A report by the Irish Council for Civil Liberties (ICCL) has criticised the Data Protection Commission (DPC) for alleged inaction on illicit profiling of web users by online advertising industry data brokers.

Highly-personal information on web users’ health conditions, political views, and location, gleaned from their browsing habits, are being bought and sold in the ‘dark data’ market, the ICCL believes.

User location

The data breach occurs in online advertising’s real-time bidding (RTB) system which gleans both user location and browsing information from websites and apps.

However, the DPC has said that it has given the complainants extensive updates, meetings and correspondence on the matter.

“The investigation has progressed and a full update on the next steps provided to the concerned party,” Graham Doyle, deputy DPC commissioner told the Irish Examiner this morning.

The ICCL report includes a list of 968 companies that search behemoth Google allegedly feeds with information about users’ private browsing habits.

This data builds an intimate profile for targeted advertising.

'Obscenely large amounts of data'

One RTB platform refers to buyers getting ‘obscenely large amounts of data for free,’ the ICCL report says.

Web users can try to avoid this data collection though using secure browsers such as Duck Duck Go which does not track data, browsing in a private window, and installing ad blockers.

Brave is a free open-source web browser with a built-in ad blocker. 

RTB information for sale includes a bundle of 1,200 Irish people in a ‘substance abuse’ category, and gathering other web users under headings such as ‘diabetes’ (3,500 people), ‘chronic pain’ (4,900 people), and ‘sleep disorder’ (3,900).

A total of 1,300 people in Ireland have been profiled in an AIDS and HIV category.

Other categories from the same data broker include ‘incest and abuse support’ (200 people), brain tumour (100 people), and ‘incontinence’ (200 people).

Characteristics 

‘Infertility’, ‘STD’ and ‘conservative’ are other intimate personal characteristics profiled by ad brokers.

Personal information such as affluence, monthly mortgage payments or debt levels are also gleaned, and users have also been coded by their religious beliefs.

The ICCL claims this is an infringement of article 5(1) f of the EU’s General Data Protection Regulation (GDPR), which requires appropriate security of the personal data, including protection against unauthorised or unlawful processing.

Now a senior fellow at the ICCL, Dr Johnny Ryan reported the matter to the DPC in September 2018, when he was working in the private sector.

Subsequently, the DPC started an investigation into Google Ireland’s processing of personal data through its online Ad Exchange in May 2019.

The probe’s goal is to establish whether or not the data processed by Google as part of its online advertising auctions is compliant with GDPR rules.

Intimate data

Dr Ryan said: “Today, two years after I formally notified the DPC about the RTB privacy crisis, my intimate data continues to be broadcast to countless companies through the RTB system.

“So does yours.”

The DPC has Europe-wide GDPR supervisory authority for Dublin-headquartered Google.

The ICCL report also says that Google sends data from its real-time bidding system to 1,218 companies listed as ‘certified external vendors’ , which are in receipt of data outside the EU.