Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR

Dublin, Ireland and London, United Kingdom, Wednesday, 12 September 2018 — Simultaneous complaints have been filed with European data protection authorities against Google and other ad tech firms.

The complaints are being made by Dr Johnny Ryan of Brave, the private web browser, Jim Killock, Executive Director of the Open Rights Group, and Michael Veale of University College London. The complaint notifies European regulators of a massive and ongoing data breach that affects virtually every user on the web. The documents submitted in this complaint are available at the bottom of this page.

Every time a person visits a website and is shown a “behavioural” ad, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as a “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.

The GDPR, Article 5, paragraph 1, point f, requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” If you cannot protect data in this way, then the GDPR says you cannot process the data.

Bid request data can include the following personal data:

  • What you are reading or watching
  • Your location
  • Description of your device
  • Unique tracking IDs or a “cookie match”.
    This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you.
  • Your IP address (depending on the version of “real time bidding” system)
  • Data broker segment ID, if available.
    This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two-year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger an EU-wide investigation into the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data.”

The complaint refers to specific tables in the technical specifications of the RTB bid request system used by advertising technology companies, and Google’s proprietary RTB system, to show exactly which data are involved (see detail in complaint documents at link).

Article 5 (1) f of the GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” But there is no control over the intimate personal data in RTB bid requests once they have been broadcast.

Ravi Naik, a Partner at ITN Solicitors who worked with David Carroll on the Cambridge Analytica complaint to the UK Information Commissioner, is working on the case.

Mr Naik said “We have been instructed by clients in numerous jurisdictions to file complaints concerning the behavioural advertising industry. The complaints have been lodged with a number of data protection authorities, with a request for a Europe-wide investigation into the industry using new powers within the GDPR. Those complaints are significant and the consequences could be far reaching. We are confident that any proper appraisal by the authorities of the concerns will lead to a fundamental shift in our relationship with the internet, for the better”.

The complaint – filed simultaneously with the Irish Data Protection Commissioner and the UK Information Commissioner – requests joint supervisory investigation by European Regulators under Article 62 of the GDPR. This appears to be the first action of this nature since the application of the GDPR.

Jim Killock of the Open Rights Group said “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.

Files submitted in this complaint: