Complaint alleges that Google is circumventing GDPR with RTB personal data sharing

A year ago, Brave’s Chief Policy Officer Dr. Johnny Ryan filed a complaint against Google before the Irish Data Protection Commission (DPC). Calling it a “massive data breach,” the complaint alleged that Google’s programmatic platform, Authorized Buyers (formerly DoubleClick Ad Exchange), improperly and routinely exposes personal data in violation of the EU’s General Data Protection Regulation (GDPR).

The complaint is not simply aimed at Google, it’s an indictment of the entire RTB/programmatic ecosystem as presently operated in Europe.

Alleged GDPR workaround. New evidence presented by Brave to the Irish DPC claims to be a “smoking gun” of sorts. Ryan and Brave ague that Google uses a “a surreptitious mechanism” to share personal data with third parties as a “GDPR workaround that circumvents Google’s own publicly stated GDPR data safeguards.”

This discovery was based on research (pdf) conducted by Brave and a third party, analyzing Ryan’s own browsing behavior on Chrome. “Analysis of the network log shows that [Ryan’s] personal data has been processed in Google’s Authorized Buyers RTB system. It further shows that Google has also facilitated the sharing of personal data about the Data Subject between other companies.”

‘Push pages’ allow data matching. Brave labels this data-sharing mechanism “Push Pages,” which are generated to log browsing behavior for the purpose of sharing it with third parties, according to Brave, and are unique to individuals. These are “hidden pages,” hosted by Google, that share identifiers with third parties when a page is loaded. This permits matching of browsing data with third-party data and “allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”

Ryan and Brave assert these “hidden” push pages allow for extensive and personalized data sharing to happen among hundreds and even thousands of companies participating in the auction. Under the framework of GDPR, Ryan argues this is a “data breach” or “leakage” of potentially sensitive personal data (i.e., location, political views, religion, health conditions, etc.) that can be used to identify an individual.

In the U.S. all this would be perfectly legal. But under GDPR, as alleged, it is not.

In response to the allegations Google spokesperson said, “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC — as Google’s lead DPA — and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”

Why we should care. Ryan argues that RTB must “reform” and that the Irish investigation and investigations in other EU countries will force major changes in the way the programmatic ecosystem works. What that potentially means is an end to any and all non-consensual data sharing. Ryan’s position is that everyone participating in RTB (publishers, advertisers, martech) is now subject to potential liability under GDPR.

In the U.S. none of this applies. However, what happens in Europe is and will be influential in shaping the privacy debate and U.S. policy going forward.