Ireland's data watchdog slammed for letting adtech carry on 'biggest breach of all time'

Big Data Social Media Montage
Big Data Social Media Montage  

A dossier of evidence detailing how the online ad targeting industry profiles Internet users' intimate characteristics without their knowledge or consent has been published today by the Irish Council for Civil Liberties (ICCL), piling more pressure on the country's data watchdog to take enforcement action over what complainants contend is the "biggest data breach of all time".

The publication follows a now two-year-old complaint lodged with Ireland's Data Protection Commission (DPC) claiming unlawful exploitation of personal data via the programmatic advertising Real-Time Bidding (RTB) process -- including dominant RTB systems devised by Google and the Internet Advertising Bureau (IAB).

The Irish DPC opened an investigation into Google's online Ad Exchange in May 2019, following a complaint filed by Dr Johnny Ryan (then at Brave, now a senior fellow at the ICCL) in September 2018 -- but two years on that complaint, like so many major cross-border GDPR cases, remains unresolved.

And, indeed, multiple RTB complaints have been filed with regulators across the EU but none have yet been resolved. It's a major black mark against the bloc's flagship data protection framework.

"September 2020 marks two years since my formal complaint to the Irish Data Protection Commission about the "Real-Time Bidding" data breach. This submission demonstrates the consequences of two years of failure to enforce," writes Ryan in the report.

Among hair-raising highlights in the ICCL dossier are that:

Under EU data protection law, personal information that relates to highly sensitive and intimate topics -- such as health, sexuality and politics -- is what's known as special category personal data. Processing this type of information generally requires explicit consent from users -- with only very narrow exceptions, such as for protecting the vital interests of the data subjects (and serving behavioral ads clearly wouldn't meet such a bar).

So it's hard to see how the current practices of the targeted ad industry can possibly be compliant with EU law, in spite of the massive scale on which Internet users' data is being processed.

In the report, the ICCL estimates that just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year.

"Google's RTB system now sends people's private data to more companies, and from more websites than when the DPC was notified two years ago," it writes. "A single ad exchange using the IAB RTB system now sends 120 billion RTB broadcasts in a day, an increase of 140% over two years ago when the DPC was notified."

"Real-Time Bidding operates behind the scenes on websites and apps. It constantly broadcasts the private things we do and watch online, and where we are in the real-world, to countless companies. As a result, we are all an open book to data broker companies, and others, who can build intimate dossiers about each of us," it adds.

Reached for a response to the report, Google sent us the following statement:

We also reached out to the IAB Europe for comment on the report. A spokeswoman told us it would issue a response tomorrow.

Responding to the ICCL submission, the DPC's deputy commissioner Graham Doyle sent this statement: "Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the DPC. The investigation has progressed and a full update on the next steps provided to the concerned party."

However in a follow up to Doyle's remarks, Ryan told TechCrunch he has "no idea" what the DPC is referring to when it mentions a "full update". On "next steps" he said the regulator informed him it will produce a document setting out what it believes the issues are -- within four weeks of its letter, dated September 15.

Ryan expressed particular concern that the DPC's enquiry does not appear to cover security -- which is the crux of the RTB complaints, since GDPR's security principle puts an obligation on processors to ensure data is handled securely and protected against unauthorized processing or loss. (Whereas RTB broadcasts personal data across the Internet, leaking highly sensitive information in the process, per earlier evidence gathered by the complainants.)

He told TechCrunch the regulator finally sent him a letter, in May 2020, in response to his request to know what the scope of the inquiry is -- saying then that it is examining the following issues:

We've asked the DPC to confirm whether its investigation of Google's adtech is also examining compliance with GDPR Article 5(1)f and will update this report with any response.

The DPC did not respond to our question about the timing for any draft decision on Ryan's two-year-old complaint. But Doyle also pointed us to work this year around cookies and other tracking technologies -- including guidance on compliant usage -- adding that it has set out its intention to begin related enforcement from next month, when a six-month grace period for industry to comply with the rules on tracking elapses.

The regulator also pointed to another related open enquiry -- into adtech veteran Quantcast, also beginning in May 2019. (That enquiry followed a submission by privacy rights advocacy group, Privacy International.)

The DPC has said the Quantcast enquiry is examining the lawful basis claimed for processing Internet users' data for ad targeting purposes, as well as considering whether transparency and data retention obligations are being fulfilled. It's not clear whether the regulator is looking at the security of the data in that case, either. A summary of the scope of Quantcast enquiry in the DPC's annual report states:

While Ireland remains under huge pressure over the glacial pace of cross-border GDPR investigations, given it's the lead regulator for many major tech platforms, it's not the only EU regulator accused of sitting on its hands where enforcement is concerned.

The UK's data watchdog has similarly faced anger for failing to act over RTB complaints -- despite acknowledgingsystematic breaches. In its case, after months of regulatory inaction, the ICO announced earlier this year that it had 'paused 'its investigation into the industry's processing of Internet users' personal data -- owing to disruption to businesses as a result of the COVID-19 pandemic.


More Related News

Economic cost of new EU tech rules could top $100.5 billion, study says
Economic cost of new EU tech rules could top $100.5 billion, study says

The European Union's plan to rein in U.S. tech giants with new rules could cost the 27-country bloc as much as 85 billion euros ($100.5 billion) in economic growth, Brussels-based think tank ECIPE warned. Under the proposed rules, Facebook , Alphabet unit Google, Amazon and Apple could be forced to share data and banned from favouring their own services. In a study sponsored by Google, due to be published this week and seen by Reuters, the European Centre for International Political Economy (ECIPE) said changing the regulatory approach could have a chilling effect on the EU economy.

Apple developing search engine to compete with Google: report
Apple developing search engine to compete with Google: report

Apple has accelerated work to develop its own search engine that would allow the iPhone maker to  offer an alternative to Google, a Financial Times report said Wednesday.

HAGENS BERMAN, NATIONAL TRIAL ATTORNEYS, Encourages First American Financial (FAF) Investors with Losses to Contact Its Attorneys, Securities Fraud Class Action Filed, SEC Investigating Data Privacy Disclosures
HAGENS BERMAN, NATIONAL TRIAL ATTORNEYS, Encourages First American Financial (FAF) Investors with Losses to Contact Its Attorneys, Securities Fraud Class Action Filed, SEC Investigating Data Privacy Disclosures

SAN FRANCISCO, Oct. 27, 2020 (GLOBE NEWSWIRE) -- Hagens Berman urges First American Financial Corp. (NYSE: FAF) investors with significant losses to submit your losses now. A securities fraud class action has been filed and certain investors may have valuable claims. Class Period: Feb. 17, 2017 - Oct. 22, 2020 Lead Plaintiff Deadline: Dec. 24, 2020 Visit: Contact An Attorney Now:                                              844-916-0895First American Financial (FAF) Securities Fraud Class Action:The lawsuit centers on the accuracy of First American's statements about the company's data protection practices and...

Insider Q&A: Google
Insider Q&A: Google's Annie Jean-Baptiste on inclusion

As the head of product inclusion at Google, Annie Jean-Baptiste works to help ensure that the company's products -- from photos to search to everything else -- are built with everyone in mind, including women, underrepresented minorities, and people of different ages, abilities, geographic locations and economic status. Jean-Baptiste spoke to The Associated Press recently about her work. ANSWER: We started product inclusion as what we call a 20% project, which means we get to spend 20% of our time doing something that we're passionate about, even if it's not our role.

Turkey's Erdogan sues Dutch anti-Islam lawmaker for insults
  • US
  • 2020-10-27 12:00:16Z

Turkish President Recep Tayyip Erdogan is suing Dutch lawmaker Geert Wilders after the anti-Islam politician posted a series of tweets against the Turkish leader, including one that described him as a "terrorist." The state-run Anadolu Agency said Erdogan's lawyer on Tuesday filed a criminal complaint against Wilders at the Ankara Chief Prosecutor's office for "insulting the president" -- a crime in Turkey punishable by up to four years in prison. Wilders posted a cartoon depicting Erdogan wearing a bomb-resembling hat on his head, with the comment: "terrorist."

Leave a Comment

Your email address will not be published. Required fields are marked with *

Cancel reply


Top News: Economy