Data Protection Commission accused of failing to act on ‘largest data breach ever’

21 Sep 2020

Image: © Prostock-studio/Stock.adobe.com

The Irish Council for Civil Liberties accused the Data Protection Commission of failing to act on a complaint about real-time bidding in advertising.

The Irish Council for Civil Liberties (ICCL) has released a report claiming the Irish Data Protection Commission (DPC) is failing to act when it comes to concerns about real-time bidding (RTB) systems in the online advertising industry.

RTB involves advertisers using data to target users with online ads. The ICCL described the practice as a “data breach at the heart of the online advertising sector” that allows illicit profiling of Irish people by data brokerage firms, including Google and others. This could enable Irish people’s health conditions, political views and whereabouts to be analysed and sold in a “dark data market”, it said.

The report claimed that this has led to electoral influence in Poland and profiling of Irish people with AIDS and other conditions. The ICCL alleged that it also goes against Article 5 of GDPR, which requires that personal data be kept secure.

‘Largest data breach ever recorded’

“RTB constantly broadcasts everyone’s online actions and where we are in the real world to a vast array of companies,” the ICCL said. “There is no technical limit on what those companies then do with our secrets or who they share them with.”

Dr Johnny Ryan, senior fellow of the ICCL, made a complaint to the DPC regarding RTB two years ago. In May 2019, the data watchdog then opened an investigation into the processing of personal data by Google Ireland’s Ad Exchange business.

“Today, two years after I formally notified the DPC about the RTB privacy crisis, my intimate data continues to be broadcast to countless companies through the RTB system. So does yours,” Ryan said.

Liam Herrick, executive director of the ICCL, added: “It is unacceptable that the largest data breach ever recorded should be permitted to continue more than two years after the DPC was made aware of it. Continued failure will further harm citizens and damage Ireland’s reputation.”

The ICCL report claimed that the industry profiles user data based on characteristics such as ‘infertility’, ‘STD’ and ‘conservative’. It also suggested that data brokers used RTB data to profile LGBTQ people to influence last year’s parliamentary election in Poland, tracked the movements of people in Italy during the lockdown and profiled Black Lives Matter protestors.

Ryan’s solicitor in Ireland, Gerard Rudden, said: “The scale of the data breach identified and exposed by Dr Ryan in his complaint is astonishing. The regulator has a duty to act with all due diligence. It is extremely concerning that two years have passed, during which time the problem has grown significantly and no decisive action seems to have been taken.”

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com