EMBARGO – Monday, 20 May 2019, 4AM GMT



GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry. This week marks one year since the introduction of the GDPR.

The new complaints have been filed by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (Bits of Freedom), Jef Ausloos (University of Amsterdam), Pierre Dewitte (University of Leuven), and Jose Belo (Exigo Luxembourg). Today’s filings extend the complaints initially filed in Ireland, the UK and Poland, to a total of seven EU countries. This week marks one year since the GDPR.

“We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products”, said Gemma Galdon Cavell, CEO of Eticas. “Data protection is a legal requirement must be translated into practices and technical specifications”.

Every time a person visits a website that uses RTB systems, intimate personal data about them and what they are viewing is broadcast in a “bid request” to tens or hundreds of companies, to solicit bids from potential advertisers’ for the opportunity to show an ad to this specific visitor. The data can include people’s exact locations, inferred religious, sexual, political characteristics, what they are reading, watching, and listening to online, and unique codes that allow long term profiles about each person to be built up over time.

As today’s GDPR complaints show, this occurs hundreds of billions of times every day, and is the most massive leakage of personal data recorded so far.

Google’s DoubleClick (recently renamed “Authorized Buyers”) is active on 8.4 million websites, and broadcasts personal data about visitors to these sites to over 2,000 companies. The next biggest ad exchange is AppNexus, owned by AT&T, which conducts 131 billion personal data broadcasts every day.

There is no control over what happens to the data once broadcast, which is similar to the Facebook data leakage that enabled Cambridge Analytica to profile people, but for the fact that it is far greater in scale. For example, Google relies on self-regulatory guidelines that rely on the companies that receive its broadcasts to inform it if they are breaking its rules. Google says that over 2,000 companies are “certified” in this way. Google DoubleClick/Authorized Buyers sends intimate personal information about virtually every single online person to these companies, billions of times a day.

Under the GDPR, a company is not permitted to use personal data unless it tightly controls what happens to that data. Article 5 (1)(f) requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss”.

Notes to editors:

In September 2018, Dr Johnny Ryan, of the privacy browser Brave, submitted a formal GDPR complaint to the Irish DPC. Simultaneous complaints were submitted to the UK Information Commissioner by Jim Killock, Executive Director of Open Rights Group and Dr Michael Veale of University College London. In January 2019, Katarzyna Szymielewicz, CEO of the Panoptykon Foundation in Poland submitted a complaint.