Johnny Ryan, Senior Fellow at ICCL, is the plaintiff in the suit. Since 2018, Ryan has been one of the biggest voices drawing attention to the security concerns with Google’s Real-time Bidding (RTB) system for advertisement spaces. Ryan hopes his lawsuit will force the DPC into finally taking action against Google adtech.

What is Google’s Real-time Bidding System?

Google runs an automated system that selects the advertisements visitors see on websites. Google creates a unique profile of the visitor based on their browsing history and other information like demographic and location data. This profile is sent to an ad exchange for advertisers to bid on in real-time. Consequently, the highest bidder’s advertisement is displayed on the website. These customer profiles contain sensitive personal information which is displayed to a large number of advertisers. According to Ryan, there are no controls or checks in place which protect this data, leaving companies free to misuse it. He added that Google runs the RTB system on millions of websites, and broadcasts personal data to advertisers billions of times a day. In a Twitter thread revealing the extent of the problem, Ryan called this “the biggest data breach ever recorded.”

History of Ryan’s Complaints Against Google Adtech

The ICCL is Ireland’s oldest independent human rights activist organization. In a press release, the data watchdog group said the Irish DPC first received a complaint about Google RTB 3.5 years ago. However, despite its obligation to act on such a complaint, the regulator did not do so. Instead, it decided to conduct an inquiry into Google RTB’s activity in May 2019. In January 2022, the DPC released a list of issues that it planned to look into. However, the list did not include security, which was Ryan’s main concern. “The DPC was created to protect us against the illegal collection and use of intimate data about us. But it has failed to act in this landmark case, despite the passage of three and a half years and having detailed evidence of Google’s massive and ongoing data breach,” Ryan said. Since Google’s EU operations are based in Ireland, the Irish DPC is responsible for ensuring it complies with the GDPR. In fact, other European data regulators cannot take action until the DPC does so.

Growing Scrutiny on Irish DPC

Apart from ICCL’s lawsuit, the European Ombudsman has also sought more information on how the Irish DPC is carrying out its duties. She asked European Commission President Ursula von der Leyen to look into whether the DPC has “adequately monitored Ireland’s application of the GDPR.” The Commission has until May 15 to respond to the European Ombudsman.
