Court rejects claim Google 'data breach' is being ignored

The five-year battle against Google’s real-time bidding online advertising system – branded the biggest data breach ever recorded – has taken yet another twist after the Irish High Court has thrown out the claim.

The move was the latest attempt force the industry to change by Dr Johnny Ryan, a long-term crusader against the adtech industry and former Brave executive, who is now a senior fellow at the Irish Council for Civil Liberties (ICCL).

The first complaint – filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office – on behalf of tech start-up Brave, the Open Rights Group and University College London was lodged in September 2018, aimed at triggering an EU-wide GDPR investigation into the practice.

Google’s real-time bidding (RTB) system decides which personalised ads will appear in front of people on millions of websites and apps and Ryan claims the auction sends private information about what people are doing online and where they are physically located to over a thousand tracking companies. The organisation claims that, according to Google’s own technical documents, it even sends that information to companies in China and Russia.

But the High Court has dismissed the claim that the Irish Data Protection Commission (DPC) had failed to fully investigate the complaint.

In a written judgment, Mr Justice Garrett Simons dismissed the action on the grounds the DPC was entitled to conduct its own inquiry into the alleged data breach, which the commission has opted to do, before resuming its investigation into Dr Ryan’s complaint.

Dr Ryan had claimed there was a failure to investigate the matter, which, he says, breaches the requirements of both the 2018 Data Protection Act and GDPR.

While the DPC had opened its own volition inquiry into the alleged breach, Dr Ryan was concerned that issues identified by him were not being considered as part of the DPC’s own probe.

The DPC, represented by Joe Jeffers SC, said that it opened an inquiry on its own volition in 2019, which it says is ongoing. The DPC said it will complete its own inquiry before resuming Dr Ryan’s complaint.

The Commission said its approach would ultimately result in a faster and more effective handling of the complaint.
It also argued the proceedings have been brought outside of the legal time frame allowed to bring a judicial review and that arguments raised in the proceedings are premature.

In his judgment, Mr Justice Simons said the DPC’s decision to prioritise the own-volition inquiry was “proportionate” and “within the margin of appreciation allowed to it” under GDPR.

Dr Ryan has yet to comment on the ruling.