Data privacy advocate submits further evidence in Google ads inquiry

Real-time bidding system represents ‘vast, systematic data breach’, Johnny Ryan argues

A data privacy advocate has submitted a dossier to the State's Data Protection Commission outlining further examples of alleged data breaches by Google, which he first raised with the watchdog two years ago.

Johnny Ryan, who is working on data privacy at the Irish Council for Civil Liberties, made a complaint to the commission about the issue of "real-time bidding", which is the buying and selling of online advert views through real-time auctions that take place through online advert exchanges in the time it takes a webpage to load.

In May 2019 the commission opened an inquiry into the potential breach of EU privacy rules by the tech giant around the sharing of personal data of internet users.

The investigation relates to Google’s processing of personal data through its online Ad Exchange, where companies bid to advertise to internet users based on their web browsing history.

Mr Ryan, who previously worked with private web browser Brave, described the system of real-time bidding to fill advertising spots as a “privacy crisis”.

He said the system allowed data about what an internet user was reading, watching or listening to to be sent to companies when Google placed an online ad.

This information could be used by data brokers – companies that build large anonymised profiles of web users, he said. The databases could then be sold to advertisers or other parties.

“My intimate data continues to be broadcast to countless companies through the RTB system. So does yours,” Mr Ryan said.

‘Intimate profiles’

He recently submitted a dossier to the commission outlining further examples of alleged data breaches from the practice.

The document claimed the real-time bidding system represented a “vast, systematic data breach” that allowed data brokers to “develop intimate profiles about us, our afflictions and interests” to then sell on.

The dossier set out several examples of data broker companies it said had built up databases of Irish internet users from Google’s system.

A spokesman for the commission said its investigation into the matter was ongoing. “Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the [commission]. The investigation has progressed and a full update on the next steps provided to the concerned party,” he said.

When it opened the inquiry into Google last year, the commission said it was examining “whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR)”.

Google has previously said its real-time bidding system is subject to stringent policies and standards.

In a statement Google said: “We do not allow advertisers to select ads based on sensitive personal data and we do not share people’s sensitive personal data, browsing histories or profiles with advertisers. We perform audits of ad buyers on Google’s ad exchange and if we find breaches of our policies we take action.”

Jack Power

Jack Power

Jack Power is a reporter with The Irish Times