Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR

Dublin, Ireland and London, United Kingdom, Wednesday, 12 September 2018 — Simultaneous complaints have been filed with European data protection authorities against Google and other ad tech firms.

The complainants are being made by Dr Johnny Ryan of Brave, the private web browser, Jim Killock, Executive Director of the Open Rights Group, and Michael Veale of University College London. The complaint notifies European regulators of a massive and ongoing data breach that affects virtually every user on the web. The documents submitted in this complaint are available at the bottom of this page.

Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.

The GDPR, Article 5, paragraph 1, point f, requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” If you can not protect data in this way, then the GDPR says you can not process the data.

Bid request data can include the following personal data:

  • What you are reading or watching
  • Your location
  • Description of your device
  • Unique tracking IDs or a “cookie match”.
    This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you
  • Your IP address (depending on the version of “real time bidding” system)
  • Data broker segment ID, if available.
    This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of  bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data”

The complaint refers to specific tables in the technical specifications of the RTB bid request system used by advertising technology companies, and Google’s proprietary RTB system, to show exactly which data are involved (see detail in complaint documents at link).

Article 5 (1) f of the GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” But there is no control over the intimate personal data in RTB bid requests once they have been broadcast.

Ravi Naik, a Partner at ITN Solicitors who worked with David Carroll on the Cambridge Analytica complaint to the UK Information Commissioner, is working on the case.

Mr Naik said “We have been instructed by clients in numerous jurisdictions to file complaints concerning the behavioural advertising industry. The complaints have been lodged with a number of data protection authorities, with a request for a Europe-wide investigation into the industry using new powers within the GDPR. Those complaints are significant and the consequences could be far reaching. We are confident that any proper appraisal by the authorities of the concerns will lead to a fundamental shift in our relationship with the internet, for the better”.

The complaint – filed simultaneously with the Irish Data Protection Commissioner and the UK Information Commissioner – requests joint supervisory investigation by European Regulators under Article 62 of the GDPR. This appears to be the first action of this nature since the application of the GDPR.

Jim Killock of the Open Rights Group said “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.

Files submitted in this complaint: 

Contact:
Johnny Ryan
Phone: +353 876725770
X (formerly Twitter): @johnnyryan
Email: johnny@brave.com

Press coverage:

Related articles

Why Brave Disables FLoC

Brave opposes FLoC, a recent Google proposal that would have your browser share your browsing behavior and interests by default with every site and advertiser with which you interact.

Read this article →

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web cleaner, faster, and safer for people all over the world.

close

Almost there…

You’re just 60 seconds away from the best privacy online

If your download didn’t start automatically, .

  1. Download Brave

    Click “Save” in the window that pops up, and wait for the download to complete.

    Wait for the download to complete (you may need to click “Save” in a window that pops up).

  2. Run the installer

    Click the downloaded file at the top right of your screen, and follow the instructions to install Brave.

    Click the downloaded file, and follow the instructions to install Brave.

  3. Import settings

    During setup, import bookmarks, extensions, & passwords from your old browser.

Need help?

Get better privacy. Everywhere!

Download Brave mobile for privacy on the go.

Download QR code
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo