Web sites shared over 100 trillion pieces of our personal data last year: time to stop real-time bidding’s blatant disregard of privacy

Posted on Sep 23, 2020 by Glyn Moody

Last week Privacy News Online wrote about developments in the long-running battle between the privacy campaigner Max Schrems and Facebook. One of the key issues there is the failure by the Irish Data Protection Commission (DPC) to act on the initial complaint made by Schrems seven years ago. That matters, because under EU law, Ireland is effectively the data protection agency for the whole of the European Union. Like Facebook, Google too has its European headquarters in Dublin. That means complaints against the company must also be dealt with by Ireland’s DPC. As this blog reported two years ago, just such a complaint was submitted to both the UK and Irish data protection authorities, regarding the use of real-time bidding (RTB) systems by Google. The problem of RTB, and how it goes against core requirements of the EU’s GDPR legislation, was first discussed here three years ago, with updates noting the serious implications for privacy. The UK’s Information Commissioner’s Office published the preliminary results of its investigation into RTB (since paused because of Covid-19) last year, and they didn’t look good for Google. The Irish DPC has been very slow to take action. As a result, one of the people involved in the initial complaint, Johnny Ryan, has released new evidence of how serious the problem is:

“September 2020 is the two-year anniversary of my formal complaint to the Irish Data Protection Commission about the Real-Time Bidding privacy crisis. In these two years, RTB has been allowed to continue to infringe Article 5(1)f of the GDPR, which requires security of personal data. In fact, this vast data breach appears to have worsened.

“Today, we at the ICCL [Irish Council for Civil Liberties] submitted evidence to the DPC that shows the consequence of failure to enforce the GDPR to stop the vast RTB data breach at the heart of the online advertising industry.”

Ryan’s hand has been strengthened by his move last month from the software company Brave, where he was Chief Policy & Industry Relations Officer, to join the ICCL, where he is a Senior Fellow on its Information Rights Programme. He explained his decision to join the ICCL as follows:

“What happens in Dublin has global consequence. Big tech’s data use across the EU is regulated from Dublin. Failure to enforce the GDPR here puts all European citizens in jeopardy. I am joining ICCL to focus all of my energy on holding Big Tech – and its enforcers – to account.”

The new evidence shows the scale of the problem. According to Ryan’s research, Google’s RTB system sends Web site users’ highly personal data to 968 companies as a matter of routine. Google’s RTB data allows advertisers to target people profiled in a “substance abuse” category. Health conditions include “diabetes”, “chronic pain”, and “sleep disorders”. The industry-standard Internet Advertising Bureau’s RTB categories include “Incest & Abuse Support”, “Brain Tumor”, “Incontinence”, “Depression”, and “AIDS & HIV”. Specific uses of RTB data noted by Ryan include tracking the movements of people in Italy to check whether they were observing the Covid-19 lockdown there, and targeting LGBTQ+ people during the 2019 Polish Parliamentary election.

Moreover, the situation has deteriorated since Ryan’s original RTB complaint two years ago. The number of Web sites using Google’s RTB system has increased from 8.4 million to 13.5 million in that period. More broadly, the number of RTB broadcasts of personal data by three of the biggest RTB ad exchanges – OpenX, IndexExchange and PubMatic – has increased from 180 billion to 320 billion. That’s per day; overall, these three ad exchanges have made around 113.9 trillion RTB broadcasts in the last year, according to the ICCL figures.

Given this almost unimaginable scale of personal data that is being sent across the Internet every day, in a completely uncontrolled fashion, it is no wonder that online privacy is practically non-existent. These RTB broadcasts provide so much cumulative data about anyone using the Internet for any length of time that extremely detailed profiles of our most intimate interests can be built up.

What’s depressing is that this is not a new revelation. Precisely these issues were raised in Privacy News Online’s first article about RTB three years ago. But nothing has happened since to rein in the industry. On the contrary. Ryan’s work shows that according to every metric more personal data is being shared between more companies. It is impossible to prevent data leaks occurring while this is happening. The only solution, as this blog and many others have suggested, is to forbid this kind of micro-targeted advertising based on RTB.

The other urgent action is for the Irish DPC to get serious about policing privacy in the EU. The fact that no serious action has been taken in cases against two of the most powerful companies online suggests that this is not just a coincidence, but deliberate foot-dragging by the DPC. It’s clear why that might be the case. Ireland derives important revenues from these Internet companies, and so its government will naturally be reluctant to threaten that income by punishing them for GDPR breaches. Its fear will be that companies will move to other EU countries that are more lenient in this regard. The only way to prevent this race to the bottom for privacy is to institute a central data protection authority that serves the whole of the EU, and which enforces the GDPR strictly on behalf of all EU citizens.
