The Irish Council for Civil Liberties (ICCL) has lodged a case in Hamburg against the Interactive Advertising Bureau TechLab (IAB), the online advertising industry trade body, in respect of what it calls the “world’s biggest data breach”. This rhetoric will be familiar to those that followed the various complaints instigated by Johnny Ryan (and others), who is now a Senior Fellow at ICCL. As with those complaints, this action is founded on the basis that valid consent is not obtained in respect of the data (including data relating to a website users’ interests) that is gathered and shared as part of the real time bidding process. The ICCL point out the potential for harm to users: “a retailer might use the data to single you out for a higher price online. A political group might micro target you with personalised disinformation”.

Why Hamburg?

Hamburg is known for its fierce protection of data subjects’ rights and the GDPR in general so it appears a good forum to bring this case for ICCL. There needs to be some connection to the jurisdiction and ICCL believe this is satisfied as the IAB has a representation in Hamburg through a consultancy it hired that is based there. TechCrunch reports that this action has been brought following inaction by the UK’s ICO and Ireland’s DPC. The ICO resumed their investigation into the industry in early 2021 but is yet to take any substantive action (the gist of the last update being that this is a complex area and it’ll take some time to see progress).

What now?

This case will be one to watch. Changes are afoot in the real time bidding sector, but it remains to be seen whether this case will be the catalyst and/or whether it prompts other regulators, including the ICO, into action.