Dr Johnny Ryan (while working at Brave) has gathered evidence on the biggest data breach in history. Every day, the online ad industry broadcasts what every Internet user reads and watches to thousands of companies, hundreds of billions of times a day. Together with 21 privacy activists and organisations, Dr Ryan is using the GDPR to end it.
Timeline
12 September 2018 Formal GDPR complaints, accompanied by an overview of RTB that details evidence from Google and IAB technical documentation (the ‘Ryan Report’), are submitted to Irish Data Protection Commission (DPC) and UK Information Commissioner’s Office (ICO) by Johnny Ryan of Brave, and Jim Killock of Open Rights Group and Michael Veale of UCL. Read more.
28 January 2019 Further evidence on “content categories” is submitted. The complaint is also submitted to Polish Data Protection Authority by Katarzyna Szymielewicz of Pakoptykon Foundation. Read more.
20 February 2019 Further evidence is submitted, including sample bid requests, IAB correspondence, and material on the scale of and lack of control in RTB system. Read more.
20 May 2019 The complaint is extended to four more countries. The new complaints are filed by Gemma Galdon Clavell of Eticas Foundation, David Korteweg of Bits of Freedom, Jef Ausloos of University of Amsterdam, Pierre Dewitte of University of Leuven, and Jose Belo of Exigo Luxembourg. Read more.
22 May 2019 The Irish Data Protection Commission announces a statutory investigation into Google’s RTB business under Section 110 of the Irish Data Protection Act, which relates to “suspected infringement”. Read more.
4 June 2019 The complaint is extended to France, Germany, Italy, the Netherlands, Poland, Bulgaria, the Czech Republic, Estonia, and Hungary. This is coordinated through Liberties.eu. The new complainants are the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Italian Coalition for Civil Rights and Freedoms, the Estonian Human Rights Centre, the Peace Institute. Read more (external link).
20 June 2019 The UK Information Commissioner’s Office publishes a report that confirms and vindicates the complaint and accompanying evidence. However, the ICO fails to take any action. Read more.
4 September 2019 Further evidence, demonstrating the misuse of personal data in Google’s RTB system, is submitted to the Irish Data Protection Authority. Read more.
8 October 2019 The Belgian Data Protection Authority confirms in writing to Ausloos and Dewitte that it is investigating the IAB.
31 December 2019 The ICO’s six month grace period for the RTB industry ends. No substantive action is taken or proposed by the industry to end the RTB data breach.
17 January 2020 The ICO announces that it will take no immediate action to stop the ongoing RTB data breach. Read more.
See also: Real Time Bidding Evidence