Battle to stop adtech mass data breach heads to court

The five-year battle against Google’s real-time bidding online advertising system – branded the biggest data breach ever recorded – is heading to the Irish High Court this week, amid claims that without action everyone in Europe is at risk.

The move is the latest attempt by Dr Johnny Ryan, a long-term crusader against the adtech industry and former Brave executive, who is now a senior fellow at the Irish Council for Civil Liberties (ICCL).

The first complaint, filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office on behalf of tech start-up Brave, the Open Rights Group and University College London, was lodged in September 2018 and was aimed at triggering an EU-wide GDPR investigation into the practice.

Google’s real-time bidding (RTB) system decides which personalised ads will appear in front of people on millions of websites and apps.

Tracking firms representing advertisers receive detailed information from Google’s auction about people as they browse the web or use apps, so that each firm can bid on behalf of an advertiser for the opportunity to show personalised ads to specific people who the advertiser has identified as their intended target.

This RTB auction system is the primary means of showing ads online, and happens billions of times a day in the split seconds as web pages and apps are loaded.

ICCL maintains that Google’s RTB auction sends private information about what people are doing online and where they are physically located to over a thousand tracking companies. The organisation claims that, according to Google’s own technical documents, it even sends that information to companies in China and Russia.

There is no control over what any of these companies then do with the information they receive from Google. Nor is it possible to know who they sell it on to.

ICCL obtained industry data that it alleges shows a person in Ireland has their online activity and location exposed in this way 392 times a day on average by the RTB industry, in which Google is the dominant actor. It insists Google’s European totals are “staggering”, with people’s data exposed 42 billion times a day in Europe (and 31 billion in the US).

This enormous data breach repeats every day, exposing everyone to highly invasive profiling, ICCL insists, adding that it has evidence of the sale of RTB data by a data broker firm revealing Irish people’s sensitive health conditions, tied to Google. Other RTB data, not tied to Google, included a set of Irish people who were identified as sexual abuse survivors.

The firm is also alleged to have used RTB to influence an election in Europe. ICCL reported this to the Irish DPC; to ICCL’s knowledge, no action was taken.

But, for five years, the DPC has refused to investigate this primary concern. Instead, it bypassed the complaint and launched a separate investigation in 2019 that excluded the data breach from its scope.

The plaintiff in the case is Ryan, a senior fellow at ICCL. He said: “The DPC’s half-decade refusal to investigate Google’s massive data breach is inexplicable. We are asking the Irish High Court to order the DPC to finally do its job. Having worked in the RTB industry, I know how dangerous these data are when put in the wrong hands. Everyone in Europe is at risk when the DPC fails to protect our data rights.”

The court will hear the case for two days.
