Ireland's privacy watchdog sued for inaction over 'massive Google data breach'

Ireland's evasive response to a major security complaint filed against Google's adtech the year the European Union's General Data Protection Regulation (GDPR) came into application is the target of a new lawsuit that accuses the Data Protection Commission (DPC) of years of inaction over what the complainants assert is "the largest data breach ever."

Today local press in Ireland reported that the Irish High Court has agreed to hear the suit.

The litigation has been prepared by the Irish Council for Civil Liberties (ICCL), whose senior fellow, Johnny Ryan, is named as the plaintiff.

At issue is the DPC's response to a long-running complaint about Google's role in the high-velocity trading of web users' personal data to determine which ads get served -- and, more specifically, the lack of attention the data-trading systems of the tracking-based advertising industry pay to security. (Security, of course, is a key principle of the EU's flagship data protection regime.)

The ICCL's suit thus accuses the DPC of a failure to act on what it couches as a "massive Google data breach."

Ryan will be familiar to anyone who's been following adtech's mounting legal woes in Europe as the driving force behind a series of complaints and lawsuits, since 2018, targeting the high-velocity trading of people's data for real-time ad auctions (real-time bidding, or RTB).

A former adtech insider turned whistleblower, Ryan has amped up pressure on the industry for reform through a series of strategic GDPR complaints. But, more recently, his complaints have increasingly targeted the DPC itself.

In September 2020, for example, he published a dossier of evidence highlighting how the online ad-targeting industry profiles internet users’ intimate characteristics without their knowledge or consent -- calling out the DPC for ongoing inaction over the RTB security complaint.

He has also lodged a complaint with the European Commission that led to an ombudsperson stepping in to look into the EU's own high-level monitoring of the (decentralized) application of the GDPR, which relies upon agencies in each member state to do the graft of investigating and enforcing violations of the law.

On the 2018 Google adtech complaint, the DPC has -- so far -- announced some procedural steps.

Following Ryan's original September 2018 complaint, which named both Google and the online ad industry body the IAB Europe (two key players in the RTB system), Ireland opened a formal inquiry into Google's adtech in May 2019. The regulator is the lead EU watchdog for Google.

However, Ireland did not open an inquiry based on the substance of Ryan's complaint; rather, it opened what's known as an "own-volition inquiry" -- saying it would seek to "establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the GDPR, including the lawful basis for processing, the principles of transparency and data minimisation, as well as Google’s retention practices," as it put it at the time.

Notably, the DPC did not say its inquiry would interrogate Google's role in RTB through a security lens -- despite the core of Ryan's complaint being that a system that "functions" by broadcasting highly sensitive data about people (browsing habits, device IDs, location, etc.) across the internet to intermediaries, with no way for the tracked users to control who receives their information or what gets done with it, is the opposite of secure.

So that's what Ryan, via the ICCL, is now pressing for: The lawsuit aims to force Ireland to investigate the security of RTB, an issue the regulator has so far seemed keen to avoid.

While RTB has faced a number of other GDPR complaints, in relation to issues like the legal basis for processing people's data in the first place, Ryan's complaint intentionally zeroed in on security as it seemed to offer the clearest route to demonstrating that something was very rotten in the state of adtech, as he explained to TechCrunch back in 2018.

"I'm trying to be as efficient as possible with every bit of litigation that we launch," Ryan tells us now. "For 3.5 years I have asked the Irish Data Protection Commission to investigate and act on the biggest data breach ever recorded. And it has not done so and as a result of that, every European has been exposed to this."

"The DPC is really good at muddying things," he adds. "This is a really nice, crisp, clear example of the DPC having Europe-wide responsibility for a really big issue that affects everybody -- everyone -- and it's not some small thing. And they haven't done anything. So there isn't really anything that I could do -- we have to sue them."

"If they don't act on this, they may as well not exist," he concludes.

Commenting on the suit in a statement, Liam Herrick, executive director of ICCL, added: “We are concerned that the rights of individuals across the EU are in jeopardy, because the DPC has failed to investigate Google’s RTB system over three and a half years since first notified by Johnny Ryan in 2018. The issue at stake here affects the rights of every European and we are going to court to see that digital rights are protected. Repeated attempts to get the DPC to take up this rights violation have failed.”

Last month, a flagship ad industry framework that was also targeted in complaints attached to RTB, the IAB Europe's Transparency and Consent Framework (TCF) -- which is routinely served to web users in the form of a "privacy choices" pop-up, asking people to consent to their data being used for ad-targeting in real-time ad auctions -- was found by Belgium's data protection authority to be in breach of the GDPR. (As was the IAB itself.)

The IAB has been given a few months to find a fix for a very long list of violations -- and some privacy experts argue this is likely an impossible task, given the systemic violations the TCF plugs into (and for which RTB is the core aim).

The Belgian authority was acting on similar RTB complaints to Ryan's that had been filed locally. (The IAB is overseen by Belgium's regulator, so Ireland would not be expected to lead on that branch of his complaint. However, Ryan also accuses Ireland of failing to pass on his original complaint to Belgium as the GDPR's one-stop-shop mechanism would surely intend.)

The laundry list of failures identified by the Belgian DPA with regards to the IAB's TCF very much features security -- with breaches of the security of processing, integrity of personal data, data protection by design and default among those listed in its final decision earlier this year.

Yet, despite security being clearly identified as a problem with a flagship industry framework that plugs into RTB (and, more than that, is intended to feed the system as a key strategic piece of adtech apparatus), the DPC's still ongoing investigation of Google's adtech -- using its own terms of reference -- does not mention "security."

In a timeline chronicling what the ICCL's press release couches as "3 ½ years of inaction," the civil liberties organization writes that on January 12 of this year the regulator finally said it had written a “statement of issues” of what it will investigate, vis-a-vis the Google complaint, but that statement "excludes data security -- the critical issue of the complaint."

It's not clear why the DPC has chosen to carve out security from its probe of Google's adtech.

Its plentiful critics would surely have thoughts on that. (Ryan says he has "no idea about their motives" when asked for a view -- suggesting "many people see conspiracy where there is merely cock-up" and "we do not know why there is this persistent inertia" -- hence "that's why we need an independent review.")

Reached for comment on the ICCL's lawsuit, deputy commissioner Graham Doyle declined wider remarks -- saying only that there's "not much to say at this stage beyond the fact that our investigation is progressing."

Ireland's data protection regulator continues to attract trenchant criticism over its circuitous (some might say labyrinthine) approach to GDPR enforcement -- especially in regards to cross-border complaints against major tech giants like Google and Facebook.

Civil society, consumer protection and digital and privacy rights groups, and individual experts have all blasted the regulator for years for dragging its feet on -- or simply avoiding -- properly investigating a string of major complaints and concerns, from systemic privacy and consent abuses to location tracking violations or indeed RTB's massive security question, even though these are the sorts of systemic issues which, if confirmed by investigation, implicate massive consumer harms that scale right across the bloc.

That also means these are the sorts of complaints that, were they to actually be enforced, could force wholesale reform of certain types of privacy-hostile data-mining business models.

It's notable that the handful of final decisions the DPC has issued against tech giants to date, since the GDPR began being applied in May 2018, have had to go through an objection resolution process baked into the regulation -- after other EU data protection agencies rejected Ireland's preference for lesser penalties. (See its 2020 security breach decision against Twitter and its 2021 transparency decision against WhatsApp.)

A draft DPC decision against Facebook that was made public by the complainant (against the DPC's wishes) last fall also looks laughably lenient. (That complainant also filed a criminal complaint against the regulator in November -- accusing the DPC of using “procedural blackmail” to try to gag it.)

It's not clear how quickly the ICCL lawsuit against the DPC might progress and potentially accelerate Ireland's GDPR enforcement of adtech. That may depend upon which of Ireland's courts chooses to hear it.

The regulator has faced a number of other legal challenges to its processes in recent years -- including a couple in relation to a long-running complaint against Facebook's EU-U.S. data transfers, one component of which it settled in January 2021 by agreeing to swiftly resolve the complaint. (However, a final decision on that issue is still pending.)

The U.K.'s Information Commissioner's Office, meanwhile, has also faced criticism over adtech inaction and litigation over RTB complaints starting in late 2020, after it closed a similar complaint without taking any enforcement action against the adtech industry (despite publicly acknowledging systemic lawlessness).

In that case, the legal action only went to a tribunal, which ultimately decided it lacked the jurisdiction to assess the validity of the outcome the ICO had claimed (but which the plaintiffs had sought to challenge).

A suit against the DPC that's heard in court should not face such powers-based uncertainties -- so if the ICCL and Ryan prevail in their arguments, the Irish regulator could face an order to investigate the security of Google's adtech that it can't simply ignore; it would be forced to enforce a security-minded cleanup of adtech. Which is quite a thought.

Google did not respond to a request for comment on the ICCL lawsuit.