Irish Data Protection Commissioner Under Fire for Allowing Real-Time Bidding

Last updated June 28, 2021
Written by: Bill Toulas, Infosec Writer

The Irish Data Protection Commissioner (DPC), which is actually one of the most active and strict GDPR enforcers in Europe, is accused of knowingly allowing what is characterized as the “biggest data breach of all time: Real-Time Bidding.” The grave accusations come from the Irish Council for Civil Liberties (ICCL), which reportedly warned the Irish DPC about the violations over two years ago.

This is the same topic that we covered exactly one year ago, publicized by Dr. Johnny Ryan again.

The evidence now presented by the ICCL points to multiple infringements of Article 5(1) of the GDPR, which refers to the security of personal data. The culprit for these violations is Google and its vast network of advertisers.

The ICCL data involves 968 companies that were receiving sensitive data from Google, profiling internet users, and learning a lot about their private lives. From their health status and potential problems they’re facing to their political views and their movements during COVID-19 lockdowns, everything is allegedly for sale to data brokers.

[Image: proof of dossier. Source: ICCL]

As J. Ryan explains, these companies don’t have to honor any limitations on how they use this data. They can practically pass it on to more companies without Google or the user ever knowing about it. In the case of a data leak, there are no requirements to verify what has happened to that data, so GDPR’s provision for personal information security is basically thrown out of the window in its entirety.

The consequences of this unlimited use and data sharing can be dire and widespread. AI-based systems could use these secret dossiers to understand what you care about and help retailers maximize selling prices to you. They could also exclude you from a job position that has just opened, or have a political group micro-target you and influence your view of the world with fake news.


So, this “underground” deal between Google and some advertisers was reported to the Irish DPC two years ago, but none of the EU-based privacy watchdogs took any action. On the contrary, things have reportedly gotten even worse, as all data protection commissions looked elsewhere and focused on imposing penalties for way more superficial violations.

Maybe Google’s real-time bidding system was too big and overwhelming for them to even investigate, but this isn’t an excuse for not even a single office launching a probe against the tech giant during these last two years.


