New documents filed by privacy advocates claim the Internet Advertising Bureau (IAB) Europe and Google knowingly violated General Data Protection Regulation (GDPR) privacy laws.

The evidence focuses on the IAB Tech Lab’s OpenRTB ad system, claiming that it is illegal under GDPR, which is intended to protect personal data and privacy for individuals in the European Union.

The complaints allege that programmatic advertising using real-time auctions, specifically the IAB Tech Lab’s OpenRTB protocol, are inherently incompatible with EU data protection law.

They allege that the use of OpenRTB entailed large-scale and uncontrolled release of personal data without the user being aware. It also suggested that IAB Europe’s Transparency & Consent Framework (TCF) facilitates the breaches.

The documents were filed Tuesday with data protection authorities in the UK and Ireland.

In a response to the filing, the IAB Europe said in a blog post:

“These claims are not only false but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream.” 

The post suggests that IAB Europe has consistently tried to outline the arguments and correct information, but that privacy advocates have chosen to ignore the facts, bringing more inaccurate information to support their case.

“Their errors of omission could therefore be characterized as either misrepresentations or just fabrications,” states IAB Europe.

It’s not clear whether those who make the claim truly understand the process of sharing data from searches or clicks, as well as data collection and ad serving, or whether the system really does violate the rules.

One report points to new evidence that IAB Europe CEO Townsend Feehan knew back in 2017 that the RTB system would violate GDPR laws, which went into effect in 2018.

But in an email to the European Commission Directorate General for Communications Networks, Content and Technology, Feehan wrote that it would be “technically impossible” to “be incompatible with consent under GDPR.”