The Irish Data Protection Commission (DPC) announced on Wednesday that it has launched an investigation into whether the processing of Google's personal data as part of its ad exchange violates the rules of the General Data Protection Regulation. (GDPR).
According to Dr. Ryan,
Google's DoubleClick / Authorized Buyers advertising system is active on 8.4 million websites [and] It is a driver of Google's $ 19.9B revenue from ads posted on publishers 'websites and is based on the transmission of users' personal data, without their knowledge.
From the announcement of the DPC:
Derived from the ongoing examination by the Data Protection Commission of compliance with data protection in the area of personalized online advertising and a series of presentations to the Data Protection Commission, including those made by Dr. Johnny Ryan de Brave, a legal investigation in accordance with section 110 The Data Protection Act of 2018 was initiated with respect to the processing of personal data of Google Ireland Limited in the context of its online Ad Exchange.
Formal complain of brave
In September, Ryan filed a formal complaint, both with the Office of the Information Commissioner (ICO) in the United Kingdom and with the Irish DPC, against Google and other advertising technology firms. Next to him, in the complaint, were the Executive Director of Open Rights Group, Jim Killock and Michael Veale, of University College London.
The complaint states that Google's DoubleClick / Authorized Buyers advertising system is filtering personal data from website visitors to thousands of companies, without people being aware, unable to give their consent or empowered to do anything about it. .
The complaint refers to what is called the Ryan report: a report by Dr. Ryan that details how the marketing ecosystem for behavioral advertising interacts with people's personal data.
On Wednesday, Dr. Ryan testified before the US Senate Judiciary Committee. UU On the central issues of the complaint and Ryan's report: namely, the confidential personal information that is transmitted about us almost every time we visit a website that uses "real information". Tender time announcement auctions.
In these ad auctions, information about us is transmitted to tens or hundreds of tracking companies, said Dr. Ryan. Those tracking companies allow advertisers to compete for the opportunity to show us an ad.
Johnny Ryan (@johnnyryan) May 21, 2019
Advertising is necessary to finance the publication of content, so everything is fine, right? I might think so until I hear what's in that "great broadcast," Ryan said:
It can include your – inferred – sexual orientation, political views, be it Christian, Jewish or Muslim, etc., if you have AIDS, erectile dysfunction or bipolar disorder. Include what you are reading, watching and listening. It includes your location, sometimes up to your exact GPS coordinates. And it includes unique identification codes that are as specific to you as your social security number, so that all of this data can be linked to you, continuously, over time. This allows companies you've never heard of to keep an intimate profile of you and what motivates you, and of all the people you've met.
It's happening "hundreds of billions of times a day," said Dr. Ryan, and none of that is necessary for "smart advertising." Nor does it generate many benefits, he said, referring to research at Carnegie Mellon University. that will be published next month, which shows that profile networks only generate an additional 4% of revenue: US $ .00008 additional per ad.
If you agree, the DPC could cause harm.
The Irish DPC may impose large fines: companies that do not comply with GDPR face fines of up to 20 million euros (US $ 22.36 million) or 4% of the annual global turnover of an organization.
The BBC got this answer when it asked Google about the probe:
We will fully participate in the investigation of the CPD and appreciate the opportunity to further clarify Europe's data protection rules for real-time bidding. Authorized buyers who use our systems are subject to strict policies and standards.
The DPC will also review Google's data retention practices.
For its part, the CPO of Brave predicts that "surveillance capitalism is about to become obsolete."
The action of the Irish Data Protection Commission indicates that now, almost a year after the introduction of the GDPR, a change is taking place that goes beyond Google. We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risks under the GDPR.