On May 22, CNBC broke the news that Ireland’s data protection regulator had initiated an investigation into Google’s potentially improper exposure of personal data within its programmatic platform, in violation of GDPR. The investigation was launched due to a complaint from Dr. Johnny Ryan, Brave’s Chief Privacy Officer.

According to the statement on its site, the Irish Data Protection Commission (DPC) said, “The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR). The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”

Ryan’s complaint is more than just with Google. It’s about how the entire programmatic ecosystem uses and disseminates data. In a pdf report, Ryan argues that the data sharing inherent in the current real-time bidding (RTB) framework improperly exposes personal data without corresponding protection:

The overriding commercial incentive for many ad tech companies is to share as much data with as many partners as possible, and to share it with partner or parent companies that run data brokerages. Clearly, releasing personal data into such an environment has high risk.

Despite this high risk, RTB establishes no control over what happens to these personal data once an SSP or ad exchange broadcasts a “bid request”. Even if bid request traffic is secure, there are no technical measures that prevent the recipient of a bid request from, for example, combining them with other data to create a profile, or from selling the data on. In other words, there is no data protection.

During a conference last year, Ryan expressed the view that programmatic advertising is incompatible with GDPR. Data about user behavior, site visitation and identity are sent out to solicit bids for ad placements. Ryan argues that, once the data is in the bid stream, it is vulnerable to misappropriation, which creates significant legal exposure for publishers and advertiser.

In the report, Ryan tried communicating these concerns to the IAB a number of times over the the past couple years, which got dismissed. This all resulted in the formal complaint. Ireland is where Google’s European Headquarters is located.

A statement was released by Google in response to the news of the investigation:

“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorized buyers using our systems are subject to stringent policies and standards.”

Source –Greg Sterling