The Irish Council for Civil Liberties (ICCL) is taking the Irish Data Protection Commission (DPC) to the High Court, which has jurisdiction over civil cases in Ireland, according to local press reports of March 14. The association, in the person of Johnny Ryan, criticizes the DPC for its handling of a 2018 complaint against Google and IAB Europe.
A case that has lasted for 3 long years
The year the General Data Protection Regulation (GDPR) came into force in the European Union, Johnny Ryan filed a complaint against Google’s advertising technologies and the IAB. This complaint related more specifically to the operation of Real-Time Bidding (RTB), a method used for personalized targeting of online advertisements.
RTB is a technology for selling advertisements in real time. Its operation on Google’s advertising platforms is accused of using personal data without authorization and sharing it with several actors, without notifying users. For the ICCL, this technology violates several points of the GDPR.
For Johnny Ryan, his complaint was not handled properly by the DPC. He told TechCrunch: “For 3.5 years I have called on the Irish Data Protection Commission to investigate and act on the biggest data breach on record. And it didn’t, so all Europeans were exposed to this case.”
The DPC opened a formal investigation into Google’s RTB in May 2019 and notified Johnny Ryan. According to the latter, the Irish regulator decided to exclude the data security aspect from its investigation, even though it is the most important one in his eyes. He adds that his request was not processed within a reasonable time.
Formally, the DPC is competent only on elements involving Google. Under the one-stop-shop system, GDPR-based complaints are submitted to the regulator of the country where the head office of the accused company is located. Since Google’s European headquarters is in Ireland, the DPC is competent; the IAB, for its part, is under the responsibility of the Belgian regulator.
The IAB, for example, was recently condemned in Belgium for its Transparency & Consent Framework (TCF), used by many sites to collect user consent. On this point, Johnny Ryan accuses the DPC of not having transmitted his complaint to the regulator concerned.
Faced with this action, Graham Doyle, deputy commissioner of the DPC, simply told TechCrunch that he did not have “much to say at this stage, except that our investigation is progressing”.
The bad reputation of the DPC precedes it
For more than a year, the DPC has been attracting criticism from all over the old continent for its slowness, and even its leniency, in dealing with complaints. A corruption complaint was even filed against it by Max Schrems, a leading European data privacy advocate.
The Commission is all the more exposed because a large number of European head offices of digital companies are concentrated in Ireland. Some EU governments believe that it is responsible for the partial application of the GDPR and hope to change the one-stop-shop system. This new procedure against the DPC will not improve its image.