
ICCL v DPC at High Court in Ireland over DPC refusal to investigate Google’s RTB data breach

22 July 2023

Irish Council for Civil Liberties is in court on Thursday 27 and Friday 28 July against the Irish Data Protection Commission for its failure to protect people against the biggest data breach ever recorded.  

On Thursday, 27 July, the High Court will hear a case taken by the Irish Council for Civil Liberties (ICCL) against the Data Protection Commission (DPC). ICCL alleges that the DPC has failed to protect people against the biggest data breach ever recorded: Google’s “Real-Time Bidding” online advertising system.

The DPC is responsible for supervising how Google handles data across all of Europe. ICCL is asking the High Court to order the DPC to act on the massive data breach at the heart of Google’s online advertising system. Google is a notice party in the hearing. The High Court will hear the case for two days.

The biggest data breach ever 

Google’s “Real-Time Bidding” (RTB) system decides which personalised ads will appear in front of people on millions[1] of websites and apps. “Bidding” refers to the auctions that Google runs for each advertising slot. Tracking firms representing advertisers receive detailed information from Google’s auction about people as they browse the Web or use apps, so that each firm can bid on behalf of an advertiser for the opportunity to show personalised ads to specific people who the advertiser has identified as their intended target. This RTB auction system is the primary means of showing ads online,[2] and happens billions[3] of times a day in the split seconds as web pages and apps are loaded.

The problem is that Google’s RTB auction sends private information about what people are doing online and where they are physically located to over a thousand[4] tracking companies. According to Google’s own technical documents, it even sends that information to companies in China[5] and Russia.[6] There is no control over what any of these companies then do with the information they receive from Google. Nor is it possible to know who they sell it on to. In other words, Google’s RTB auction is a vast and unending data breach.

The data Google broadcasts so widely can be very sensitive indeed: what you are reading or watching at that moment; inferences about your sexual preferences, religion, ethnicity, illnesses, political views; and your physical location.[7] Google also sends ID codes about you that allow recipients to maintain living dossiers about your activity and movements in the real world.

ICCL obtained industry data that show a person in Ireland has their online activity and location exposed in this way 392 times a day on average by the RTB industry, in which Google is the dominant actor.[8] Google’s European totals are staggering: it exposes people’s data 42 billion times a day in Europe (and 31 billion in the United States).[9]

This enormous data breach repeats every day, exposing everyone to highly invasive profiling. For example, ICCL uncovered the sale of RTB data by a data broker firm revealing Irish people’s sensitive health conditions, tied to Google.[10] Other RTB data, not tied to Google, included a set of Irish people who were identified as sexual abuse survivors. The firm had also used RTB to influence an election in Europe. ICCL reported this to the DPC. To ICCL’s knowledge, no action was taken.

DPC’s half-decade refusal to investigate the biggest data breach ever

The plaintiff in the case is Dr Johnny Ryan, a Senior Fellow at ICCL. Dr Ryan previously worked in the RTB industry. In 2017 he blew the whistle about Google’s RTB business to the DPC. The DPC refused to take any action.

Then, in 2018, he submitted a formal GDPR complaint to the DPC that included detailed evidence against Google. It also included evidence against the IAB, a tracking industry standards and lobbying body. The complaint was clear: the failure to ensure security for personal data was the complaint’s “principal concern”.[11]

But, for five years, the DPC has refused to investigate this primary concern. Instead, it bypassed the complaint and launched a separate investigation in 2019 that excluded the data breach from its scope.

Everyone in Europe has been affected by the DPC’s refusal to act, because by virtue of Google having its EU headquarters in Ireland the DPC is Europe’s lead supervisory authority for Google.

Speaking today, ICCL’s Dr Johnny Ryan said:

“The DPC’s half-decade refusal to investigate Google’s massive data breach is inexplicable. We are asking the Irish High Court to order the DPC to finally do its job. Having worked in the RTB industry, I know how dangerous these data are when put in the wrong hands. Everyone in Europe is at risk when the DPC fails to protect our data rights.”

ICCL is Ireland’s oldest independent human rights campaigning organisation. It monitors, educates and campaigns to secure human rights.

Timeline: the DPC’s half-decade inaction

  • 2017, Dr Ryan blew the whistle to the DPC while working in the online advertising industry. The DPC refused to act on the information.

  • 2018, September
    Dr Ryan lodged a GDPR complaint against Google’s and IAB’s Real-Time Bidding systems with the Irish Data Protection Commission.

  • 2019, May
    The DPC announced it had launched an inquiry into Google’s RTB system, citing Dr Ryan’s complaint. It subsequently disclosed that this inquiry would not investigate the lack of security, which was the principal concern of Dr Ryan’s complaint.

  • 2022, January
    DPC said it has written a “statement of issues” of what it will investigate (at last). It told ICCL it has excluded security – the critical issue of the complaint – from its investigation.

  • 2023, July 27-28th
    ICCL v DPC hearing at the High Court.

Contact

For media queries: ruth.mccourt@iccl.ie +353 (0) 87 4157162

Notes


[1] 15,590,421 websites according to BuiltWith (URL: https://trends.builtwith.com/ads/DoubleClick.Net), and AppFigures reports 1.5 million Android apps and 127,000 iOS apps.

[2] “Programmatic” including display and video ads accounted for an estimated $99bn in 2021, whereas Search accounted for an estimated $78.3bn, according to “PwC IAB Internet Advertising Revenue Report 2021”, April 2022 (URL: https://www.iab.com/insights/internet-advertising-revenue-report-full-year-2021/), pp 17, 21.

[3] “The Biggest Data Breach: ICCL report on scale of Real-Time Bidding data broadcasts in the U.S. and Europe”, ICCL, May 2022 (URL: https://www.iccl.ie/wp-content/uploads/2022/05/Mass-data-breach-of-Europe-and-US-data-1.pdf).

[4] 1,084 companies are currently listed in “Ad technology providers”, Google’s list of receiving companies (URL: https://support.google.com/admanager/answer/9012903?hl=en)

[5] Including 北京泛为信息科技有限公司 (Beijing Fanwei Information Technology Co., Ltd.), 世纪富轩科技发展(北京)有限公司 (DHgate Group), 北京泛为信息科技有限公司 (Fancy Digital) (URL: https://support.google.com/admanager/answer/9012903?hl=en).

[6] Including Yandex, AdSniper, AiData, and others (URL: https://support.google.com/admanager/answer/9012903?hl=en).

[7] See “HyperlocalSet” in “Authorized Buyers Proto v253”, Google (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide#hyperlocalset-object).

[8] “The Biggest Data Breach: ICCL report on scale of Real-Time Bidding data broadcasts in the U.S. and Europe”, ICCL, May 2022 (URL: https://www.iccl.ie/wp-content/uploads/2022/05/Mass-data-breach-of-Europe-and-US-data-1.pdf), p. 3.

[9] ibid. 

[10] ICCL submission to Data Protection Commissioner, 21 September 2020 (URL: https://www.iccl.ie/wp-content/uploads/2020/09/1.-Submission-to-Data-Protection-Commissioner.pdf).

[11] “Our principal concern is that the current frameworks and policies relating to the industry fail to provide adequate protections against unauthorised, and potentially unlimited, disclosure and processing of personal data”. Paragraph 25 of the grounds of complaint to the Data Protection Commissioner, September 2018 (URL: https://www.iccl.ie/wp-content/uploads/2022/03/Johnny-Ryan-complaint-v-RTB-Irish-Data-Protection-Commission-12-September-2018-combined-with-Report.pdf).