Irish Examiner

‘Unacceptab­le’ delay in dealing with Google ‘privacy crisis’

- Cianan Brennan

One of Ireland’s most prominent civil advocacy groups has launched a stinging attack on the Office of the Data Protection Commission (DPC) in a letter to the minister for justice, questionin­g the commission’s ability to successful­ly advance “urgent investigat­ions”.

The Irish Council for Civil Liberties’ ( ICCL) executive director Liam Herrick has written to Minister Helen

McEntee to express its unhappines­s at the “unacceptab­le” delay in actioning a complaint first delivered to t h e D P C by its now-employee, Dr Johnny Ryan, two years ago today.

That complaint revolved around Google’s online marketing process of real- time bidding ( RTB), which sees users receive advertisin­g based on profiles created using their internet activity and personal data.

The DPC launched an own- volition inquiry into that system in May 2019.

Last Monday, Dr Ryan submitted a dossier of files to the DPC, stating that realtime bidding has grown exponentia­lly in that two-year period, leading to detailed profiling of Irish citizens, including those possibly suffering from HIV/Aids or substance-abuse issues.

Asked for comment, deputy commission­er with the DPC Graham Doyle said: “The investigat­ion has progressed and a full update on the next steps has been provided to the concerned party.

“The DPC must operate under the legal framework that constrains it and issues of risk that the DPC has identified are being appropriat­ely addressed in accordance with that framework.”

In his letter, seen by the Irish Examiner, Mr Herrick described the ICCL as being “deeply concerned” at the perceived failure of both the State and the DPC “to take effective measures to enforce the GDPR [general data protection regulation] in the two years since it was formally notified of this privacy crisis”.

“RTB is the most massive data breach ever recorded,” Mr Herrick said. “The DPC’s failure to act is of critical importance because it is the lead supervisor­y authority for Google in the European Economic Area,” he said.

“Continued failure will further harm citizens and damage tation.”

In his letter, Mr Herrick stated the ICCL’s belief “that it is incumbent on the Government and your department to establish whether the DPC is capable of advancing urgent investigat­ions of this nature”.

While he acknowledg­ed that the DPC operates independen­tly of Government, he stated that it is the Government’s duty, under GDPR, to provide its regulator with

Ireland’s repu

“the human, technical, and financial resources, premi s e s , a n d i n f r a s t r u c t u re necessary for the effective performanc­e of its tasks”.

“We suggest that your department should examine whether the actual effective regulatory output of the DPC indicates that it has adequate resources, including technical and procedural competence, to discharge the tasks required of it,” he said.

The DPC had 70 GDPR investigat­ions in progress at the end of 2019. Just two fines under GDPR have been applied by the commission to date, both to child and family agency Tusla in May this year, although a number of investigat­ions are close to a final decision, according to the DPC.

Under GDPR, regulators have the power to apply fines of up to € 20m or 4% of a firm’s annual global turnoverfo­r non-compliance. For Irish State bodies, the maximum fine is €1m.

Newspapers in English

Newspapers from Ireland