DPC sued for failing to investigate Google’s real-time auctions

Three and a half years after receiving a complaint about Google’s real-time bidding (RTB) advertising system, the Irish data watchdog is being sued for failing to investigate.

The Irish Council for Civil Liberties (ICCL), whose lead researcher Johnny Ryan is taking the case, says Google’s use of RTB amounts to the “biggest data breach on record”.

But while the DPC was obligated under the GDPR to investigate and act on the 2018 complaintsays the ICCL it has not acted – despite the fact that no other EU enforcement officer can act until the DPC does, meaning Google’s activities have been allowed to continue across the EU since.

And while the DPC produced a “problem statement” in January, detailing what it plans to investigate, that doesn’t include security issues.

“We are concerned that the rights of individuals across the EU are at risk as the DPC has not investigated Google’s RTB system for three and a half years since Johnny Ryan was first notified in 2018,” Liam said. Herrick, Executive Director of the ICCL.

“The issue at stake here affects the rights of every European, and we are going to court to see that digital rights are protected. Repeated attempts to get the DPC to take charge of this rights violation have failed.”

Google’s RTB system is an auction that allows advertisers to buy real-time online ad impressions, with their ad delivered instantly to the publisher’s site. As part of the process, Google shares data with potential advertisers, including their location and online activity.

And, says the ICCL, there are no technical measures to limit what companies can do with that information, or who they pass it on to. This, he says, contravenes GDPR requirements that personal data must be processed lawfully and fairly and that the processing of personal data must be kept to a minimum.

“It causes a data breach by broadcasting what you’re looking at to other tracking companies every time a page loads,” Ryan says. “Conservative estimate: Google does it billions of times, every day.”

With thousands of complaints pending, this is not the first time that the DPC has been criticized for inaction: last summer, in fact, the European Parliament asked the European Commission to open an infringement procedure against the oversight body for failing to apply the GDPR.

And earlier this year, Facebook whistleblower Frances Haugen called for an independent review of the DPC’s big tech regulations, saying she was avoiding accountability.

Google has been approached for comment.