A GDPR complaint has been filed by the operators of the Brave internet browser with authorities in Ireland and the UK in relation to privacy breaches caused by Google and other ad tech companies.
Chief Policy Officer for Brave, Dr. Johnny Ryan, released a statement on Brave.com which said that his company believes that Google and other advertising companies release private user data during a process called ‘bid request’ – this is a process that involves a user being presented a specific type of advert when they visit a website. According to Brave, the code for these ad slots collate a massive amount of user data and sends it back to the advertising platform, distributing the site visitor’s data to potential ad buyers who wish to use a process known as real-time bidding (RTB) to display an online advertisement to that specific user.
Dr Ryan said: “A data breach occurs because this broadcast, known as a ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.”
Brave alleges that a variety of the data exposed along with these bid requests includes what the user is viewing online, location information, IP address, device details, and a number of different types of tracking IDs.
Brave hopes to use Article 62 of GDPR legislation to spark an EU-wide investigation on how Google and the digital advertising industry are managing people’s private data. Brave claims that Google and other ad tech companies are sharing that data with advertisers without the knowledge of individual users, and this may be in direct violation of Article 5(1) of GDPR, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.”
Brave are being supported in their official GDPR complaint by Open Rights Group and Michael Veale of University College London. Jim Killock of the Open Rights Group said “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.
It is hoped that the GDPR complaints will lead to official investigation by the European Union, and locally in Ireland and the United Kingdom. In the statement released Dr Ryan said: “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data.”
A Google spokesperson told ZDNet, a business technology news website, that “We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalised advertising.”