Irish court ruling over Google ad practices could have global impact

An Irish civil liberties group went to court late this week to accuse the Irish Data Protection Commission (DPC) — the national independent authority responsible for upholding data privacy rights across Europe — of failing to properly investigate Google’s online advertising system, which it says is responsible for the biggest data breach ever recorded.

Because of the DPC’s position as an arbiter for data privacy practices across Europe, the court’s decision in the case, expected later this year, could potentially have a significant impact on online advertising practices worldwide.

The Irish Council for Civil Liberties (ICCL) has asked the Irish High Court to force the DPC to investigate the Google system, which produces personalized ads that populate millions of websites. ICCL says the technology often harvests deeply sensitive personal data that Google then sells to advertisers targeting individuals worldwide.

Johnny Ryan, an ICCL senior fellow and “real-time bidding” expert who once worked in the industry, is the plaintiff in the case, which the Irish High Court is expected to rule on later this year. Ryan first brought his claims to the DPC in 2017 and submitted a formal European General Data Protection Regulation complaint in 2018, ICCL said in a statement.

Ryan, who considers himself a whistleblower, says Google’s Real-Time Bidding (RTB) system moves at a lightning-fast pace as it auctions user data to tracking firms, which then bid on specific advertising slots targeting types of individuals.

Google’s profiling and ad targeting happens billions of times a day “in the split seconds as web pages and apps are loaded,” according to the ICCL statement.

ICCL asserts that Google’s own documents show it sends individuals’ data to Russian and Chinese companies, among others. It says the data Google shares reveals users’ sexual preferences, religion, ethnicity, illnesses, political views and physical locations — and that the company even sends marketers individual identification codes that allow them to “maintain living dossiers about your activity and movements in the real world.”

“For five years, the DPC has refused to investigate this primary concern,” the ICCL statement said. “Instead, it bypassed the complaint and launched a separate investigation in 2019 that excluded the data breach from its scope.”

Google did not respond to a request for comment. DPC Deputy Commissioner Graham Doyle said in a statement that while it is inappropriate for him to comment on a matter in active litigation, “the DPC will be strongly defending its position.”

DPC denied all of Ryan’s claims in court this week and said it had not put off investigating assertions Ryan made five years ago, according to the Irish Independent newspaper. The commission also told the court it had opened its own probe in 2019 and said that investigation remains active, the Independent reported.

DPC has a history of strongly enforcing privacy violations and in May levied a $1.3 billion fine against Meta for its treatment of users’ data, saying the Facebook and Instagram parent must stop transferring it to the U.S. within 5 months. DPC alleged that Meta continued to transfer data despite a court ruling in 2020 which struck down an EU-U.S. data transfer pact.

Meta told Reuters at the time that it would appeal the decision, citing the “unjustified and unnecessary fine that sets a dangerous precedent for countless other companies.”

Despite this track record Ryan said that in the face of what ICCL called Google’s “highly invasive profiling,” the DPC has failed to uphold its responsibilities under the 2018 Data Protection Act and GDPR, according to the Independent.

Industry data ICCL said it obtained shows that the online activity and location of the average Irish web user is revealed on average 392 times a day by the RTB industry, in which it said Google is the “dominant actor.”

“Google’s European totals are staggering,” the ICCL’s statement said, alleging the company exposes the data of web users 42 billion times a day on the continent.

ICCL’s statement noted that while Google is the dominant player in the industry other companies are also culpable. One unnamed company sold RTB data that identified Irish sexual abuse survivors, ICCL said.

“ICCL reported this to the DPC,” the statement said. “To ICCL’s knowledge, no action was taken.”

Suzanne Smalley

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.