The Irish Data Protection Commission (DPC) found itself in front of the Irish High Court yesterday and Thursday in a case concerning its failure to investigate Google’s online advertising auctions. The case was brought by Johnny Ryan, who had already reported Google’s “Real-Time Bidding” (RTB) system to the DPC in 2017. RTB is a technology where advertising space on websites and within apps is sold to advertisers through an automated auction.
Every time someone visits a website or uses an app and sees a targeted advertisement, data about what they read or view is sent to companies. These transmissions are known as “bid requests.” Advertising companies send this data to numerous companies so that advertisers can bid on showing ads to visitors. This enables targeted advertising.
The bid requests that make this possible often contain various personal information of internet users, such as the content the visitor reads or views, location data, information about the device used, a unique tracking ID, and IP address. “The problem is that Google’s RTB auction sends private information about what people are doing online and where they are physically located to more than a thousand tracking companies,” said the Irish Council for Civil Liberties (ICCL), where Ryan is a senior fellow.
After his report in 2017, Ryan filed a GDPR complaint against Google’s advertising auction with the DPC. In May 2019, the Irish Data Protection Commission announced that it would conduct an investigation, but it would not examine the security of personal data, which was at the core of Ryan’s complaint. According to the ICCL and Ryan, the auction system represents the largest data breach ever recorded.
However, the DPC has refused to properly investigate the security of personal data within Google’s system for five years, Ryan claims, and he finds it inexplicable that the regulator is not taking action. “We are asking the Irish High Court to compel the DPC to do its job. I have worked in the RTB industry myself and know how dangerous it is if this data falls into the wrong hands. Everyone in Europe is at risk if the DPC does not protect our data rights.”
The DPC denied the accusations and stated that the investigation is still ongoing. Google has its European headquarters in Ireland. The DPC has been repeatedly criticized by European privacy regulators for being lenient towards tech companies, but the regulator itself denies this. The DPC has been forced to adjust its GDPR fines against tech companies, as they were deemed too low by European privacy regulators.