A GDPR complaint has been submitted by the owners of the Brave internet browser with authorities in Ireland and the UK in connection with privacy breaches caused by Google and other ad tech firms.
Chief Policy Officer for Brave, Dr. Johnny Ryan, issued a statement on Brave.com which said that his company thinks that Google and other advertising companies release private user data during a process titled ‘bid request’ – this is a process that involves a user being shown a specific type of advert when they visit a website. Brave said that the code for these ad slots gathers a massive amount of user data and sends it back to the advertising service, distributing the site visitor’s data to potential ad buyers who wish to use a process referred to as real-time bidding (RTB) to display an online advertisement to that specific user.
Dr Ryan remarked: “A data breach occurs because this broadcast, known as a ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.”
Brave claims that a range of the data exposed along with these bid requests includes what the user is viewing online, location data, IP address, device details, and a number of different tracking IDs.
Brave aims to use Article 62 of GDPR legislation to initiate an EU-wide investigation on how Google and the digital advertising industry are using private personal data. Brave claims that Google and other ad tech firms are sharing that data with advertisers without the knowledge of individuals, and this may be breaching Article 5(1) of GDPR, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.”
Brave are being backed up in their official GDPR complaint by Open Rights Group and Michael Veale of University College London. Jim Killock of the Open Rights Group commented: “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.
It is envisaged that the GDPR complaints will result in an official investigation by the European Union, and locally in Ireland and the UK. In the statement issued Dr Ryan stated: “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data.”
A Google representative told ZDNet, a business technology news agency: “We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalised advertising.”