Yesterday CNBC broke the news that Ireland’s data protection regulator had initiated an investigation into Google’s potentially improper exposure of personal data within its programmatic platform, in violation of GDPR. The investigation was launched in response to a formal complaint from Brave’s Chief Privacy Officer Dr. Johnny Ryan.
It’s about more than Google. In a statement on its site, the Irish Data Protection Commission (DPC) said, “The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR). The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”
Yet Ryan’s complaint isn’t just about Google, it’s about the way the entire programmatic ecosystem uses and disseminates data. Indeed, Ryan argues in a report (.pdf) that the data sharing inherent in the current real-time bidding (RTB) framework improperly exposes personal data without corresponding protection:
The overriding commercial incentive for many ad tech companies is to share as much data with as many partners as possible, and to share it with partner or parent companies that run data brokerages. Clearly, releasing personal data into such an environment has high risk.
Despite this high risk, RTB establishes no control over what happens to these personal data once an SSP or ad exchange broadcasts a “bid request”. Even if bid request traffic is secure, there are no technical measures that prevent the recipient of a bid request from, for example, combining them with other data to create a profile, or from selling the data on. In other words, there is no data protection.
Complaint argues RTB now incompatible with GDPR. I saw Ryan speak at a conference in Europe last year pre-GDPR. He expressed the view that programmatic advertising (as currently constituted) is incompatible with GDPR. Data about user behavior, site visitation and identity are sent out to solicit bids for ad placements. Once in the bid stream, this data is vulnerable to misappropriation, Ryan argues. This creates significant legal exposure for publishers and advertisers, he says.
Ryan writes in his report that he tried to communicate these concerns to the IAB several times over the course of the past couple of years, but they were dismissed, resulting in his formal complaint. Ireland is where Google’s European Headquarters reside.
Google issued a statement in response to news of the investigation: “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorized buyers using our systems are subject to stringent policies and standards.”
Why you should care. Ryan reportedly filed his complaint to the Irish DPC in September, 2018. Identical or very similar complaints were submitted by others in the UK, the Netherlands, Belgium, Spain and Poland. This is really an indictment of the current state of programmatic advertising and not just Google. Ryan would probably argue that gaining additional consent for broader data use cases (i.e., IAB consent framework 2.0) is unlikely to cure the “structural” problems he identifies.
We won’t know the outcome of the Irish investigation for some time. However, it’s likely that changes in RTB will be mandated. The question is whether those changes will be relatively minor or go to the heart of how data is exposed and processed in programmatic advertising.