like advertising.” Meanwhile, an international coalition has called for action against surveillance-based advertising, and produced a report outlining the case against commercial surveillance online. Things are definitely moving.
Featured image by Basile Morin.