The ICCL claims Google’s real-time bidding system is ‘the biggest data breach ever recorded’ and is in violation of GDPR.
Ireland’s Data Protection Commission (DPC) has been issued a High Court challenge over claims the watchdog has failed fully to investigate a complaint about Google’s real-time bidding (RTB) system for online advertising.
The action is being brought by Dr Johnny Ryan of Irish Council for Civil Liberties (ICCL), which has described RTB as “the largest data breach ever” as it is used on millions of websites and broadcasts data to tracking companies “billions of times a day”. The organisation claims this system is in breach of GDPR.
RTB is the process where user data is bought and sold by online advertisers, and determines the ads a person will see when a website or app loads based on their personal data. The ICCL claims this system can broadcast private information about an individual to more than a thousand tracking companies “in a split second”.
Ryan made a complaint to the DPC in September 2018 about the RTB process used by Google and IAB, and claims there has been a delay in investigating the matter. As Google’s EU headquarters are based in Dublin, the Irish watchdog is the lead data supervisor for the company under GDPR’s ‘one-stop shop’ mechanism.
“The DPC was created to protect us against the illegal collection and use of intimate data about us,” Ryan said in a statement today (15 March). “But it has failed to act in this landmark case, despite the passage of three and a half years and having detailed evidence of Google’s massive and ongoing data breach”.
The ICCL said the DPC created a “statement of issues” on what it will investigate on 12 January this year, but data security – “the critical issue of the complaint” – was excluded.
The DPC, in correspondence with Ryan’s lawyers, denied that it has delayed handling the complaint.
Previous criticism
The ICCL has regularly criticised the online advertising industry’s practices, and specifically RTB, over data privacy issues. It has also criticised the DPC for how it handles GDPR complaints against Big Tech.
As well as Google, the DPC acts as the EU’s lead data supervisor for several major US tech players that have European headquarters in Ireland.
Ryan told an Oireachtas Joint Committee on Justice last April that the DPC had failed to resolve 98pc of cases important enough to be of concern across the EU and that the country had become a “bottleneck of GDPR investigation and enforcement”.
He also recently made a complaint to the EU Ombudsman, alleging that the European Commission had failed to properly monitor the DPC’s application of GDPR in the country.
Enforcement of GDPR has attracted a lot of criticism since the data protection regulations came into force in 2018. Last December, a senior European Commission official warned that the EU’s privacy rules may need to change, with more power put in the hands of EU institutions, if enforcement is not effective.
At a Joint Oireachtas Committee meeting last month, Facebook whistleblower Frances Haugen called for a review of the DPC and claimed the Irish regulator is “widely considered” to have stepped back in its responsibilities in enforcing GDPR.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.