Irish Data Protection Commission opens investigation into Google Ad Exchange

23 May 2019

Data Protection Commissioner Helen Dixon. Image: Luke Maxwell

The Irish Data Protection Commission has officially launched its first investigation into tech giant Google.

The Irish Data Protection Commission (DPC) has officially mounted a statutory inquiry into the processing of personal data by Google Ireland’s Ad Exchange business. This marks the data watchdog’s first investigation into Google in particular and the 19th investigation into a large tech company.

The purpose of the inquiry is to determine whether the processing of personal data carried out at each stage of advertising transactions is in compliance with the relevant provisions of GDPR. The ad service will also be examined in terms of GDPR principles of transparency and data minimisation, as well as Google’s retention practices.

The investigation was triggered by numerous submissions made to the DPC, including those by Dr Johnny Ryan, chief policy officer at private web browser Brave. The company contends that when a person visits a website, their personal data is passed on to scores of companies for the purpose of placing tailored ads.

“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding,” the representative said. “Authorised buyers using our systems are subject to stringent policies and standards.”

Google was hit this year with a €50m fine in France over breaches of EU privacy laws in what was the first case of a US tech multinational being caught out under GDPR.

Under GDPR, organisations can be fined up to €20m or 4pc of their annual turnover, whichever is highest. Google’s revenue last year was $136bn, with advertising being its largest single source of income.

The complaint in France, enforced by French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés), charged Google with failing to comply with GDPR in instances where Android users followed the Android onboarding process when setting up a new phone. Similar to the case being undertaken by the DPC, the case in France revolved around failure to obtain adequate consent when processing data for the purpose of creating personalised advertising.

The DPC has opened investigations into numerous multinational tech companies headquartered in Ireland since 25 May 2018, including Facebook and its subsidiary WhatsApp, as well as Google, Twitter and LinkedIn.

Data Protection Commissioner Helen Dixon confirmed plans for these inquiries after appearing at a hearing of the US Senate committee on commerce, science and transportation. The hearings sought to examine consumer expectations for data privacy in the digital age.

In April 2019, the Irish DPC was the subject of a damning report by Brussels-based Politico. The report pointed out that Ireland is the designated lead regulator of GDPR globally by virtue of the fact that many of the world’s largest tech companies have their “place of central administrations” in Dublin.

The Politico report alleged that Dixon and the DPC were “in bed with the companies it regulates” and thus had failed to sufficiently enforce data privacy regulations.

Updated, 11:30am, 24 May 2019: This article was amended to clarify the timeline of investigations opened by the Data Protection Commission.

Eva Short was a journalist at Silicon Republic