16. @johnnyryan
Put a company’s data under the microscope.
17. @johnnyryan
1. An organization collects some personal data. It is lawful.
18. @johnnyryan
1. An organization collects some personal data. It is lawful.
2. The organization has many purposes that it wants to use the data for.
19. @johnnyryan
1. An organization collects some personal data. It is lawful.
2. The organization has many purposes that it wants to use the data for.
3. The organization has an internal data free-for-all.
20. @johnnyryan
1. An organization collects some personal data. It is lawful.
2. The organization has many purposes that it wants to use the data for.
3. The organization has an internal data free-for-all.
4. But this is vulnerable to enforcement of GDPR Article 5(1)b.
21. @johnnyryan
Many purposes. But few lawful data.
42. RTB external data free-for-all: Many companies trading personal data without any control.
Big tech’s internal data free-for-all: One big company cross-using personal data beyond intended purpose, and bundling consents.
43. The market requires both internal & external GDPR enforcement
1. Big tech operates an internal data free-for-all. It cross-uses personal data from its many disparate services for its advertising business.
44. The market requires both internal & external GDPR enforcement
1. Big tech operates an internal data free-for-all. It cross-uses personal data from its many disparate services for its advertising business.
2. This has created a big tech monopoly.
45. The market requires both internal & external GDPR enforcement
1. Big tech operates an internal data free-for-all. It cross-uses personal data from its many disparate services for its advertising business.
2. This has created a big tech monopoly.
3. Enforcement of GDPR Article 5(1)f would stop the external data free-for-all between thousands of companies in the “real-time bidding” (RTB) market.
46. The market requires both internal & external GDPR enforcement
1. Big tech operates an internal data free-for-all. It cross-uses personal data from its many disparate services for its advertising business.
2. This has created a big tech monopoly.
3. Enforcement of GDPR Article 5(1)f would stop the external data free-for-all between thousands of companies in the “real-time bidding” (RTB) market.
4. Failure to enforce GDPR Article 5(1)b against big tech’s internal data free-for-all could then let big tech envelop the whole RTB market.
47. The market requires both internal & external GDPR enforcement
1. Big tech operates an internal data free-for-all. It cross-uses personal data from its many disparate services for its advertising business.
2. This has created a big tech monopoly.
3. Enforcement of GDPR Article 5(1)f would stop the external data free-for-all between thousands of companies in the “real-time bidding” (RTB) market.
4. Failure to enforce GDPR Article 5(1)b against big tech’s internal data free-for-all could then let big tech envelop the whole RTB market.
OR
4. Robust enforcement of GDPR Article 5(1)b against big tech’s internal data free-for-all would allow publishers to compete with big tech fairly.
48. Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
- GDPR, Article 5 (1) (b)
51. [Figure: per-country chart covering the UK, Germany, Austria, Belgium, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, the Netherlands, Malta, the Czech Republic, Romania, Slovakia, Slovenia, Spain, Sweden, Portugal, Poland and Greece.]
3,520 people work at European DPAs that regulate the private sector.
But only 8.6% are specialist tech investigators.
52. [Figure: per-country chart, same countries as slide 51.]
This is the thin line policing big tech
53. But governments have reduced DPA budget increases since the GDPR.
[Bar chart: total increases to DPA annual budgets, in millions of Euro, rounded, for 2017, 2018, 2019 and 2020. Bar labels: €16.5, €32.3, €56.1, €32.6. Annotation: The GDPR was applied on 25 May.]
54. Twenty years of annual budgets
[Line chart: annual budgets in millions of Euro, rounded, from 2000 to 2020, y-axis 0 to 60, with one value labelled €61. Annotation: The GDPR was applied on 25 May.]
Lead authority case load per country:
• UK: 56 cases
• Germany (federal € only): 92 cases
• Ireland: 127 cases
• France: 64 cases
• Luxembourg: 87 cases
55. The UK ICO is Europe’s biggest DPA. It has 680 staff. Its budget doubled from 2018 to 2020, to €61M. But only 3% of its staff are tech specialists.
Organigram of ICO staff whose roles or training are primarily technical (22 people):
Technology policy & innovation unit
• Executive director
• Head of tech. policy
• Head of privacy innovation
• Tech. adviser (secondment)
• Tech. adviser (secondment)
• Data ethics adviser
• Group manager technology policy
• Group manager digital economy
• Principal tech. advisor
• Principal tech. advisor
• Post-doctoral fellowship in AI
• Senior tech. officer
• Senior tech. officer
Cyber incident response & investigation unit
• Group manager
• Team manager
• Team manager
• Principal cyber investigations officer
• Principal cyber investigations officer
• Principal cyber investigations officer
• Lead technical investigations officer
• Lead technical investigations officer
• Lead technical investigations officer
• Vacancy
56. 8 people actually conduct tech investigations at the ICO (+ 1 vacancy)
Cyber incident response & investigation unit
• Group manager
• Team manager
• Team manager
• Principal cyber investigations officer
• Principal cyber investigations officer
• Principal cyber investigations officer
• Lead technical investigations officer
• Lead technical investigations officer
57. BRAVE | Tracking on UK council websites
Regulatory failure to protect the UK against RTB
Timeline of ICO inaction:
• January 2018: The ICO is contacted by Dr Johnny Ryan, then an industry whistleblower, about the RTB data breach.
• September 2018: Brave initiates a campaign of formal GDPR complaints to stop the RTB data breach. The ICO receives Brave’s evidence in GDPR complaints from Jim Killock of the Open Rights Group and Dr Michael Veale.
• June 2019: The ICO announces that RTB is currently unlawful, and gives the industry six months to clean up.
• December 2019: The ICO’s six-month grace period for the RTB industry ends. No substantive action is proposed by industry.
• January 2020: The ICO announces it accepts the RTB industry’s gestures, and will take no immediate action to stop the continuing RTB data breach.
198 councils use “real-time bidding” advertising on their sites.
[Figure: two panels, “English non-metropolitan county councils” and “UK local and unitary councils”. Legend: councils with real-time bidding, councils without real-time bidding.]
58. Ireland’s DPA supervises Google and Facebook in Europe. Even though increases in complaints are accelerating, increases to its budget are decelerating.
[Chart, 2017 to 2020: % increase in budget and % increase in GDPR complaints received. Labels: 79%, 75%, 60%, 31%, 56%, “37% requested from government”, “10% actually given”.]
59. [Scatter chart: number of tech specialists against annual budget (millions €), both axes 0 to 120. Labelled points: Spain, Netherlands, Italy, Ireland, UK, Germany, Greece, France, Other EU Member States. Note on Germany: This includes Länder (regional) and federal DPAs.]
60. German Länder DPAs
[Chart of Länder DPAs: Baden-Württemberg, Bayern, Berlin, Niedersachsen, Hamburg, Bremen, Rheinland-Pfalz, Brandenburg, Hessen, Sachsen-Anhalt, Sachsen, Schleswig-Holstein, Vorpommern, Saarland‡, Nordrhein-Westfalen, Thüringen.]
Not included on this chart:
Federal Commissioner for Data Protection and Freedom of Information (BfDI): 185 staff, 22 of these roles (including 10 vacancies) are tech specialists. BfDI is responsible for postal and telecommunications services, government departments and federal institutions.
Bayern has a separate DPA that deals with the public sector. Its 44 staff include 5 tech specialists.
‡Saarland tech specialist figure is an estimate based on DPA response.
61. Too few tech specialist investigators.
Too few funds to defend decisions in court.
62.
63. I have submitted a request to the European Commission to launch an infringement procedure against European Governments for their failure to implement the GDPR.
64. EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE and CONSUMERS
Directorate C: Fundamental rights and Rule of Law
Unit C.3: Data protection
Brussels, 06.05.2020
JUST.C3/ks (2020)2747685
Dr Johnny Ryan
26 Dartmouth Road
Ranelagh
D06 FT98 Ireland
E-mail: johnny@brave.com
Dear Sir,
Thank you for your letter of 27 April 2020, which has been registered as a complaint under
reference numbers CHAP(2020)1136, 1137, 1138, 1140, 1141, 1142, 1143, 1144, 1145, 1146,
1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157, 1158, 1160, 1161, 1162,
1163 (please quote these references in any further correspondence).
Ref. Ares(2020)2393042 - 06/05/2020
65. National recommendations
● Far more specialist tech investigators, with competitive salaries to attract talent.
● Finance to allow DPAs to defend decisions against expensive legal appeals.
EU-level recommendations
● EDPB (secretariat run by the EDPS) should establish a tech investigative unit to support national DPAs. Substantial permanent staff, and a small rotating temporary staff from national DPAs.
● European Commission should refer Member States to the European Court of Justice if necessary.
66. 1. NEXT: Purpose limitation = ‘big tech’ kryptonite. Cross-use of personal data makes companies vulnerable to Article 5(1)b enforcement.
2. WHY NOTHING HAPPENED BEFORE: Governments have not invested. The European Commission must see that they do.