Google and other ad tech firms have been accused of a massive and systematic data breach by three privacy campaigners.
“There is a massive and systematic data breach at the heart of the behavioral advertising industry,” says Dr Johnny Ryan of Brave, the private web browser.
He, along with Jim Killock, Executive Director of the Open Rights Group, and Michael Veale of University College London, has claimed that Google and other ad tech firms are responsible for a “massive and ongoing data breach that affects virtually every user on the web.”
They have addressed their complaint to European data protection authorities.
Article 5, paragraph 1, point f, of the GDPR says that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” Citing this clause, the trio of campaigners say that “Every time a person visits a website and is shown a ‘behavioural’ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies.”
Dr Ryan said: “Despite the two year lead-in period before the GDPR, ad tech companies have failed to comply. Our complaint should trigger an EU-wide investigation into the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data.”
Jim Killock of the Open Rights Group said “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.
Ravi Naik, a Partner at ITN Solicitors who worked with David Carroll on the Cambridge Analytica complaint to the UK Information Commissioner, is working on the case.
Mr Naik said “We have been instructed by clients in numerous jurisdictions to file complaints concerning the behavioural advertising industry. The complaints have been lodged with a number of data protection authorities, with a request for a Europe-wide investigation into the industry using new powers within the GDPR. Those complaints are significant and the consequences could be far reaching. We are confident that any proper appraisal by the authorities of the concerns will lead to a fundamental shift in our relationship with the internet, for the better”.
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.