Irish Regulators Begin Investigating Google For GDPR Infringement

Real-time bidding (RTB) is under the gun in Europe.

On Wednesday, Ireland’s Data Protection Commission (DPC) opened a formal investigation into whether Google’s ad-exchange data-processing practices violate the General Data Protection Regulation (GDPR).

GDPR celebrates its first birthday on May 25.

A complaint filed in September 2018 with regulators in Ireland and the United Kingdom triggered the probe. It argued that RTB is analogous to a systematic data breach: Consumers usually have no idea – let alone give consent – that nearly every time they visit a website, their personal browsing history is tied to a unique identifier used for behaviorally targeted advertising.

The original complaint, brought by Johnny Ryan, chief policy officer at web browser Brave, and two other privacy advocates, called out IAB Europe, ad tech vendors in general and Google in particular for its role in facilitating the programmatic ecosystem.

The Irish investigation will only consider whether Google Ireland’s processing of personal data through its online ad exchange violates the law.

As Google’s lead authority in Europe under GDPR, the Irish DPC has the power to order Google to stop using personal data in its ad products and to impose hefty fines.

“It is likely that the RTB industry will have to clean up after this – no more data Wild West,” Ryan told AdExchanger. “Our colleagues at the IAB and Google will have to consider how to operate in a way that protects personal data … I suspect the best way to do that is to remove personal data from the bid request.”

The Irish DPC’s decision in this case will be binding on other data protection authorities (DPAs), unless an objection is filed, Ryan said.

In January, Ryan and his watchdog crew enlisted a Polish digital privacy rights group to bring the same complaint in Poland. Earlier this week, the complaint spread to DPAs in the Netherlands, Spain, Belgium and Luxembourg.

Google’s privacy troubles this week were not restricted to the EU. On Tuesday, AppNexus founder and former CEO Brian O’Kelley called for Google’s breakup when he testified before the Senate Judiciary Committee.

O’Kelley derided the “advertising antitrust exemption,” or current antitrust law that is built around pricing but doesn’t really apply to free, ad-supported services.

Ryan also testified Tuesday during the same digital advertising, data privacy and online competition hearing as O’Kelley, along with two professors and a lawyer for good measure.

“The GDPR is risk-based, and that means big tech companies that create big risks get big scrutiny and face the prospect of big penalties,” Ryan told the committee. “Regulators are slowly starting to enforce, but it’s early days, and it will take years for the GDPR to have full effect. But things, I think, are already looking very bleak for our colleagues at Google and at Facebook.”



  1. Ramon Jimenez

    In light of the California Consumer Protection Act (that comes into effect January 2020), this will be an interesting enforcement test case. With a population of 4.8 million, Ireland maintains a data privacy unit of 140 officers to enforce GDPR, while the California Attorney General will only have a staff of 23 for a population of 39.5 million Californians.

  2. The biggest difference with CCPA (versus GDPR) is that CCPA focused on the sale/exchange of a consumer’s data, whereas GDPR is broader in scope and attempts to give users upfront control of their data use in general. The number of resources doesn’t feel as out of balance when you take scope into consideration.