‘Unacceptable’ delay in dealing with Google ‘privacy crisis’
One of Ireland’s most prominent civil advocacy groups has launched a stinging attack on the Office of the Data Protection Commission (DPC) in a letter to the minister for justice, questioning the commission’s ability to successfully advance “urgent investigations”.
The Irish Council for Civil Liberties’ ( ICCL) executive director Liam Herrick has written to Minister Helen
McEntee to express its unhappiness at the “unacceptable” delay in actioning a complaint first delivered to t h e D P C by its now-employee, Dr Johnny Ryan, two years ago today.
That complaint revolved around Google’s online marketing process of real- time bidding ( RTB), which sees users receive advertising based on profiles created using their internet activity and personal data.
The DPC launched an own- volition inquiry into that system in May 2019.
Last Monday, Dr Ryan submitted a dossier of files to the DPC, stating that realtime bidding has grown exponentially in that two-year period, leading to detailed profiling of Irish citizens, including those possibly suffering from HIV/Aids or substance-abuse issues.
Asked for comment, deputy commissioner with the DPC Graham Doyle said: “The investigation has progressed and a full update on the next steps has been provided to the concerned party.
“The DPC must operate under the legal framework that constrains it and issues of risk that the DPC has identified are being appropriately addressed in accordance with that framework.”
In his letter, seen by the Irish Examiner, Mr Herrick described the ICCL as being “deeply concerned” at the perceived failure of both the State and the DPC “to take effective measures to enforce the GDPR [general data protection regulation] in the two years since it was formally notified of this privacy crisis”.
“RTB is the most massive data breach ever recorded,” Mr Herrick said. “The DPC’s failure to act is of critical importance because it is the lead supervisory authority for Google in the European Economic Area,” he said.
“Continued failure will further harm citizens and damage tation.”
In his letter, Mr Herrick stated the ICCL’s belief “that it is incumbent on the Government and your department to establish whether the DPC is capable of advancing urgent investigations of this nature”.
While he acknowledged that the DPC operates independently of Government, he stated that it is the Government’s duty, under GDPR, to provide its regulator with
“the human, technical, and financial resources, premi s e s , a n d i n f r a s t r u c t u re necessary for the effective performance of its tasks”.
“We suggest that your department should examine whether the actual effective regulatory output of the DPC indicates that it has adequate resources, including technical and procedural competence, to discharge the tasks required of it,” he said.
The DPC had 70 GDPR investigations in progress at the end of 2019. Just two fines under GDPR have been applied by the commission to date, both to child and family agency Tusla in May this year, although a number of investigations are close to a final decision, according to the DPC.
Under GDPR, regulators have the power to apply fines of up to € 20m or 4% of a firm’s annual global turnoverfor non-compliance. For Irish State bodies, the maximum fine is €1m.