Dr. Johnny Ryan of the Irish Council for Civil Liberties (ICCL) is suing the Irish Data Protection Commission (DPC) over its failure to fully investigate a complaint that Google’s real-time bidding (RTB) system for online advertising was in violation of the General Data Protection Regulation (GDPR).
Google’s RTB system, which is used on millions of websites, broadcasts data about website visitors to tracking companies to allow advertisers to target individuals based on several criteria and show them tailored online advertisements. The system allows high-velocity trading of people’s data, but the ICCL maintains the system violates the GDPR, as private information about EU citizens is sent to tracking companies without their knowledge or consent, and there is no way for them to opt out.
Google has its EU headquarters in Dublin, which means the DPC is responsible for investigating any complaints about Google GDPR violations. Dr. Ryan filed a complaint with the DPC in September 2018 regarding the RTB system used by Google and IAB, and alleges the DPC delayed investigating the complaint into what the ICCL claims is the “the biggest data breach ever recorded.”
The DPC opened a formal inquiry into Google and the IAB in May 2019. This was an own-volition inquiry to establish whether the processing of personal data carried out at each stage of the advertising transaction is compliant with all appropriate provisions of the GDPR. The DPC will seek to establish if there is a legal basis for processing personal data, whether the principles of transparency and data minimalization were followed, and also Google’s data retention practices.
Ryan’s 2018 complaint against the RTB is far from the only complaint filed over the system. Others have challenged the legal basis for processing user data and other potential GDPR violations. Ryan’s complaint is focused on security, and the DPC made no mention of investigating security issues in its inquiry. The issue is the RTB system broadcasts sensitive user data – including browsing history, device IDs, location, and more – to intermediaries, and there is no way for users to control who receives that data and how it is used.
“The DPC was created to protect us against the illegal collection and use of intimate data about us but it has failed to act in this landmark case, despite the passage of three and a half years and having detailed evidence of Google’s massive and ongoing data breach,” said Ryan. “This is a really nice, crisp, clear example of the DPC having Europe-wide responsibility for a really big issue that affects everybody – everyone – and it’s not some small thing. And they haven’t done anything. So, there isn’t really anything that I could do – we have to sue them.”
The DPC has attracted considerable criticism for its failure to act against big tech companies that have their base in Dublin. There have been several accusations that the DPC is failing in its responsibility to enforce compliance with the GDPR. Facebook whistleblower Frances Haugen recently called for Ireland to launch an independent review of the DPC regarding its GDPR enforcement activities, and Ryan has filed a complaint with the EU Ombudsman alleging the EU has failed to monitor the DPC’s application of the GDPR in the country.