The High Court has dismissed a claim by Dr. Johnny Ryan of the Irish Council for Civil Liberties (ICCL) that the Data Protection Commission (DPC) failed to fully investigate a complaint about an alleged data breach by Google.
The High Court has dismissed a claim by Dr. Johnny Ryan, a senior fellow of the Irish Council for Civil Liberties (ICCL), that the Data Protection Commission (DPC) failed to fully investigate a complaint made five years ago about an alleged data breach by Google. The complaint concerns the operation of a system called Real Time Bidding, used by Google for targeting individuals for online advertising based on their personal data. Mr Justice Garrett Simons dismissed the action, stating that the DPC was entitled to conduct its own inquiry into the alleged data breach before resuming its investigation into Dr. Ryan’s complaint.
The DPC, the State’s supervisory authority for GDPR and data controllers in Ireland, opposed Dr. Ryan’s application, denying all of his claims, including that it had delayed investigating issues raised in 2018. The DPC, represented by Joe Jeffers SC, said it opened an inquiry on its own volition in 2019, which is ongoing, and will complete its own inquiry before resuming Dr. Ryan’s complaint. The Commission argued that its approach would result in faster and more effective handling of the complaint, and that the proceedings were brought outside the legal time frame for a judicial review and were premature.
Dr. Ryan rejected the DPC’s arguments, but Mr. Justice Simons said the DPC’s decision to prioritize the own-volition inquiry was “proportionate” and “within the margin of appreciation allowed to it” under GDPR. He added that the DPC is engaged in a “complex and time-consuming inquiry into the advertising industry” and it was “entirely proportionate” to complete the own-volition inquiry first. The judge also said that the DPC was entitled to have its legal costs paid by Dr. Ryan as it was “entirely successful” in the proceedings.
In his action, Dr. Ryan raised concerns about the RTB systems used by Google, claiming they involve unauthorized and potentially unlimited disclosure and processing of large volumes of personal data to other third parties. He also raised issues about Google’s alleged inability to demonstrate compliance with GDPR requirements that personal data be processed lawfully and fairly, and that the processing of personal data be kept to a minimum.