- Ireland’s data watchdog is the lead regulator for Google in Europe, because the ad giant’s European HQ is in Dublin.
- The watchdog faces questions about whether it is up to the job, after dragging out an investigation into Google’s ad practices for more than a year.
- The probe centers on allegations that Google processes and shares intimate data with third-party brokers in a way that breaches EU privacy rules.
- Regulators across the EU have come under fire for having insufficient resources to uphold privacy regulation.
The regulator tasked with policing Google in Europe is under pressure to prove it’s up to the job.
The non-profit Irish Council for Civil Liberties (ICCL) has written to Ireland’s Minister for Justice Helen McEntee to ask if Ireland’s Data Protection Commission is capable of acting on claims that Google violates EU citizens’ data privacy.
The letter marks the two-year anniversary of a complaint lodged by ICCL fellow and privacy expert Johnny Ryan.
Ryan formerly worked at privacy-focused browser Brave, a competitor to Google’s Chrome.
The commission is still investigating allegations by Ryan that Google provides companies with sensitive data, including around people’s political and sexual orientation, through an online ad placement mechanism called real-time bidding (RTB).
RTB is the automated, superfast process by which companies bid for the opportunity to put their ads in front of people online. That bid is informed by data gathered by platforms such as Google, and is often highly sensitive.
Ryan alleges that the broadcasting of this information through ad exchanges allows third parties, such as data brokers, to profile people in breach of the EU’s GDPR data privacy laws.
He complained in September 2018, describing the practice as a “massive and systematic data breach” and the commission opened an investigation into Google’s Ad Exchange in May 2019. It’s still ongoing.
“For some reason, there seems to be a great reluctance and hesitation to act on what appeared to me to be really clear-cut cases,” Ryan said.
Earlier in September, he sent more documents to the commission to back up his claims.
One document details how data management platform OnAudience used RTB data to profile 1.4 million people’s views on LGBTQ+ rights, and then used this information to influence the country’s election in 2019.
Another document shows how OnAudience profiled people in Ireland who regularly visit websites on sensitive topics such as AIDS, brain tumors, and support for incest and abuse.
Ryan said: “The figures that I’ve been releasing are showing hundreds and hundreds of billions of these real time bidding auctions happening every day. So that’s hundreds of billions of data breaches every day and the [commission] has not acted to solve that problem in two years.”
Ireland is home to the European headquarters of tech giants such as Google, Apple, and Facebook and so is at the forefront of the battle to protect data rights.
“[We want the letter] to make a case for the Irish regulator basically being a roadblock for any sensible GDPR enforcement across the European Union,” added Ryan. “We want to urge the minister, because she can’t investigate the [commission] because it’s an independent body, to investigate whether it has the capacity to undertake its tasks.”
He adds: “It’s time for the Irish government to acknowledge that it does not have a capable enforcer.”
Some EU regulators are still underfunded
Some privacy regulators have criticized their counterparts in other EU countries for delays and inaction.
Ireland’s DPC has come under particular fire, including from Germany’s federal data protection commissioner.
From 2016 to 2019, regulators in the EU increased their budgets and staff by almost 50%, but some countries still need more resources, per a report by the Wall Street Journal.
Last year, Ireland’s Data Protection Commission received less than a third of the additional funding it requested from the Irish government, bringing its total funding allocation to €16.9 million ($20 million).
A lack of funding significantly curbs a regulator’s ability to uphold GDPR regulation effectively, according to Zoé Vilain, chief strategy and privacy officer at Jumbo Privacy, a startup that helps people to manage their data privacy.
“I think that in every case in the justice system it’s always about money and the fact that they don’t have enough money to do their work,” said Vilain. “If you’re the lead authority for more companies than other member states, then you should have more money to deal with this case. That’s just obvious, otherwise you’re going to be swamped and you’re not going to be able to do your job.”
Claims such as those brought forward by the ICCL help to raise public awareness about privacy, she added.
“The more stories where we can show that they do shocking stuff like this, maybe public opinion is going to shift and make privacy a priority for the next five years,” she says. “I think the whole ad industry has to like rebuild itself to be compliant with GDPR.”