Ireland’s data watchdog criticized for allowing ad tech to continue with ‘biggest breach of all time’




The Irish Council for Civil Liberties (ICCL) today published an evidence dossier detailing how the online advertising industry profiles the intimate characteristics of Internet users without their knowledge or consent, increasing pressure on the country’s data watchdog to take enforcement measures against what the complainants claim is “the biggest data breach of all time.”

The publication follows a two-year-old complaint filed with the Irish Data Protection Commission (DPC) alleging the unlawful exploitation of personal data through the programmatic advertising process known as real-time bidding (RTB), including the dominant RTB systems devised by Google and the Interactive Advertising Bureau (IAB).

The Irish DPC opened an investigation into Google’s online Ad Exchange in May 2019, following a complaint filed by Dr. Johnny Ryan (then at Brave, now a senior ICCL member) in September 2018, but two years after that complaint, it, like so many major cross-border GDPR cases, remains unresolved.

And indeed, multiple RTB complaints have been filed with EU regulators, but none have yet been resolved. It’s a major black mark against the bloc’s flagship data protection framework.

“September 2020 marks two years since my formal complaint to the Irish Data Protection Commission regarding the ‘Real Time Bidding’ data breach. This submission demonstrates the consequences of two years of non-compliance,” Ryan writes in the report.


Among the highlights of the ICCL dossier are the following:

  • Google’s RTB system sends data to 968 companies;
  • that a data brokerage company that uses RTB data to profile people influenced the 2019 Polish parliamentary elections by targeting LGBTQ+ people;
  • that a profile created by a data broker with RTB data allows users of the Google system to target 1200 people in Ireland profiled in a “substance abuse” category, with other health condition profiles offered by the same broker from data available through Google including “Diabetes”, “Chronic Pain” and “Sleep Disorders”;
  • that the IAB RTB system allows users to target 1,300 people in Ireland profiled in an “AIDS and HIV” category, based on a data broker profile created with RTB data, while other categories from the same data broker include “Incest & Support Abuse”, “Brain Tumor”, “Incontinence” and “Depression”;
  • that a data broker that collects RTB data tracked the movements of people in Italy to see if they observed the Covid-19 lockdown;
  • that a data broker that unlawfully profiled Black Lives Matters protesters in the United States was also allowed to collect RTB data on Europeans;
  • that the industry template for profiles includes intimate personal characteristics such as “Infertility”, “STDs” and “conservative” politics.

Under EU data protection law, personal information that relates to intimate and highly sensitive topics, such as health, sexuality, and politics, is what is known as special category personal data. The processing of this type of information generally requires the explicit consent of the users, with only very limited exceptions, such as to protect the vital interests of the data subjects (and serving behavioral advertisements would clearly not meet that requirement).

Therefore, it is difficult to see how the current practices of the targeted advertising industry can comply with EU legislation, despite the massive scale at which Internet user data is processed.

In the report, the ICCL estimates that just three ad exchanges (OpenX, IndexExchange, and PubMatic) have made around 113.9 billion RTB broadcasts in the last year.

“Google’s RTB system now sends people’s private data to more companies and from more websites than when DPC was notified two years ago,” he writes. “A single ad exchange using the IAB RTB system now sends 120 billion RTB transmissions in one day, a 140% increase from two years ago when the DPC was notified.”

“Real-Time Bidding operates behind the scenes on websites and applications. It constantly broadcasts the private things we do and see online, and where we are in the real world, to countless companies. As a result, we are all an open book to data brokerage companies and others, who can create intimate dossiers about each of us,” he adds.

Reached for a response to the report, Google sent us the following statement:

We enforce strict privacy protocols and standards to protect people’s personal information, including industry-leading safeguards on the use of data for real-time bidding. We do not allow advertisers to select ads based on sensitive personal data and we do not share sensitive personal data, browsing histories or people’s profiles with advertisers. We conduct ad buyer audits on the Google ad exchange, and if we find violations of our policies, we take action.

We also reached out to IAB Europe for comment on the report. A spokeswoman told us that she would give an answer tomorrow.

In response to the ICCL’s submission, DPC Deputy Commissioner Graham Doyle sent this statement: “The DPC has provided extensive recent updates and correspondence on this matter, including a meeting. The investigation has progressed and a complete update on next steps has been provided to the stakeholder.”

However, in a follow-up to Doyle’s comments, Ryan told TechCrunch that he “has no idea” what the DPC is referring to when it mentions a “full update.” On “next steps,” he said the regulator informed him that it will produce a document that will establish what it believes the problems are, within four weeks of his letter, dated September 15.

Ryan expressed particular concern that the DPC investigation does not appear to cover security, which is the crux of the RTB complaints, as the GDPR security principle imposes an obligation on processors to ensure that data is handled in an appropriately secure manner and protected against unauthorized processing or loss. (Whereas RTB broadcasts personal data over the Internet, leaking highly sensitive information in the process, based on previous evidence collected by the complainants.)

He told TechCrunch that the regulator finally sent him a letter, in May 2020, in response to his request to know what the scope of the investigation is, saying that it is examining the following issues:

  • Whether Google has a legal basis for the processing of personal data, including special category data, for the purposes of targeted advertising through the Authorized Buyers mechanism and, specifically, for the collection, exchange and combination of personal data collected by Google with other companies/partners;
  • How Google fulfills its transparency obligations, in particular with regard to Articles 5(1), 12, 13 and 14 of the GDPR;
  • The legal basis/bases for the retention of personal data processed by Google in the context of the Authorized Buyers mechanism and how it complies with Article 5(1)(c) regarding the retention of personal data processed through the Authorized Buyers mechanism.

We have asked the DPC to confirm whether its investigation of Google’s ad technology is also examining compliance with Article 5(1)(f) of the GDPR and will update this report with any responses.

The DPC did not respond to our question about the timing for any draft decision on Ryan’s complaint from two years ago. But Doyle also directed us to work it has done this year around cookies and other tracking technologies, including guidance on compliant usage, adding that the regulator has set out its intention to begin related enforcement from next month, when a six-month grace period for the industry to comply with the rules on tracking elapses.

The regulator also pointed to another related open investigation, into adtech veteran Quantcast, also from May 2019 (that investigation followed a submission by privacy rights group Privacy International).

The DPC has said that the Quantcast investigation is examining the claimed legal basis for processing Internet user data for ad targeting purposes, as well as considering whether transparency and data retention obligations are being met. It’s also unclear whether the regulator is looking at data security in that case. A summary of the scope of the Quantcast inquiry in the DPC’s annual report states:

In particular, the DPC is examining whether Quantcast has complied with its obligations in relation to the processing and aggregation of personal data that it carries out for the purpose of profiling and using the profiles generated for targeted advertising. The inquiry examines how and to what extent Quantcast fulfills its obligation to be transparent with people about what it does with personal data (including the sources of collection, combination and making available of its customer data) as well as Quantcast’s personal data retention practices. The inquiry will also examine the legal basis on which the processing occurs.

While Ireland remains under enormous pressure over the glacial pace of cross-border GDPR investigations, given that it is the lead regulator for many of the major technology platforms, it is not the only EU regulator accused of sitting on its hands when it comes to enforcement.

The UK data watchdog has faced anger for failing to act on RTB complaints, despite acknowledging systematic violations. In its case, after months of regulatory inaction, the ICO announced at the beginning of this year that it had “stopped” its investigation into the processing of personal data of Internet users by the industry, due to business interruption as a result of the COVID-19 pandemic.
