Today, Ireland’s Data Protection Commission (DPC) has announced a major GDPR probe into “suspected infringement” by Google’s “DoubleClick/Authorized Buyers” advertising business. The probe was triggered by a formal complaint from Dr Johnny Ryan, Chief Policy Officer at Brave, the private web browser.

This week marks one year since the application of the GDPR.

The Irish Data Protection Commission has just announced that “a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange”.

Google’s DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, according to BuiltWith.[1] Dr Ryan’s evidence to the DPC revealed a massive and ongoing data breach in which Google’s DoubleClick/Authorized Buyers leaks intimate data about the people visiting these websites to thousands of companies every day. Article 5(1)(f) of the GDPR requires that personal data be tightly controlled. Article 5(1)(a) and (b) also require that individuals be adequately informed about what will happen to their data.

Google bought DoubleClick/Authorized Buyers for $3.1B in 2007.[2] It is a driver of Google’s $19.9B[3] revenue from ads served on publishers’ websites and relies on broadcasting users’ personal data, unbeknownst to them.

Ireland’s Data Protection Commission is Google’s lead authority under the GDPR. The DPC issued Google formal notice that it will now “conduct inquiry into suspected infringement” under Section 110 of Ireland’s Data Protection Act.[4] It has the power to order Google to completely stop using personal data in its advertising system, and also to impose significant financial penalties.[5] This comes as the first anniversary of the GDPR approaches on 25 May.

Key facts

Google DoubleClick/Authorized Buyers is installed on 8.4+ million websites.[6]

It broadcasts personal data about visitors to these sites to 2,000+ companies,[7] hundreds of billions of times a day.[8]

The data can include people’s locations, inferred religious, sexual, political characteristics, what they are reading, watching, and listening to online, and unique codes that allow long term profiles about each person to be built up over time.[9]

There is no control over what happens to the data once broadcast.[10]

This appears to be by far the largest leakage of personal data ever recorded.

The Irish Data Protection Commission is now investigating Google’s “suspected infringement” of the GDPR under Section 110 of the Irish Data Protection Act.

Article 5(1)(f) of the GDPR requires that personal data be tightly controlled.

Article 5(1)(a) and (b) of the GDPR require that individuals be adequately informed about what will happen to their data.

Google may be forced to stop processing all personal data for its DoubleClick/Authorized Buyers ad business, and may be fined up to 4% of global turnover.[11]

“Surveillance capitalism is about to become obsolete,” said Dr Ryan of Brave. “The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google. We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR”.

Dr Ryan submitted his formal GDPR complaint to the DPC in September 2018. Duplicate complaints were also submitted to the UK Information Commissioner by Jim Killock, Executive Director of the Open Rights Group, and Dr Michael Veale of University College London. Dr Ryan, Dr Veale and Mr Killock are represented by Mr Ravi Naik of ITN Solicitors in London.

In Poland, Katarzyna Szymielewicz, CEO of the Panoptykon Foundation, submitted duplicate complaints in January. Similar complaints were filed on 20 May 2019 in the Netherlands, Belgium, Spain and Luxembourg.

Google’s DoubleClick/Authorized Buyers is a data protection free zone.

Every time a person visits a website that uses Google’s DoubleClick/Authorized Buyers system, intimate personal data about them and what they are viewing is broadcast in a “bid request” to tens or hundreds of companies, to solicit bids from potential advertisers for the opportunity to show an ad to this specific visitor.[12] This occurs hundreds of billions of times every day,[13] and is the most massive leakage of personal data recorded so far.

Ravi Naik, a partner at ITN Solicitors instructed by the complainants, said “For too long, the AdTech industry has operated without due regard for the protection of consumer data. We are pleased that the Data Protection Commissioner has taken action. The industry must change”.

There is no limit on or control over what is done with this information about internet users.[14] For example, Google relies on self-regulatory guidelines that rely on the companies that receive its broadcasts to inform it if they are breaking its rules.[15] Google says that over 2,000 companies are “certified” in this way.[16] Google DoubleClick/Authorized Buyers sends intimate personal information about virtually every single online person to these companies, billions of times a day.

But under the GDPR, a company is not permitted to use personal data unless it tightly controls what happens to that data. Article 5(1)(f) of the GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.”[17]

What data about you could be broadcast when Google places an ad?

WHAT YOU ARE READING, WATCHING, OR LISTENING TO[18]

The specific URL you are loading, which shows what you are reading or watching. (Sometimes publishers using Google’s system prevent their URL from being shared.[19])

The category of content that you are reading/watching/listening to, from Google’s category list, including topics such as “eating disorders”, “left-wing politics”, “male impotence”, and “Judaism”.

YOUR DEVICE[20]

Identification codes that are unique to your device so that it and you can be recognized again. These codes are encrypted, but recipients can decrypt them too.[21] (Google claims to impose what it calls “special constraints” on this in “some circumstances”, but neither constraints nor circumstances are defined).[22]

Your device’s operating system and version, and web browser software and version (some of this “user agent” information may be partially redacted).[23]

Your device manufacturer, model, and version.

Height, width, and ratio of your screen.

Your language settings.

The mobile network carrier your device is using.

YOU[24]

Your Google ID, which is unique to your personal Google account (Google claims to impose what it calls “special constraints” on this in “some circumstances”, but neither constraints nor circumstances are defined).

Google’s “Cookie Match Service” results, which enable a company to determine if you are someone they already have a profile of, and to combine their existing data about you with new data in the bid request. (Google claims to impose what it calls “special constraints” on this in “some circumstances”, but neither constraints nor circumstances are defined).

Your interests, based on what you are reading/watching/listening to, from Google’s category list, including topics such as “eating disorders”, “left-wing politics”, “male impotence”, and “Judaism”.[25]

Whether the website visitor is present on a particular “user list” of targeted people (which may be a category previously decided by an advertiser, or the data broker they acquired the data from, based on the broker’s previous profiling of this particular person).

YOUR LOCATION[26]

Latitude and longitude.

Zip/postal code, or postal code prefix if a full post code is unavailable.

Whether the user is present within a small “hyper local” area.
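For a publisher or auditor who wants to check what a single bid request carries, the four groups above can be turned into a field inventory and a data-minimisation pass. This is an added example, not code from Brave, Google or the complaint. It assumes the field paths of the IAB OpenRTB 2.x bid request object (Google's own proto names its fields differently), and the sample request is constructed.

```python
import copy

# Assumption: IAB OpenRTB 2.x field paths, grouped under the article's headings.
CATEGORIES = {
    "WHAT YOU ARE READING, WATCHING, OR LISTENING TO": ["site.page", "site.cat"],
    "YOUR DEVICE": ["device.ifa", "device.ua", "device.make", "device.model",
                    "device.os", "device.osv", "device.h", "device.w",
                    "device.language", "device.carrier"],
    "YOU": ["user.id", "user.buyeruid"],
    "YOUR LOCATION": ["device.geo.lat", "device.geo.lon", "device.geo.zip"],
}

def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(bid_request):
    """Return {heading: [paths]} for every listed field that is populated."""
    found = {}
    for heading, paths in CATEGORIES.items():
        present = [p for p in paths if _get(bid_request, p) not in (None, "", [])]
        if present:
            found[heading] = present
    return found

def redact(bid_request):
    """Return a deep copy with every listed field removed; input is untouched."""
    clean = copy.deepcopy(bid_request)
    for paths in CATEGORIES.values():
        for p in paths:
            parent, leaf = p.rsplit(".", 1)
            node = _get(clean, parent)
            if isinstance(node, dict):
                node.pop(leaf, None)
    return clean

# Constructed sample request: every value here is invented for illustration.
SAMPLE = {
    "id": "constructed-1",
    "site": {"page": "https://news.example/health/article", "cat": ["IAB7"]},
    "device": {"ua": "Mozilla/5.0 (constructed)", "os": "Android",
               "ifa": "00000000-0000-0000-0000-000000000000",
               "language": "en", "geo": {"lat": 53.3, "lon": -6.2}},
    "user": {"id": "constructed-user"},
}
```

Running `audit(SAMPLE)` lists the populated fields under each heading, and `audit(redact(SAMPLE))` should come back empty.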

Contact:

Dr Johnny Ryan

johnny@brave.com

Notes:

[1] DoubleClick.Net Usage Statistics, (URL: https://trends.builtwith.com/ads/DoubleClick.Net).

[2] “Google Buys DoubleClick for $3.1 Billion”, New York Times, 14 April 2007 (URL: https://www.nytimes.com/2007/04/14/technology/14DoubleClick.html).

[3] Alphabet Inc. Form 10-K, for the fiscal year ended 31 December 2018 (URL: https://abc.xyz/investor/static/pdf/20180204_alphabet_10K.pdf?cache=11336e3).

[4] Section 110, Data Protection Act 2018 (URL: http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/pdf).

[5] Article 58 (2) (f) and (i), General Data Protection Regulation.

[6] DoubleClick.Net Usage Statistics, (URL: https://trends.builtwith.com/ads/DoubleClick.Net).

[7] “Ad Exchange Certified External Vendors”, Google Authorized Buyers (URL: https://developers.google.com/third-party-ads/adx-vendors), last updated 18 April 2019.

[8] “Number of bid requests per day”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/4-appendix-on-market-saturation-of-the-systems.pdf).

[9] See “Ryan report on behavioral advertising and personal data” (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf) and “Examples of data in a bid request from IAB OpenRTB and Google Authorized Buyers’ specification documents” (URL: https://fixad.tech/wp-content/uploads/2019/02/3-bid-request-examples.pdf); and “Google’s publisher verticals list” (URL: https://brave.com/wp-content/uploads/Google-publisher-verticals-marked-up.pdf), evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 and 20 February 2019.

[10] “Ryan report on behavioral advertising and personal data”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf); see also “pubvendors.json v1.0”, an IAB document presented in evidence to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/2-pubvendors.json-v1.0.pdf).

[11] Article 58 (2) (f) and (i), GDPR.

[12] “Ryan report on behavioral advertising and personal data”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf).

[13] “Number of bid requests per day”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/4-appendix-on-market-saturation-of-the-systems.pdf).

[14] “Ryan report on behavioral advertising and personal data”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf); see also “pubvendors.json v1.0”, an IAB document presented in evidence to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/2-pubvendors.json-v1.0.pdf).

[15] Authorized Buyers Program Guidelines, Google Authorized Buyers, last updated 22 August 2018 (URL: https://www.google.com/doubleclick/adxbuyer/guidelines/).

[16] “Ad Exchange Certified External Vendors”, Google Authorized Buyers, last updated 18 April 2019 (URL: https://developers.google.com/third-party-ads/adx-vendors).

[17] Article 5(1)(f), GDPR.

[18] All items in this list are drawn from “Authorized Buyers Real-Time Bidding Proto”, Google Authorized Buyers (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).

[19] “Set your mobile app inventory to Anonymous or Branded in Ad Exchange”, Google Ad Manager Help (URL: https://support.google.com/admanager/answer/6274457?hl=en&visit_id=637187726616969336-4042047488&rd=1).

[20] All items in this list are drawn from “Authorized Buyers Real-Time Bidding Proto”, Google Authorized Buyers (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).

[21] See “Decrypt Advertising ID”, Authorized Buyers, Google (URL: https://developers.google.com/authorized-buyers/rtb/response-guide/decrypt-advertising-id).

[22] See “User Data Treatments”, Google Authorized Buyers (URL: https://developers.google.com/authorized-buyers/rtb/request-guide).

[23] “Certain data may be redacted or replaced”, see “user_agent” in “Authorized Buyers Real-Time Bidding Proto”, Google, 5 September 2018 (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).

[24] All items in this list are drawn from “Authorized Buyers Real-Time Bidding Proto”, Google Authorized Buyers (URL: https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).

[25] “Google’s publisher verticals list” (URL: https://brave.com/wp-content/uploads/Google-publisher-verticals-marked-up.pdf), evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019.