Irish DPC sued for inaction on Google’s RTB system

The Irish Council for Civil Liberties (ICCL), represented by its senior fellow Dr. Johnny Ryan, sued the Irish Data Protection Commission (Irish DPC) over its inaction in regard to a major security complaint filed against Google’s real-time bidding (RTB) system. RTB describes the trading of users’ personal data in real-time advertising auctions. As Google operates its RTB system “on millions of websites, broadcasting personal data to other tracking companies billions of times a day”, Ryan calls the RTB system “the largest data breach ever”.

How does real-time bidding work?

With RTB, advertisers can bid on digital advertising spaces in real time in order to target an ad to a specific internet user. When a user visits a website, a corresponding bid request is sent to an Advertising Exchange Platform (ad exchange). This bid request contains different types of information such as demographic data, location information, browser history, etc. The ad exchange then forwards the bid request to buyers (advertisers), who bid in real time for the ad as it is presented to the website user. The advertiser who submits the highest bid gets their ad displayed to the website user. Buyers usually bid through a Demand Side Platform (DSP), which automates the bidding process. All this happens automatically during the few seconds it takes a website to load.

Therefore, user profiles are becoming more and more important to tech companies, as the price for an advertising impression increases the more is known about a user. However, these practices also have real-life consequences. As Dr. Johnny Ryan said:

“These secret dossiers about you – based on what you think is private – could prompt an algorithm to remove you from the shortlist for your dream job. A retailer might use the data to single you out for a higher price online. A political group might micro target you with personalised disinformation.”

The ICCL’s lawsuit against the Irish DPC

Accordingly, these RTB systems are cause for major concern. In September 2018, Dr. Johnny Ryan filed a complaint with the Irish DPC, as the competent data protection authority for Google, in which the NGO raised concerns about Google’s real-time bidding system. In particular, ICCL questioned the security of the system as it shares highly sensitive data about individuals (device IDs, browsing history and habits, location data, etc.) with intermediaries without the tracked users being aware of, or in control of, who receives their information or what happens to it.

The Irish DPC opened an investigation against Google in May 2019. However, the investigation was not opened based on the issues raised in Dr. Ryan’s complaint; instead, the agency opened what it called an “own-volition inquiry” to investigate,

“whether the processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the GDPR, including the lawful basis for the processing, the principles of transparency and data minimisation, as well as Google’s retention practices.”

The Irish DPC did not explicitly state that it would investigate data security issues in regard to Google’s RTB – even though this was the crucial part of Dr. Ryan’s complaint.

Following this, in September 2020, Dr. Ryan published a file including evidence that showed how users’ characteristics are being profiled for targeted advertising – without their knowledge or consent – and criticised the Irish DPC for its continued inaction on his RTB security complaint.

Finally, the ICCL sued the Irish DPC over its inaction in order to force it to investigate the security of Google’s RTB system. The Irish High Court admitted ICCL’s lawsuit in March 2022. If the claim is successful, the Irish DPC could be ordered to investigate the security of Google’s RTB system.

A pattern of lenience?

Many large tech companies, like Meta, Google, Microsoft, Twitter, eBay and many more, have their European headquarters in Ireland, making the Irish DPC one of the most important privacy watchdogs in the European Union (EU).

However, several decisions issued by the Irish DPC against tech giants since the GDPR came into force in May 2018 have had to go through dispute resolution procedures (in terms of Art. 65 GDPR) after other EU data protection authorities rejected the Irish DPC’s penalties as being too lenient. Examples of this are the Irish DPC’s decisions against Twitter and WhatsApp, for a security breach in 2020 and regarding transparency violations, respectively.

This pattern of leniency by the Irish DPC is jarring. Especially in the case of large tech companies, which usually process large amounts of personal and sometimes sensitive data, it is important to thoroughly investigate allegations and, if the allegations are confirmed, to impose appropriate fines.

A lenient approach to investigations and the imposition of fines may lead to a decline in the level of data protection, as violations of the GDPR could become lucrative and worth the cost, especially for companies with high revenues. It will thus be interesting to see if the Irish DPC will be ordered to, at least, investigate the matter, as this could be another important step to ensuring the effective enforcement of the rules of the GDPR.
