A dossier of evidence detailing how the online ad-targeting industry profiles internet users' intimate characteristics without their knowledge or consent has been published today by the Irish Council for Civil Liberties (ICCL), piling more pressure on the country's data watchdog to take enforcement action over what complainants contend is the "biggest data breach of all time."
The publication follows a now two-year-old complaint lodged with Ireland's Data Protection Commission (DPC) claiming unlawful exploitation of personal data via the programmatic advertising Real-Time Bidding (RTB) process -- including dominant RTB systems devised by Google and the Internet Advertising Bureau (IAB).
The Irish DPC opened an investigation into Google's online Ad Exchange in May 2019, following a complaint filed by Dr Johnny Ryan (then at Brave, now a senior fellow at the ICCL) in September 2018 -- but two years on, that complaint, like so many major cross-border GDPR cases, remains unresolved.
"September 2020 marks two years since my formal complaint to the Irish Data Protection Commission about the 'Real-Time Bidding' data breach. This submission demonstrates the consequences of two years of failure to enforce," writes Ryan in the report.
Today, we release new data on the consequences of the biggest data breach of all time: Real-Time Bidding. Two years after my complaint about the RTB privacy crisis, @DPCIreland has failed to end it. @ICCLtweet https://t.co/4zj476UT3t pic.twitter.com/RvagTloWk4
— Johnny Ryan (@johnnyryan) September 21, 2020
Among hair-raising highlights in the ICCL dossier are that:
Google's RTB system sends data to 968 companies;
that a data broker company which uses RTB data to profile people influenced the 2019 Polish Parliamentary Election by targeting LGBTQ+ people;
that a profile built by a data broker with RTB data allows users of Google's system to target 1,200 people in Ireland profiled in a “Substance abuse” category, with other health condition profiles offered by the same data broker available via Google reported to include “Diabetes,” “Chronic Pain” and “Sleep Disorders”;
that the IAB’s RTB system allows users to target 1,300 people in Ireland profiled in an “AIDS & HIV” category, based on a data broker profile built with RTB data, while other categories from the same data broker include “Incest & Abuse Support,” “Brain Tumor,” “Incontinence” and “Depression”;
that a data broker that gathers RTB data tracked the movements of people in Italy to see if they observed the COVID-19 lockdown;
that a data broker that illicitly profiled Black Lives Matters protesters in the U.S. has also been allowed to gather RTB data about Europeans;
that the industry template for profiles includes intimate personal characteristics such as “Infertility,” “STD” and “Conservative” politics;
Under EU data protection law, personal information that relates to highly sensitive and intimate topics -- such as health, sexuality and politics -- is what's known as special category personal data. Processing this type of information generally requires explicit consent from users -- with only very narrow exceptions, such as for protecting the vital interests of the data subjects (and serving behavioral ads clearly wouldn't meet such a bar).
So it's hard to see how the current practices of the targeted ad industry can possibly be compliant with EU law, in spite of the massive scale on which internet users' data is being processed.
In the report, the ICCL estimates that just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year.
"Google’s RTB system now sends people’s private data to more companies, and from more websites than when the DPC was notified two years ago," it writes. "A single ad exchange using the IAB RTB system now sends 120 billion RTB broadcasts in a day, an increase of 140% over two years ago when the DPC was notified."
"Real-Time Bidding operates behind the scenes on websites and apps. It constantly broadcasts the private things we do and watch online, and where we are in the real-world, to countless companies. As a result, we are all an open book to data broker companies, and others, who can build intimate dossiers about each of us," it adds.
Reached for a response to the report, Google sent us the following statement:
We enforce strict privacy protocols and standards to protect people’s personal information, including industry-leading safeguards on the use of data for real-time bidding. We do not allow advertisers to select ads based on sensitive personal data and we do not share people’s sensitive personal data, browsing histories or profiles with advertisers. We perform audits of ad buyers on Google’s ad exchange and if we find breaches of our policies we take action.
We also reached out to the IAB Europe for comment on the report. A spokeswoman told us it would issue a response tomorrow.
Responding to the ICCL submission, the DPC's deputy commissioner Graham Doyle sent this statement: "Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the DPC. The investigation has progressed and a full update on the next steps provided to the concerned party."
However in a follow-up to Doyle's remarks, Ryan told TechCrunch he has "no idea" what the DPC is referring to when it mentions a "full update." On "next steps" he said the regulator informed him it will produce a document setting out what it believes the issues are -- within four weeks of its letter, dated September 15.
Ryan expressed particular concern that the DPC's enquiry does not appear to cover security -- which is the crux of the RTB complaints, since GDPR's security principle puts an obligation on processors to ensure data is handled securely and protected against unauthorized processing or loss. (Whereas RTB broadcasts personal data across the internet, leaking highly sensitive information in the process, per earlier evidence gathered by the complainants.)
He told TechCrunch the regulator finally sent him a letter, in May 2020, in response to his request to know what the scope of the inquiry is -- saying then that it is examining the following issues:
Whether Google has a lawful basis for processing of personal data, including special category data, for the purposes of targeted advertising via the Authorised Buyers mechanism and, specifically, for the sourcing, sharing and combining of the personal data collected by Google with other companies / partners;
How Google complies with its transparency obligations, particularly with regard to Article 5(1), 12, 13 and 14 of the GDPR;
The legal basis / bases for Google’s retention of personal data processed in the context of the Authorised Buyers mechanism and how it complies with Article 5(1)(c) in respect of its retention of personal data processed through the Authorised Buyers mechanism.
We've asked the DPC to confirm whether its investigation of Google's adtech is also examining compliance with GDPR Article 5(1)f and will update this report with any response.
The DPC did not respond to our question about the timing for any draft decision on Ryan's two-year-old complaint. But Doyle also pointed us to work this year around cookies and other tracking technologies -- including guidance on compliant usage -- adding that it has set out its intention to begin related enforcement from next month, when a six-month grace period for industry to comply with the rules on tracking elapses.
The regulator also pointed to another related open enquiry -- into adtech veteran Quantcast, also beginning in May 2019. (That enquiry followed a submission by privacy rights advocacy group Privacy International.)
The DPC has said the Quantcast enquiry is examining the lawful basis claimed for processing internet users' data for ad targeting purposes, as well as considering whether transparency and data retention obligations are being fulfilled. It's not clear whether the regulator is looking at the security of the data in that case, either. A summary of the scope of Quantcast enquiry in the DPC's annual report states:
In particular, the DPC is examining whether Quantcast has discharged its obligations in connection with the processing and aggregating of personal data which it conducts for the purposes of profiling and utilising the profiles generated for targeted advertising. The inquiry is examining how, and to what extent, Quantcast fulfils its obligation to be transparent to individuals in relation to what it does with personal data (including sources of collection, combining and making the data available to its customers) as well as Quantcast’s personal data retention practices. The inquiry will also examine the lawful basis pursuant to which processing occurs.
While Ireland remains under huge pressure over the glacial pace of cross-border GDPR investigations, given it's the lead regulator for many major tech platforms, it's not the only EU regulator accused of sitting on its hands where enforcement is concerned.
The U.K.'s data watchdog has similarly faced anger for failing to act over RTB complaints -- despite acknowledging systematic breaches. In its case, after months of regulatory inaction, the ICO announced earlier this year that it had "paused " its investigation into the industry’s processing of internet users’ personal data -- owing to disruption to businesses as a result of the COVID-19 pandemic.