Irish Data Protection Commission inaction means Irish people with AIDS were profiled, Polish elections were influenced, and the biggest data breach in history continues.

21 September 2020

A new ICCL report reveals that failure by the Irish Data Protection Commission (DPC) to stop a massive data breach at the heart of the online advertising industry is allowing illicit profiling of Irish people by data broker companies. Irish people’s health conditions, political views, and whereabouts are analysed and sold in a dark data market.

The ICCL report also includes a proven case of electoral influence, profiling of Irish people with AIDS and other conditions, and a list of the nine hundred and sixty eight companies that Google sends information to about the private things that people do and watch online.

“It is unacceptable that the largest data breach ever recorded should be permitted to continue more than two years after the DPC was made aware of it”, said Liam Herrick, director of ICCL. “Continued failure will further harm citizens, and damage Ireland’s reputation.”

The data breach occurs in online advertising’s Real-Time Bidding (RTB) system, which is an open secret operating behind the scenes on websites and apps. RTB constantly broadcasts everyone’s online actions, and where we are in the real world, to a vast array of companies. There is no technical limit on what those companies then do with our secrets, or who they share them with. Watch a video explainer on RTB here.

This infringes Article 5(1)(f) of the EU’s General Data Protection Regulation, which requires that personal data be kept secure. It is the biggest data breach ever recorded, leaking our secrets hundreds of billions of times per day. It is two years since the DPC was first formally notified of this by Dr Johnny Ryan, now a Senior Fellow of the ICCL. But as today’s report shows, the problem has grown even more acute over the past two years.

Dr Ryan said “Today, two years after I formally notified the DPC about the RTB privacy crisis, my intimate data continues to be broadcast to countless companies through the RTB system. So does yours.”

Because of the DPC’s key role as Google’s GDPR supervisory authority for all of Europe, its failure to act has international implications. International digital rights lawyer Ravi Naik, who represents Dr Ryan, said “the DPC’s inaction has led to a blockage of enforcement against these practices across Europe. This is an intolerable situation for such wide-scale abuses and the DPC needs to act for this illegal conduct to end.” 

Today’s ICCL report also brings to light documentation from the data industry, revealing that it attributes characteristics such as “infertility”, “STD”, or “Conservative” to each of us. The report also shows how data brokers used RTB data to profile LGBTQ+ people to influence last year’s parliamentary election in Poland, tracked the movements of people in Italy during the lockdown, and profiled Black Lives Matter protestors.

Dr Ryan’s Irish solicitor, Gerard Rudden, said “The scale of the data breach identified and exposed by Dr Ryan in his complaint is astonishing. The regulator has a duty to act with all due diligence. It is extremely concerning that 2 years have passed, during which time the problem has grown significantly, and no decisive action seems to have been taken.”

ENDS/

Full report, key insights, letter to Minister for Justice and appendices here:

https://www.dropbox.com/sh/7xo77grl2mnb6b6/AAAlszXoQ_zM2kUSsSRqKJSqa?dl=0

Find a video explainer on RTB here: https://vimeo.com/451973748

For comment: Dr Johnny Ryan, Liam Herrick

For media queries: Sinéad Nolan sinead.nolan@iccl.ie 087-4157162