Google’s lead data regulator in Europe has opened a formal investigation into its processing of personal data in the context of its online Ad Exchange, TechCrunch has learnt.
This follows a privacy complaint pertaining to adtech’s real-timing bidding (RTB) system filed under Europe’s GDPR framework last year.
The statutory inquiry into Google’s adtech that’s being opened by the Irish Data Protection Commission (DPC), cites section 110 of Ireland’s Data Protection Act 2018, which means that the watchdog suspects infringement — and will now investigate its suspicions.
The DPC writes that the inquiry is “to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation, including the lawful basis for processing, the principles of transparency and data minimisation, as well as Google’s retention practices”.
We’ve reached out to Google for comment. Update: A Google spokesperson said: “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards.”
As we reported earlier this week complaints about the RTB system used by online advertisers have been stacking up across Europe.
The relevant complaint in this instance was lodged last fall by Dr Johnny Ryan of private browser Brave, and alleges “wide-scale and systemic breaches of the data protection regime” by Google and others in the behavioral advertising industry.
Where Google is concerned the complaint focuses on its DoubleClick/Authorized Buyers ad system.
In a nutshell, the RTB complaints argue the system is inherently insecure — and that’s incompatible with GDPR’s requirement that personal data is processed “in a manner that ensures appropriate security”.
Commenting on the Irish DPC opening an inquiry in a statement, Ryan said: “Surveillance capitalism is about to become obsolete. The Irish Data Protection Commission’s action signals that now — nearly one year after the GDPR was introduced — a change is coming that goes beyond just Google. We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR”.
Similar complaints against RTB have been filed in the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands.
Ireland is leading the investigation of Google’s adtech as the company designates Google Ireland as the data controller for EU users.