Brave urges UK's data watchdog to join Ireland in probing claim Google adtech breaches GDPR

Lawyers for the privacy-focused Brave browser have written to the UK's Information Commissioner's Office (ICO) with what they claim is evidence that Google's online ad-selling policies break the EU's General Data Protection Regulation (GDPR) – namely Article 5(1)(f). Brave kicked off this fight back in September last year. At …

  1. jmch Silver badge

    Without going into the legal nitty-gritty...

    It's quite clear that IP address is personally identifiable information, and when combined with some sort of user-ID token that also links to other data such as general or specific location, age range or specific age, gender, income bracket, general interests etc etc (all things used by ad networks to place ads), it's even more personally identifiable.

    I would say that 'prima facie' it's quite evident that ad targeting in any form whatsoever is incompatible with GDPR. I would also add, it's not just the targeting, it's the tracking and data collecting.

    1. happy but not clappy

      Re: Without going into the legal nitty-gritty...

      Well I have had to go over this a lot in my job, and as I understand it (from my legal friends) GDPR is about control, not restriction. So absolutely, you are right, this is PII. The key test is whether Google is clearly identified as the data processor, what that processing is and for what purpose, and finally whether it is equally frictionless to withdraw permission as to give it.

      I would say Google skates very close to the wire in that withdrawing permission is tricky, and not terribly sticky (different browsers will change the default as they won't have the "no track" cookie set and you may not always log in). Furthermore, it is ubiquitous (much as Facebook's is) so giving permission on one web-site is extended to all the rest.

      However, they try just a fraction harder than the traditional ad guys (like Criteo and Adroll), and so stay third on the list of priorities.

      1. jmch Silver badge

        Re: Without going into the legal nitty-gritty...

        "whether Google is clearly identified as the data processor, what that processing is and for what purpose, and finally whether it is equally frictionless to withdraw permission as to give it."

        I would add to that, what data is shared with advertisers, other ad networks and other third-parties in general

    2. Anonymous Coward

      Re: Without going into the legal nitty-gritty...

      It's quite clear that IP address is personally identifiable information,

      Maybe...

      I currently have 2 IP addresses. One is the RFC1918 10.x.x.x address on my company's internal network. It will identify me to someone in the company, but not to an outside agency like Google. The other IP address, the one that will show up in El Reg logs, is the company proxy server that I, and many thousands of others, use to reach the internet. With the aid of a subpoena to my company's IT department I could probably be identified from them, but I'm not sure that either could be considered as PII from Google's perspective.

      1. Ben Tasker

        Re: Without going into the legal nitty-gritty...

        Depends, as GDPR factors in whether you can be identified by tying a bit of information with other available information.

        A fairly extreme example follows:

        So, your publicly routable IP 1.2.3.4 identifies that you work at Acme Corp.

        The targeting they're doing on their ads identifies that you regularly browse

        - Furry sites

        - Ebay classic motor parts

        - Costume shop

        So they can now say that "you" are most likely the person who works at Acme Corp who drives a Daimler DE7 and spends their weekend dressed as a squirrel.

        They've not got your name (assuming you haven't googled yourself), but that's still sufficient to identify you to within a reasonable margin of error.

        All that though is fairly moot as GDPR states IP addresses should be considered as personal data as it counts as an online identifier. The exact topic that was assessed was dynamic IPs. The conclusion was that because the web-host's (in this case Google) data _could_ be joined with the ISP's records to identify the person, it counted as personal data even though the chances are small as the ISP would need to comply with GDPR when disclosing.

        That's no different to your case really, Google are still Google, and the ISP is your company IT Dept.

        TL;DR IP addresses are PII under GDPR, and all the what-ifs we love to argue about have already been considered - the advice is to err on the side of caution and treat all IPs as PII.

      2. Anonymous Coward

        Re: Without going into the legal nitty-gritty...

        What about when you log in from home rather than from your company; even if you have DHCP your IP address is often sticky for days or even months at a time. Or if you log in from your phone and your carrier is assigning you a fixed IPv6 address?

        1. Anonymous Coward

          Re: Without going into the legal nitty-gritty...

          even if you have DHCP your IP address is often sticky for days or even months at a time

          Indeed, which is why I said "Maybe". Sometimes an IP address is PII, sometimes not. That's too gray an area for politicians, though, they prefer black&white.

    3. streaky

      Re: Without going into the legal nitty-gritty...

      It's quite clear that IP address is personally identifiable information

      It's clear it's nothing of the sort and if you'd like me to avail you of case law from both sides of the Atlantic clearly demonstrating this I'd be happy to. Ignoring that it isn't, any more than a random street address or a random car numberplate isn't private data.

      Potentially tagging data *to* that address, or that number plate or that IP address is private, but the identifier itself isn't, it's the data that you tag to it that's potentially private. Also you see how I use the word potentially?

      1. Intractable Potsherd

        Re: Without going into the legal nitty-gritty...

        @streaky - you aren't entirely correct, at least in the EU. Your analysis first of all assumes dynamic addresses - static addresses are prima facie PII. With dynamic addresses, the leading case is Case 582/14 – Patrick Breyer v Germany (2016), in which the ECJ decided that a dynamic IP address will be personal data if the data controller can link the dynamic IP address to the identity of an individual. Google can definitely link IP addresses to identities (it is its raison d'etre), therefore IP address = PII

    4. James 47

      Re: Without going into the legal nitty-gritty...

      Google does not send the full IP address. The last octet is removed.

      1. Intractable Potsherd

        Re: Without going into the legal nitty-gritty...

        But it is still possible to retrieve that last octet - that was a second part of the Breyer case - that the "website operator" has a "legal means" of obtaining access to the IP address in order to identify the individual. I will be intrigued to see Google's arguments should this get to court - I'm hoping El Reg will have ringside seats just like they have for the Autonomy case :-)

  2. Blockchain commentard

    We have been engaging with representatives of the adtech industry - in plain English, expect to see an announcement real soon about us bringing our expertise to Google when they employ us to counter these wild accusations!!!!

  3. Headley_Grange Silver badge

    Comical

    Johnny Ryan and Brave Lawyers is surely a comic book waiting to happen. While reading the article I couldn't get the image out of my head of a trio of suited lawyers, chins and chests thrust out, hair blown back in the wind holding pink-ribboned writs like light sabres.

    Maybe I've had too much coffee this morning.

    1. }{amis}{

      Re: Comical

      Maybe I've had too much coffee this morning.

      That's actually possible???

      1. JLV

        Re: Comical

        It is for the rest of us when there is no more coffee left.

    2. jmch Silver badge

      Re: Comical

      "Johnny Ryan and Brave Lawyers is surely a comic book.... "

      "...trio of suited lawyers, chins and chests thrust out..."

      For some reason that combination registered in my mind with the picture of a suited Johnny Bravo.

      Probably showing my age there!!!

  4. I.Geller Bronze badge

    AI database

    The only and the main goal of personalization is in the detection of patterns

    - which are related to our topics of our searching on Internet

    - into our personal profiles.

    These patterns explain, annotate our search queries. Google and FB live by selling these patterns (stolen from us) to advertisers, the CIA and FBI because they own our profiles.

    In order to stop this theft once and for all enough to switch from Internet to AI database. In this database our personal profiles are our property, Google and FB have nothing to do with them and cannot steal and spy on us.

    1. doublelayer Silver badge

      Re: AI database

      Alternate suggestion: don't store them at all. Not in Google's database, not in a normal personal database, not in your whatever-it-may-be database, nowhere.

      1. I.Geller Bronze badge

        Re: AI database

        Damn unscientific idea! In this case computer search will output a list of extreme nonsense.

    2. Throatwarbler Mangrove Silver badge

      Re: AI database

      FYI, I have reported this poster to the moderators for abuse (spamming).

      1. Intractable Potsherd

        Re: AI database

        Thanks - I was just considering the same thing.

        1. I.Geller Bronze badge

          Re: AI database

          Arguments? Envy? Fear of new? Competition? Why?

          1. Intractable Potsherd

            Re: AI database

            None of the above.

  5. slartybartfast

    Taking on Google? That’s Brave of them.

    I wouldn’t put it past Google to have broken the EU’s General Data Protection Regulation. I imagine, like the Cambridge Analytica scandal, it will be quietly brushed under the carpet whilst people are distracted by some other news. Isn’t that how it usually works?

  6. aks

    The user of a non-corporate IP address who's not using a VPN can certainly identify your location with reasonable accuracy. Just search for "where am i?", choose a website offering to tell you, then permit it Allow Location Access. A properly configured browser will reveal to the website quite a lot of information such as the language you use. Look at BrowserHawk from cyScape as a powerful tool which shows how wide open you've left your kimono.

    For other of your characteristics, how much of the personalisation is stored in cookies on your machine and how much is returned to a server? If the personal info remains on your own device, how is that covered by GDPR?

    I normally run with all third-party cookies disabled and disable all personalisation that I can control. It's because I'm the shy, retiring sort. I don't want others to show me things they think I might be interested in but prefer to find things out by myself.

    The major pain is that I need to control the options per browser, per device, and to an extent per website.

  7. Mike 137 Silver badge

    Brave may well be right

    A couple of clarifications:

    [1] references to 'PII' - this is a hangover from implementations of the Directive, and is no longer a valid concept. Under the GDPR, a cluster of data points, none of which individually is 'PII', is still personal data if it allows the data subject to be identified, even if no name is attached. For example, a person whose zip code is shared by an entire block cannot claim that the zip code is personal data, but if they're the only one on the block who has climbed Everest, the zip code and that fact together become personal data. This means that naive 'pseudonymisation' (e.g. the Google tracking 'user ID') has negligible scope to remove data sets from the realm of the regulation, as the identification capacity of the rest of the data nullifies it.

    [2] An IP address (even a dynamically allocated IP address) can be personal data - see this 2016 European Court of Justice ruling

    So depending on the scope of the profile constructed, the data set used for targeting ads may become personal data under the Regulation. Scope includes breadth of sources and both nature and depth of detail. Thus a profile consisting of a complete browsing history is very likely to be personal data as it is essentially unique to an individual, and the wider the range of sites recorded as visited, the more 'personal' it becomes. Furthermore, supposing the history contains records of visits to sites relevant to the special categories (Article 9), specific informed consent would probably be required for the processing.

    Finally, I have a strong impression that targeted online advertising could be construed as electronic direct marketing, and therefore be subject to the consent requirements of other legislation in addition to the GDPR (e.g. Privacy and Electronic Communications Regulations 2003 in the UK). I've obtained verbal confirmation of this from the ICO's help line.

    So let's hear it for Brave, not least for being brave enough to take on the ad slurpers. I hope they prove their point.

  8. EBG

    GDPR definitely dampened (some) innovation

    I think we can see where this is going.
