ICCL sues DPC over failure to act on massive Google data breach

15 March 2022 

Updated 21 March 2022 to add affidavit. 

The Irish Council for Civil Liberties (ICCL) is suing the DPC for its failure to protect people against the biggest data breach ever recorded: Google’s “Real-Time Bidding” online advertising system. The DPC must be compelled to act now.

The biggest data breach ever 

Google’s “Real-Time Bidding” (RTB) system selects what ads you will see when a website or app loads. It happens behind the scenes, and can broadcast private information about you to over a thousand[1] other tracking companies in a split second. There is no control over what those companies do with this sensitive data. This infringes the cardinal GDPR principle that companies must protect personal data. Google operates this unlawful RTB system on millions of websites,[2] broadcasting personal data to other tracking companies billions of times a day.[3] This is the largest data breach ever.

The DPC received a complaint about Google’s RTB data breach 3 ½ years ago. The DPC was obliged to investigate and act on that complaint under the GDPR. But it did not do so. Because Google’s EU operation is based in Ireland, the DPC has the lead responsibility to see that it obeys Europe’s data protection law. In fact, no other EU enforcers can act until the DPC does so. The DPC’s failure to act on this complaint has therefore allowed Google’s massive data breach to continue across the entire EU for 3 ½ years.

3 ½ years of inaction by the Irish Data Protection Commission

• 2018, September 12^th
  Dr Johnny Ryan lodges a GDPR complaint against Google’s and IAB’s Real-Time Bidding systems at the Irish Data Protection Commission.
• 2019, May 22^nd
  The DPC announces it has launched an inquiry into Google’s RTB system.
• 2022, January 12^th
  DPC says it has written a “statement of issues” of what it will investigate (at last). This excludes data security – the critical issue of the complaint.
• 2022, March 14^th
  The High Court grants leave for ICCL lawsuit against the DPC for inaction.

Liam Herrick, Executive Director of ICCL, said

“We are concerned that the rights of individuals across the EU are in jeopardy, because the DPC has failed to investigate Google’s RTB system over three and half years since first notified by Johnny Ryan in 2018. The issue at stake here affects the rights of every European and we are going to court to see that digital rights are protected. Repeated attempts to get the DPC to take up this rights violation have failed.” 

The plaintiff in the case is Dr Johnny Ryan, a Senior Fellow at ICCL. Dr Ryan said

“The DPC was created to protect us against the illegal collection and use of intimate data about us. But it has failed to act in this landmark case, despite the passage of three and a half years and having detailed evidence of Google’s massive and ongoing data breach”.

Separately, the EU Ombudsman recently wrote to European Commission President Ursula von der Leyen, following a separate complaint from ICCL, to investigate whether the Commission has adequately monitored Ireland’s application of the GDPR. The European Commission is due to respond by 15 May.[4] ICCL has repeatedly asked the DPC to disclose detailed statistics on its backlog of cross-border complaints and cases, and for transparency about what actions it took when it describes a complaint or case as resolved.[5]

The Irish Council for Civil Liberties (ICCL) is Ireland’s oldest independent human rights campaigning organisation. We monitor, educate and campaign to secure human rights for everyone in Ireland.

Contact

For media queries: sinead.nolan@iccl.ie +353 (0) 87 4157162

Documents 

Download Affidavit of Johnny Ryan Ryan 8 March 2022 (PDF). 

Notes