Two years since the first realtime bidding (RTB) complaints were lodged, regulators’ failure to act is allowing Google and IAB Europe to perpetuate the “biggest data breach of all time”, with abuse even more widespread and consumers’ highly personal details up for grabs tens of billions of times a day.
That is the damning conclusion of a new dossier of evidence on the adtech industry drawn up by the Irish Council for Civil Liberties (ICCL), which claims the breach is not only continuing, it is growing exponentially, while regulators seemingly sit on their hands, unwilling to act.
The original complaint, filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office on behalf of tech start-up Brave, the Open Rights Group and University College London, was lodged in September 2018 and aimed at triggering an EU-wide GDPR investigation into the practice.
And while the ICO has been in the firing line for its failure to act, given the ICCL’s location it is perhaps unsurprising the organisation is now turning its guns on the Irish DPC.
The regulator opened its investigation into Google’s online Ad Exchange in May 2019, but the case remains unresolved and Johnny Ryan, the former chief privacy director at Brave, has taken up the fight in his new role as ICCL fellow.
In the report, Ryan writes: “September 2020 marks two years since my formal complaint to the Irish DPC. This submission demonstrates the consequences of two years of failure to enforce.”
Among the allegations in the report are that Google’s RTB system sends data to 968 companies, while just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year alone.
Meanwhile, the ICCL claims to have unearthed serious breaches of consumers’ data rights, with firms flogging so-called “special category personal data” willy-nilly.
For instance, one data broker is alleged to have used RTB data to profile people to influence the 2019 Polish Parliamentary Election by targeting the LGBTQ+ community; another uses RTB data to target people in Ireland profiled in a “substance abuse” category, with other health condition profiles offered by the same broker available via Google including “diabetes”, “chronic pain” and “sleep disorders”.
In addition, the system approved by industry trade body IAB Europe is alleged to allow users to target Irish consumers profiled in an “Aids & HIV” category based on a data broker profile built with RTB data, and other categories from the same data broker include “incest & abuse support”, “brain tumor”, “incontinence” and “depression”.
Finally, a data broker that illicitly profiled Black Lives Matter protesters in the US has also been allowed to gather RTB data about Europeans, while the industry template for profiles includes intimate personal characteristics such as “infertility”, “STD” and “Conservative” politics.
The report states: “Google’s RTB system now sends people’s private data to more companies, and from more websites than when the Irish DPC was notified two years ago. A single ad exchange using the IAB RTB system now sends 120 billion RTB broadcasts in a day, an increase of 140% over two years ago.
“RTB operates behind the scenes on websites and apps. It constantly broadcasts the private things we do and watch online, and where we are in the real-world, to countless companies. As a result, we are all an open book to data broker companies, and others, who can build intimate dossiers about each of us.”
In response to the report, Google said: “We enforce strict privacy protocols and standards to protect people’s personal information, including industry-leading safeguards on the use of data for realtime bidding.
“We do not allow advertisers to select ads based on sensitive personal data and we do not share people’s sensitive personal data, browsing histories or profiles with advertisers. We perform audits of ad buyers on Google’s ad exchange and if we find breaches of our policies we take action.”
IAB Europe has yet to comment on the findings but Irish DPC deputy commissioner Graham Doyle said in a statement: “Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the DPC. The investigation has progressed and a full update on the next steps provided to the concerned party.”
However, Ryan insists he has “no idea” what the Irish DPC means by a “full update”. On its pledge to provide the “next steps”, he said the regulator informed him it will produce a document setting out what it believes the issues are within four weeks of the ICCL’s letter, dated September 15.