Civil liberties group demands action on 'largest data breach ever recorded'

Civil liberties group demands action on 'largest data breach ever recorded'

Liam Herrick, Executive Director of the Irish Counci of Civil Liberties.

The Data Protection Commission has been accused of an “unacceptable” lack of action concerning the behaviour of the online advertising industry, alleged to be “the largest data breach ever recorded”.

A new submission by the Irish Council for Civil Liberties (ICCL) to the DPC claims that the system of real time bidding, the dynamic process of auctioning advertising space as people browsed online, sees “Irish people’s health condition, political views, and whereabouts… analysed and sold in a dark data market”.

The ICCL further claims that insufficient action has been taken on a complaint regarding real time bidding submitted to the DPC by its fellow, Dr Johnny Ryan, two years ago when he was working in the private sector.

The DPC officially opened an investigation into Google Ireland’s processing of personal data via its online Ad Exchange in May 2019 off the back of Dr Ryan’s complaint, first lodged in September 2018.

It said at the time that the purpose of the investigation is to establish whether or not the data processed by Google as part of its online advertising auctions is compliant with the EU’s General Data Protection Regulation (GDPR).

“Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the DPC,” Graham Doyle, deputy commissioner with the Commission, said.

“The investigation has progressed and a full update on the next steps provided to the concerned party.” 

The ICCL has alleged that real time bidding, which sees people marketed to via their recorded online actions, breaches Article Five of the GDPR, which requires that personal data be kept secure.

“It is the biggest data breach ever recorded, leaking our secrets hundreds of billions of times per day,” the Council said in a statement.

While Google, which is merely one of the largest purveyors of such marketable data, has become increasingly sensitive to accusations of data misuse in the past two years, the process of real time bidding remains incredibly lucrative to the tech giant. 

In the third quarter of 2018, 87% of Google’s total revenue came from advertising equating to about €20.4 billion.

In his and the ICCL’s submission, however, Dr Ryan alleges that real time bidding has seen users’ personal data sold to companies involved in multiple other activities other than the mere sale of products.

It also claims that the system has seen the targeting of 1,200 Irish people profiled as belonging to a ‘substance abuse’ category.

Other examples of such categories include those profiled under headings such as ‘AIDS & HIV’, ‘STD’, ‘Chronic Pain’, and ‘Sleep Disorders’.

Liam Herrick, the ICCL’s executive director, dubbed the perceived delay in action by the DPC as being “unacceptable”.

“Continued failure will further harm citizens and damage Ireland’s reputation,” Mr Herrick said.

The DPC, as the ‘one stop shop’ for regulating the many multinational tech companies headquartered in Ireland, has primary responsibility for monitoring and investigating the likes of Google and Facebook within Europe.

“Two years after I formally notified the DPC about the real time bidding privacy crisis, my intimate data continues to be broadcast to countless companies through the RTB system. So does yours,” Dr Ryan said.

His legal representative, international digital rights lawyer Ravi Naik, said “the DPC’s inaction has led to a blockage of enforcement against these practices across Europe”.

“This is an intolerable situation for such wide-scale abuses and the DPC needs to act for this illegal conduct to end,” he added.

More in this section