Membership is FREE!   Professional Designations for Business & Technology Professionals


Web sites shared over 100 trillion pieces of our personal data last year: time to stop real-time bidding’s blatant disregard of privacy

3 Mins read

Last week Privacy News Online wrote about developments in the long-running battle between the privacy campaigner Max Schrems and Facebook. One of the key issues there is the failure by the Irish Data Protection Commission (DPC) to act on the initial complaint made by Schrems seven years ago. That matters, because under EU law, Ireland is effectively the data protection agency for the whole of the European Union. Like Facebook, Google too has its European headquarters in Dublin. That means complaints against the company must also be dealt with by Ireland’s DPC. As this blog reported two years ago, just such a complaint was submitted to both the UK and Irish data protection authorities, regarding the use of real-time bidding systems (RTB) by Google. The problem of RTB, and how it goes against core requirements of the EU’s GDPR legislation, was first discussed here three years ago, with updates noting the serious implication for privacy. The UK’s Information Commission Office published the preliminary results of its investigation into RTB (since paused because of Covid-19) last year, and they didn’t look good for Google. The Irish DPC has been very slow to take action. As a result, one of the people involved in the initial complaint, Johnny Ryan, has released new evidence of how serious the problem is:

September 2020 is the two year anniversary of my formal complaint to the Irish Data Protection Commission about the Real-Time Bidding privacy crisis. In these two years, RTB has been allowed to continue to infringe Article 5(1)f of the GDPR, which requires security of personal data. In fact, this vast data breach appears to have worsened.

Today, we at the ICCL [Irish Council for Civil Liberties] submitted evidence to the DPC that show the consequence of failure to enforce the GDPR to stop the vast RTB data breach at the heart of the online advertising industry.

Ryan’s hand has been strengthened by his move last month from the software company Brave, where he was Chief Policy & Industry Relations Officer, to join the ICCL, where he is a Senior Fellow on its Information Rights Programme. He explained his decision to join the ICCL as follows:

What happens in Dublin has global consequence. Big tech’s data use across the EU is regulated from Dublin. Failure to enforce the GDPR here puts all European citizens in jeopardy. I am joining ICCL to focus all of my energy on holding Big Tech – and its enforcers – to account.

The new evidence shows the scale of the problem. According to Ryan’s research, Google’s RTB system sends Web site users’ highly-personal data to 968 companies as a matter of routine. Google’s RTB data allows advertisers to target people profiled in a “substance abuse” category. Health conditions include “diabetes”, “chronic plain”, and “sleep disorders”. The industry-standard Internet Advertising Bureau’s RTB categories include “Incest & Abuse Support”, “Brain Tumor”, “Incontinence”, and “Depression”, and “AIDS & HIV”. Specific uses of RTB data noted by Ryan include tracking the movements of people in Italy to check whether they were observing the Covid-19 lockdown there, and targeting LGBTQ+ people during the 2019 Polish Parliamentary election.

Moreover, the situation has deteroriated since Ryan’s original RTB complaint two years ago. The number of Web sites using Google’s RTB system has increased from 8.4 million to 13.5 million in that period. More broadly, the number of RTB broadcasts of personal data by three of the biggest RTB ad exchanges – OpenX, IndexExchange and PubMatic – has increased from 180 billion to 320 billion. That’s per day; overall, these three ad exchanges have made around 113.9 trillion RTB broadcasts in the last year, according to the ICCL figures.

Given this almost unimaginable scale of personal data that is being sent across the Internet every day, in a completely uncontrolled fashion, it is no wonder that online privacy is practically non-existent. These RTB broadcasts provide so much cumulative data about anyone using the Internet for any length of time that extremely detailed profiles of our most intimate interests can be built up.

What’s depressing is…

Read The Full Article

Related posts

'We don't collect subscribers' genetic, religious, health and sexual data,' Airtel clarifies

2 Mins read
Airtel has said that it does not collect any sensitive data related to subscribers’ genetic data, religious or political beliefs, and health…

European Privacy Regulator Turns Up Heat on Ad Tactics Used by Google and Rivals

2 Mins read
Belgium’s data-protection authority takes aim at collection of personal information in digital-ad auctions Tactics Google and other large online-ad players use in…

Privacy guidance for manufacturers of Internet of Things devices

13 Mins read
Overview As a manufacturer of Internet of Things (IoT) devices, you are responsible for the personal information under your control and have…

Yes, I have read and live by this Code of Ethics - We are BIZTEK, located in Mississauga, Ontario. Business Certification is an important part of doing business in Canada. Join us to set new standards and professionalism to the technology sector. We will email you regarding issues that affect business and technology professionals in Canada. Contact us at or call us at 647 499 2744. You can unsubscribe at any time.


Leave a Reply

Your email address will not be published. Required fields are marked *