Transcription

Hamburg District Court
Sievekingplatz 1
20355 Hamburg

21/181/PHE/THB/ENK/CSC
Attorney Peter Hense, Attorney Tilman Herbrich and Attorney Elisabeth Niekrenz

Leipzig, 15.04.2021

Lawsuit

by Dr Johnny Ryan, Irish Council of Civil Liberties, Unit 11, First Floor, 34 Usher's Quai, Dublin 8, D08 DCW9
- Plaintiff -

Litigation Counsel: Spirit Legal Fuhrmann Hense, Neumarkt 16-18, 04109 Leipzig, Partnership of Lawyers

1. IAB Technology Laboratory, Inc., 116 East 27th Street 7th Floor, New York, NY 10016, USA, represented by vonwersch Digital Strategies GmbH, Grindelhof 69, 20146 Hamburg, Germany, represented by Oliver von Wersch, Managing Director.
- Defendant 1 -

The partners of Spirit Legal Fuhrmann Hense Partnerschaft von Rechtsanwälten are attorney Peter Hense and attorney Sabine Fuhrmann.

2. Xandr, Inc., 28 West 23rd Street, Fl. 4, New York, NY 10010, USA, represented by AppNexus Germany GmbH, Große Elbstraße 43, 22767 Hamburg, Germany, represented by Managing Directors Charles Brian O'Kelley, Michael Rubinstein, and Michiel Nolet.
- Defendant 2 -

3. OnlineMarketing.de GmbH, Ludwig-Erhard-Straße 14, 20459 Hamburg, Germany, represented by the Managing Director Marc Stahlmann
- Defendant 3 -

because of: Data breaches

Amount in dispute (preliminary): EUR 10,000.00

In the name of and on behalf of the plaintiff, we bring this action and will request at the hearing:

The defendants are ordered to avoid a fine to be set by the court for the case of infringement - in lieu of imprisonment - or imprisonment for up to six months (fine in individual cases not exceeding EUR 250,000.00, imprisonment for a total of not more than two years), to be enforced on their legal representatives,

to refrain from,

1. processing personal data of the plaintiff without appropriate security measures in accordance with art. 32 of the GDPR,
if this is done, as set out in Annex K 1;

2. processing personal data of the plaintiff without providing the plaintiff in a transparent and comprehensible and easily accessible form with the obligatory information under data protection law pursuant to art. 12 para. 1, 13 and 26 para. 2 sentence 2 GDPR,
if this is done as shown in Annex K 2;

3. processing the plaintiff's personal data without a legal basis,
if this is done, as set out in Annex K 3;

4. transferring personal data of the plaintiff to the United States without
a. an adequacy decision pursuant to art. 45 GDPR,
b. appropriate safeguards in accordance with art. 46 of the GDPR, or
c. an exception in accordance with art. 49 GDPR.

In the event that the written preliminary proceedings are ordered, we immediately request the

Issuance of a default judgment pursuant to section 331 Zivilprozessordnung (ZPO, Code of Civil Procedure) if the defendants do not indicate their willingness to defend in due time.

TABLE OF CONTENTS

A. FACTS
  I. The parties
    1. The plaintiff
    2. Defendant 1
    3. Defendant 2
    4. Defendant 3
  II. Concerning motion 1
    1. General functioning of Real Time Bidding
    2. Role of the respective standards
      a) OpenRTB
      b) AdCOM
      c) Content Taxonomy
      d) Audience Taxonomy
    3. Processing of personal data of the plaintiff, triggered by visiting the website of defendant 3
      a) Real-time auction via "OpenRTB API Specification Version 2.4"
      b) Real-time auctioning via OpenRTB API Specification Version 2.5
      c) Real-time auctioning by means of "OpenRTB Specification v3.0"
    4. Lack of technical and organizational measures to ensure security in OpenRTB
      a) the extent of the data processing operations
      b) The IAB Transparency & Consent Framework
      c) The assumption of general compliance
    5. Responsibilities of the defendants
      a) contributions by the 1st defendant
        aa) organisation of data processing
        bb) Coordination of data processing
        cc) Encouraging data processing
        dd) Facilitation of data processing
      b) contributions by the 2nd defendant
      c) contributions by the 3rd defendant
  III. Concerning motion 2
    1. Information provided
    2. Contributions by the defendants
  IV. Concerning motion 3
    1. Processing of particularly sensitive data triggered by visit to defendant 3's website: "Does my job put my health at risk?"
    2. Processing of particularly sensitive data relating to the applicant
      a) Location
      b) Viewed online content
        aa) Website currently under consideration
        bb) Data classified by means of content taxonomy
        cc) Data classified by means of audience taxonomy
      c) Consent String Record
      d) Extensions
      e) Sensitive data of the plaintiff were processed.
    3. No request for explicit consent for special categories of personal data
    4. Contributions by the defendants
  V. Concerning motion 4
    1. Transfer of data to third countries
    2. Contributions by the defendants

B. LEGAL ASSESSMENT
  I. Admissibility of the action
    1. International jurisdiction of the Hamburg Regional Court
    2. Local and subject-matter jurisdiction of the Hamburg Regional Court
  II. Merits of the action
    1. Burden of proof of the defendant
    2. Joint data protection responsibility of the defendants
      a) Broad interpretation of the concept of liability
      b) Liability of the defendant
        aa) Criteria of the ECJ case law on actual influence on the purposes and means of processing
        bb) Enabling, coordinating, promoting and facilitating as effective influence
        cc) Joint decision on the means and purposes of processing
    3. Joint tortious liability of the defendants under section 830 BGB
      a) complicity of the defendants in the joint action
      b) Incitement of the 1st defendant equates to complicity
    4. Merits of request 1
      a) Claim under sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 5 para. 1 lit. f, 24 para. 1, 32 para. 1 GDPR
      b) Claim under sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 83 para. 4 lit. a GDPR in conjunction with section 41 para. 1 BDSG
    5. Merits of request 2
      a) Claim based on sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 12 para. 1, art. 13 para. 1 and para. 2 GDPR or art. 26 para. 2 sentence 2 GDPR
      b) Claim under sections 823 para. 1, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 2 para. 1 in conjunction with art. 1 para. 1 GG
    6. Merits of motion 3
      a) Claim based on sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 9 para. 1 and para. 2 GDPR
      b) Claim from sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogue in conjunction with section 15 para. 3 TMG in conjunction with art. 6 para. 1 p. 1 lit. a GDPR
        aa) Mandatory consent requirement for the processing at issue
        bb) Ineffective consent mechanism on the website of the defendant 3
        cc) Blocking effect for the application of art. 6 para. 1 sentence 1 lit. f GDPR
      c) Claim under sections 823 para. 2, 1004 para. 1 sentence 2 BGB analogously in conjunction with art. 5 para. 1 lit. f, 32 para. 1 GDPR
    7. Merits of motion 4

JUSTIFICATION

A. Facts

The plaintiff objects to the processing of his personal data in the context of the sending of personalised online advertising. Through the challenged system Real Time Bidding (RTB), extensive information about the private online behaviour of people, including the plaintiff, is sent to thousands of companies. Real Time Bidding involves automated auctions for the advertising spaces on a website that occur in real time while it is loading.

Users can thus be tracked in their user behaviour.

The rules of Real Time Bidding are defined worldwide by technical standards called “OpenRTB”, “AdCOM”, “Content Taxonomy” and “Audience Taxonomy”.

The OpenRTB protocol generated 6.7 billion in revenue in Europe in 2019 [IAB Europe, sing-Spend2019-Report.pdf, last accessed 07.04.2021].

The action is directed against the subsidiary organisation of a trade association of the online advertising industry which, by providing the technical standards, significantly coordinates, organises, enables and encourages the challenged processes (1st defendant), against a company which operates a platform for the purchase and sale of online advertising space (2nd defendant), and against the operator of an online medium on whose website corresponding technologies are used (3rd defendant).

Real Time Bidding violates applicable data protection law millions of times every day. Even one of the inventors of Real Time Bidding and former managing director of the 2nd defendant, Brian O'Kelley, assumes that the technology is not compatible with the GDPR [Schiff, RTB RIP? The Writing Could Be On The Wall For Real-Time Bidding In Europe, Ad Exchanger, Aug. 06, 2019, available at: -europe/, last accessed on Apr. 01, 2021; Itega, RTB inventor says today's ad-tech is dead, IAB can't help, and it's time to help publishers build atop privacy, available s/, last accessed on Apr. 01, 2021].

A class action lawsuit was filed in the U.S. in May of this year against Google's Real Time Bidding system [Davis, Google Hit With Privacy Suit Over Real-Time Bidding, Media Post, Mar. 29, 2021, available at: din.html, last accessed Apr. 06, 2021].

I. The parties

1. The plaintiff

The plaintiff is an Irish citizen and a Senior Fellow of the Irish Council for Civil Liberties, which has been involved in the protection of fundamental rights for 45 years. He has previously worked in advertising technology, the media industry and for a company which operates a web browser. He has written two books on Internet technologies. The plaintiff has extensive insight into how Real Time Bidding works.

He has been consulted by the EU Commission and the US Senate on the dangers for website visitors of processing personal data in the course of auctioning online advertising space [see https://www.iccl.ie/staff/dr-johnny-ryan/]. His research and commentary appear in media such as The New York Times, The Economist, Wired, Le Monde and on the front page of the Financial Times.

2. Defendant 1

The 1st defendant is an international association of media and technology companies engaged in digital advertising. The 1st defendant's members include technology companies such as Google, Facebook, and AT&T, among others.

Offer of Proof: Partial printout of the 1st defendant's website as of 03/23/2021 regarding IAB Tech Lab Members, available at: ech-labq-members/, last accessed 03/23/2021, presented as Annex K 4

The 1st defendant develops and promotes technologies and technical standards for fully automated personalized online advertising, including the basic technical standard OpenRTB, which is substantiated by the further technical standards AdCOM, Content Taxonomy, and Audience Taxonomy. These standards form the framework for the global functioning of the targeting of personalized advertising media in the real-time auction of online advertising space on websites and in apps. In addition to developing these standards and protocols, the defendant also supports companies in their implementation.

The 1st defendant is operationally active in Europe through a German company, namely vonwersch Digital Strategies GmbH. Its managing director, Oliver von Wersch, and his employees oversee key areas of the defendant's activities in Europe:

"[.] The Founder and CEO of vonwerschpartner, Oliver von Wersch, will oversee key aspects of Tech Lab operations in the EU and UK. The overall vonwerschpartner organization will support Tech Lab with a cross-functional team of project managers and ad tech specialists to effectively serve the needs of the region."

"Working with vonwerschpartner will help us build stronger, lasting relationships throughout Europe. As a global organization, it is crucial that we connect regularly with a broad range of members to understand their needs, share new developments, and facilitate standards adoption. [ ]”

Offer of Proof: Partial printout of 1st defendant's website, press release dated 09/06/2020, available at: reasesinvestment-presence-in-europe/, last accessed 12/02/2021, presented as Annex K 5

Three employees of vonwersch Digital Strategies GmbH are assigned to the business premises in Hamburg to represent and implement the interests of the 1st defendant in Germany. They manage the main components of the operative business of the 1st defendant in Europe. These are sales and communication activities of the 1st defendant vis-à-vis members and departments of the IAB, Inc. in Europe as well as vis-à-vis the public, the involvement of European companies in the development of the standards and the organization of exchange meetings of the members concerning the implementations of the 1st defendant's technical standards.

"[.] What we do
vonwerschpartner Digital Strategies represent IAB Tech Lab in Europe, with a dedicated staff of 3 people. We support the client in building up and extending long-term market relationships, e.g. with local IABs, develop strategic cooperations, represent the client on local events through panels and speeches, and support the engagement of (new) members.
Since the beginning of our mandate, we have significantly increased the awareness for Tech Lab's activities in Europe, and improved the active involvement of European companies, and other entities into the technology development processes (e.g. Project Rearc). [ ]“

Offer of Proof: Partial printout of vonwersch Digital Strategies GmbH website as h-lab, last accessed 02/12/2021, p. 4, presented as Annex K 6

The 1st defendant's website states that this has significantly increased awareness of the work of the IAB TechLab in Europe and that this has improved the active involvement of European companies and other institutions in the technology development processes. The 1st defendant has publicly acknowledged that the engagement with vonwersch Digital Strategies GmbH is to facilitate the adoption of standards, and that this is done on the instructions of the 1st defendant ("on behalf of IAB Tech Lab").

Offer of Proof: Partial printout of 1st defendant's website, European Communication Groups, as of 03/23/2021, available at: https://iabtechlab.com/eea/, last accessed 03/23/2021, presented as Annex K 7

3. Defendant 2

The 2nd defendant operates a technology platform which enables the purchase and sale of “inventory”, i.e. advertising space on websites from several advertising networks (hereinafter “advertising exchange” or “online advertising exchange”).

The 2nd defendant is a member of the 1st defendant (see partial printout of the 1st defendant's website dated 23/03/2021 via IAB Tech Lab Members, available at: https://iabtechlab.com/about-the-iab-tech-lab/iab-tech-lab-members/, last accessed 23/03/2021, already submitted as Annex K 4).

Advertising Exchanges (online advertising exchanges) give access to an additional marketing channel for publisher websites (websites with advertising space), marketers (agencies) and ad networks, thus enabling advertisers to access advertising space from multiple website providers. In doing so, the second defendant in turn uses technology platforms that enable the automated and auction-based purchase of online advertising and its automated control in real time [see "Glossary" of the Bundesverband Digitale Wirtschaft (BVDW) e.V. of 23.03.2021, available at: https://www.bvdw.org/glossar/, last accessed on 23.03.2021].

The 2nd defendant is identified as a controller for the processing of personal data in the data protection notices for the platform of the online advertising exchange Xandr.

Offer of proof: Partial printout of the website of Xandr, Inc., Platform Privacy Policy, om/privacy/platform-privacy-policy/, last accessed 4/14/2021, presented as Annex K 8

The 2nd defendant maintains subsidiaries worldwide. These include, among others, the wholly owned subsidiary AppNexus, Inc. (28 West 23rd Street New York, NY 10010 USA). AppNexus, Inc. holds 100% of the shares in AppNexus Germany GmbH, a subsidiary based in Hamburg. According to the corporate purpose of AppNexus Germany GmbH, which is shown in the commercial register, the German branch is responsible for "The sale of, account management for, marketing of and implementation of real-time advertising technologies, in particular those of the shareholder AppNexus Inc. as well as the corresponding customer support and other related services".

Offer of proof: Printout of the extract from the commercial register of defendant 2 dated 23.03.2021, presented as Annex K 9

The 2nd defendant is responsible for the implementation of the technical standards OpenRTB, AdCOM, Content Taxonomy, and Audience Taxonomy, of the 1st defendant in Germany.

Defendant 2 is a subsidiary of WarnerMedia, a branch of the US telecommunications provider AT&T with an annual turnover of USD 171 billion in 2020 [see Key figures of AT&T, available at: https://www.finanzen.net/bilanz guv/at t, last accessed on 06.04.2021].

4. Defendant 3

The 3rd defendant operates an information service on the topics of online marketing and e-commerce under the website with the URL https://onlinemarketing.de. Reports on current developments in the industry appear there. It also sells marketing services via this website, inter alia in the form of advertising space, paid contributions or e-mail advertising.

On Sept. 05, 2019, an article was published on defendant's website titled "Privacy Scandal: Secret Google Websites to Sell User Data?" reporting on plaintiff's activities.

Offer of Proof: Partial Printout of 3rd defendant’s website, Gau, Secret Google Websites eheimegoogle-websites-verkauf-nutzerdaten, last accessed Apr. 14, 2021, presented as Annex K 10

II. Concerning motion 1

In the following, the general processes of Real Time Bidding (1.) as well as the function of the individual challenged standards are explained (2.). This is followed by a description of the processing of the plaintiff's personal data that is the subject of the dispute (3.). Then the deficits of the data security of the processing are described (4.). Finally, the responsibility contributions of the individual defendants follow (5.).

1. General functioning of Real Time Bidding

Real Time Bidding takes place behind the scenes of commercial websites and apps. When a data subject accesses a website such as that of the 3rd defendant, which participates in Real Time Bidding auctions according to the 1st defendant's specifications, each advertising space on a website is allocated by an automated auction in real time, on the basis of the data subject's precisely fitting personal data.

Defendant 1's system works as follows: Supply Side Platforms (SSPs) use defendant 1's technical standards to send out requests for bids on advertising space on the website. This bid request contains a variety of personal information about the person who loads the website or app.

SSPs and online advertising exchanges that enable the buying and selling of advertising space from multiple advertising networks (Advertising Exchanges), such as the 2nd defendant, send this personal data to a large number of other companies called Demand Side Platforms (DSPs) that act on behalf of advertisers.

There may also be auctions of auctions, in which several online advertising exchanges (Advertising Exchanges), such as that of the 2nd defendant, each send bid requests to a large number of companies to solicit bids for a single advertising space (so-called header bidding).

Offer of Proof: Entire printout of defendant 1's website, Standard Header Container Integration with an Ad Server, as amended June 2017, available anAdServer resented as Annex K 11

When an SSP sends a bid request about a particular individual to a DSP, possibly through an online advertising exchange, DSPs then decide whether, and how much, to bid for the opportunity to display an advertisement to that individual, based on the information they received in the bid request.
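The bid request described above can be inspected field by field. The following Python audit is an added example and is not part of the filing or of the 1st defendant's specifications: it walks a constructed bid request that uses OpenRTB 2.x attribute names, reports which attributes relate to the person loading the page, and produces a minimised copy without them. The sample request, all of its values and the category labels are assumptions made for illustration.

```python
import copy
import json

# OpenRTB 2.x bid request attributes that relate to the person loading the
# page. The category labels are this example's own grouping (an assumption).
PERSONAL_FIELDS = {
    "user.id": "identifier",
    "user.buyeruid": "identifier",
    "device.ifa": "identifier",
    "device.ip": "network address",
    "device.ipv6": "network address",
    "device.ua": "device description",
    "device.geo.lat": "location",
    "device.geo.lon": "location",
    "site.page": "content viewed",
    "site.cat": "content viewed",
    "user.yob": "demographics",
    "user.gender": "demographics",
}

# Constructed sample request; every value is made up for illustration.
SAMPLE = json.loads("""
{
  "id": "req-constructed-001",
  "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
  "site": {"domain": "publisher.example",
           "page": "https://publisher.example/articles/job-and-health",
           "cat": ["IAB7"]},
  "device": {"ua": "Mozilla/5.0 (constructed)", "ip": "203.0.113.7",
             "ifa": "00000000-0000-4000-8000-000000000001",
             "geo": {"lat": 53.55, "lon": 9.99, "country": "DEU"}},
  "user": {"id": "ssp-user-constructed-42",
           "buyeruid": "dsp-user-constructed-42"}
}
""")

def lookup(obj, dotted):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit_bid_request(req):
    """List (path, category, value) for each personal-data field present."""
    return [(path, cat, lookup(req, path))
            for path, cat in PERSONAL_FIELDS.items()
            if lookup(req, path) not in (None, "", [])]

def minimise(req):
    """Return a copy with every flagged field removed; the input is untouched."""
    out = copy.deepcopy(req)
    for path in PERSONAL_FIELDS:
        *parents, leaf = path.split(".")
        holder = lookup(out, ".".join(parents))
        if isinstance(holder, dict):
            holder.pop(leaf, None)
    return out

if __name__ == "__main__":
    for path, cat, value in audit_bid_request(SAMPLE):
        print(f"{cat:18} {path:16} {value!r}")
    print(json.dumps(minimise(SAMPLE), indent=2))
```

Run against the constructed sample, the audit reports nine populated attributes across five categories; the minimised copy keeps only the request id, the impression object, the site domain and the country code.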

In less than a second (less than 200 milliseconds), the ad that won the auction is loaded on the website. This process can take place several times while a website is loading, to auction each of the advertising spaces available on the specific website.

The following diagram, prepared by the international weekly newspaper The Economist in collaboration with plaintiff, shows the flow of information from an IAB OpenRTB auction that takes place to a
