Data brokers illegally collect users’ sensitive information: report

Google and several data brokers are violating the EU’s privacy rules by harvesting people’s personal information to build highly detailed online profiles, including some firms’ collection of information on sexual orientation, health status and religious beliefs, according to a report published on Monday.

The accusations – from Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, an NGO – come 18 months after Ireland’s privacy regulator began a probe into how Google collects and shares people’s online information for its advertising business.

Several other European data protection authorities subsequently received separate complaints about so-called real-time bidding (RTB), a system by which advertisers use data to target people with paid-for messages when they surf the web.

The online advertising industry, including Google, says it has bolstered privacy protections since the European Union started enforcing its updated rules, known as the General Data Protection Regulation, or GDPR, more than two years ago.

But Ryan, who filed a complaint with the Irish privacy regulator about these data practices in September 2018, said that little had changed since the new rules came online two years ago.

He called on Ireland’s Data Protection Commission (DPC) to act swiftly to clamp down on what he believed were wide-scale breaches of people’s online privacy, including the use of online profiles to target individuals around sensitive topics like whether they had AIDS and to influence voters during elections.

Ryan said the real-time bidding system, which broadcast web users’ online behavior and habits to multiple advertising companies and data brokers, infringed on the region’s privacy rules that required data to be kept secure and used proportionately.

“The [Irish Data Protection] Commission has failed to stop that ongoing biggest data breach in history and as a consequence people across Europe and in Ireland are exposed to intimate profiling including of health conditions and political views and location over time, because the RTB system leaks that data into the data broker market,” he said, in reference to Ireland’s privacy regulator.

Because Dublin is home to many of the world’s largest tech companies like Google and Facebook, it has the responsibility to oversee how they comply with Europe’s privacy standards.

Under the region’s data protection rules, sensitive data, including information about a person’s health status, sexual orientation or religious beliefs, must be handled more carefully than other information, and companies have to explicitly ask individuals if such information can be collected about them.

“The question for Ireland and the Irish government that must be answered is whether DPC is capable of advancing critical urgent investigations of this nature,” he added. “Does it have adequate resources, including technical and procedural competence to discharge its tasks?”

In response, Ireland’s privacy agency said that it had met with Ryan to discuss his concerns and that work on its Google investigation continued. The watchdog also has a separate ongoing probe into the data practices of Quantcast, a major online advertising firm, though it has yet to bring an enforcement action or fine against any non-Irish company or organization under Europe’s privacy rules.

“The investigation has progressed and a full update on the next steps [was] provided to the concerned party,” said Graham Doyle, deputy commissioner at Ireland’s privacy agency, in reference to Ryan’s complaint about how Google and others collect and use people’s data. He declined to comment on what the next steps would be or when a decision would be taken in the investigation into the search giant.

Google said that it also had safeguards in place to protect people’s personal data, including in its real-time bidding network.

“We do not allow advertisers to select ads based on sensitive personal data and we do not share people’s sensitive personal data, browsing histories or profiles with advertisers,” Alex McPhillips, a Google spokesman, said in a statement.

In his report, Ryan outlines what he says are ongoing privacy failures by many of the world’s largest online advertising firms and data brokers linked to the global real-time bidding industry.

That includes OnAudience, a data broker that holds data on people in almost every country on the planet, according to its website.

It used that information, for instance, to target 1.4 million people who supported gay rights during last year’s Polish parliamentary election, based on a company presentation. To do that, OnAudience created online profiles of people based on whether they had read, watched or searched for content associated with LGBTQ+ rights ahead of the vote, and used that data for a get-out-the-vote campaign for a local group.

The company also uses its database to allow clients to target people who have displayed an interest in other sensitive data topics such as AIDS and HIV, diabetes, incest and abuse support. Such information is considered sensitive and must be handled with additional care under Europe’s privacy rules.

An OnAudience representative did not respond to a request for comment. On its website, the company says that it only collects anonymized data on people’s online activities and that its services comply with the region’s data protection standards.

“The most intimate thing about anyone that you can buy is their health data because this dictates their life expectancy, their ability to pay their mortgage, the risk of giving them health insurance and potentially influences decisions about whether to employ them,” Ryan said.

The source: POLITICO