Irish Data Protection Commissioner Under Fire for Allowing Real-Time Bidding
- The Irish Data Protection Agency was warned of Google’s real-time bidding system two years ago.
- The otherwise active commission did nothing, and the same was the case with the rest of the EU-based watchdogs.
- The reporter’s prestige and the presentation of user dossier examples act as a final call for action now.
The Irish Data Protection Commissioner (DPC), which is actually one of the most active and strict GDPR-enforcers in Europe, is accused of knowingly allowing what is characterized as the “biggest data breach of all time: Real-Time Bidding.” The grave accusations come from the Irish Council for Civil Liberties (ICCL), who has reportedly warned the Irish DPC of the violations over two years ago.
This is the same topic that we covered exactly one year ago, publicized by Dr. Johnny Ryan again.
Today, we release new data on the consequences of the biggest data breach of all time: Real-Time Bidding. Two years after my complaint about the RTB privacy crisis, @DPCIreland has failed to end it. @ICCLtweet https://t.co/4zj476UT3t pic.twitter.com/RvagTloWk4
— Johnny Ryan (@johnnyryan) September 21, 2020
The evidence that is now presented by the ICCL points to multiple infringements of Article 5(1) of the GDPR, which refer to the security of personal data. The culprit for these violations is Google and its vast network of advertisers.
The ICCL data involves 968 companies who were receiving sensitive data from Google, profiling internet users, and learning a lot about their private lives. From their health status and potential problems they’re facing to their political views and their very movement during COVID-19 lockdowns, everything is allegedly for sale to data brokers.
Source: ICCL
As J. Ryan explains, these companies don’t have to honor any limitations on how they use this data. They can practically pass them onto more companies without Google or the user ever knowing about it. In the case of a data leak, there are no requirements to verify what has happened to that data, so GDPR’s provision for personal information security is basically thrown out of the window in its entirety.
The consequences of this unlimited use and data sharing can be dire and widespread. AI-based systems could use these secret dossiers to understand what you care about and help retailers maximize selling prices to you. They could also exclude you from a job position that has just opened, or have a political group micro-target you and influence your view of the world with fake news.
Related: The ‘Google App Engine’ Could Be to Blame for Stealthy Phishing Attacks
So, this “underground” deal between Google and some advertisers was reported to the Irish DPC two years ago, but none of the EU-based privacy watchdogs took no action. On the contrary, things have reportedly gotten even worse, as all data protection commissions looked elsewhere and focused on imposing penalties for way more superficial violations.
Maybe Google’s real-time bidding system was too big and overwhelming for them to even investigate, but this isn’t an excuse for not even a single office launching a probe against the tech giant during these last two years.