Approximately 3 to 4 years ago, Dr. Johnny Ryan, a senior member of the Irish Council of Civil Liberties (ICCL), initiated a legal case against the Data Protection Commission (DPC) in the high court. He alleged that the DPC had inadequately addressed a significant data breach that occurred on Google’s servers.
However, Mr. Justice Garrett Simons rejected the claim, asserting that the DPC was the appropriate entity to investigate any instances of data breach or misuse involving the servers of private American technology firms, such as Google, a subsidiary of Alphabet Inc.
Ryan, responsible for highlighting data protection concerns at ICCL, contended that Google was abusing its authority by exploiting user personal data for Real Time Bidding (RTB) analysis carried out by a third party. This practice involved targeting advertisements based on users’ web browsing activities, which contravened the 2018 Data Protection Act and the General Data Protection Regulation (GDPR). These regulations strictly prohibited web companies from sharing substantial amounts of data with third parties.
In his lawsuit, Ryan asserted that the DPC had merely observed the situation without delving into a comprehensive investigation.
Contrary to this, DPC, represented by Joe Jeffers in the high court, argued that an inquiry had been initiated in 2019 and was still ongoing. The watchdog, headquartered in Ireland, assured that once the 2019 inquiry concluded, it would examine Ryan’s allegations. This approach aimed to expedite and enhance the handling of data misuse concerns.
Dr. Johnny Ryan dismissed these assertions, stressing that the delay in proceedings was providing the advertising giant with extra time and fostering a misguided belief that the law favored their actions. This could potentially bolster the internet powerhouse’s confidence in the legitimacy of its existing data handling procedures.
It’s important to note that a comparable complaint lodged by Dr. Ryan gained traction with the International Advertising Bureau (IAB) Europe and is currently under review by the Belgian Data Protection Authority, also known as the Belgian DPA.