Google Ad Exchange in data privacy probe

The Irish Data Protection Commission (DPC) announced on Wednesday that it’s launched a probe into whether Google’s processing of personal data as part of its Ad Exchange is breaching General Data Protection Regulation (GDPR) rules.

The DPC said that the probe was triggered by Dr. Johnny Ryan, among others. Dr. Ryan is the Chief Policy Officer (CPO) of the privacy-focused Brave browser, which was founded by Brendan Eich, the inventor of JavaScript and co-founder of Mozilla.

According to Dr. Ryan,

Google’s DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites [and] is a driver of Google’s $19.9B revenue from ads served on publishers’ websites and relies on broadcasting users’ personal data, unbeknownst to them.

From the DPC’s announcement:

Arising from the Data Protection Commission’s ongoing examination of data protection compliance in the area of personalised online advertising and a number of submissions to the Data Protection Commission, including those made by Dr. Johnny Ryan of Brave, a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange.

Formal complaint from Brave

In September, Ryan submitted a formal complaint – to both the Information Commissioner’s Office (ICO) in the UK and to the Irish DPC – against Google and a number of other ad technology firms. Joining him in the complaint were Executive Director of the Open Rights Group Jim Killock and Michael Veale of University College London.

The complaint says that Google’s DoubleClick/Authorized Buyers advertising system is leaking personal data of website visitors to thousands of companies, without people being aware, able to consent, nor empowered to do anything about it.

The complaint references what’s called the Ryan report: a report from Dr. Ryan that details how the marketing ecosystem for behavioral advertising interacts with people’s personal data.

On Wednesday, Dr. Ryan testified before the US Senate Judiciary Committee about the issues at the heart of the complaint and the Ryan report: namely, the sensitive personal information that gets broadcast about us nearly every time we visit a website that uses “real-time bidding” ad auctions.

In these ad auctions, data about us is broadcast to tens or hundreds of tracking companies, Dr. Ryan said. Those tracking companies let advertisers compete for the opportunity to show us an ad.

Advertising is necessary to fund content publishing, so all that’s OK, right? You might think so until you hear what’s in that “big broadcast,” Ryan said:

It can include your – inferred – sexual orientation, political views, whether you are Christian, Jewish, or Muslim, etc., whether you have AIDS, erectile disfunction, or bi-polar disorder. It includes what you are reading, watching, and listening to. It includes your location, sometimes right up to your exact GPS coordinates. And it includes unique ID codes that are as specific to you as is your social security number, so that all of this data can be tied to you, continually, over time. This allows companies you have never heard of to maintain intimate profiles about you and what makes you tick – and on everyone you have ever known.

It’s happening “hundreds of billions of times a day,” Dr. Ryan said, and none of it is necessary for “smart advertising.” It doesn’t bring in much profit, either, he said, referencing research from Carnegie Mellon University – due to be published next month – that shows that the profiling nets publishers only an extra 4% revenue: US $.00008 extra per ad.

If it agrees, the DPC could put on some hurt

The Irish DPC can issue big penalties: companies found not to be compliant with GDPR face fines up to €20m (US $22.36m) or 4% of an organization’s annual global turnover.

The BBC got this response when it asked Google about the probe:

We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards.

The DPC will also look into Google’s data retention practices.

For his part, Brave’s CPO predicts that “surveillance capitalism is about to become obsolete.”

The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google. We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.