PRIVACY BEAT:  Ryan goes after RTB in Germany local court; Public Knowledge opposes antitrust “safe harbor” for newspapers

Privacy Beat

Your weekly privacy news update.



Screen shot of internal IAB Tech Lab memo, supplied by ICCL (story below)

Ryan sues IAB Tech Lab in German local court to stop claimed privacy violations by “real-time bidding” in EU

Irish privacy watchdog Johnny Ryan launched a new approach this week to try and derail the use of “real-time bidding” (RTB)  that helps sell billions of dollars of digital advertising across the web. The Irish Council for Civil Liberties (ICCL), where Ryan works, said it filed a lawsuit in a local court in Hamburg, Germany naming the IAB Technology Laboratory Inc. and two other defendants.

IAB Tech Lab is based in New York, but has an agency office in Hamburg, hence the court filing there since the dispute involves European law.  The Ryan suit also references a suit brought in U.S. District Court in San Jose, Calif., in March, which also attacks RTP on data-privacy grounds. That case has a first hearing later this year.

IAB Tech Lab publishes a digital advertising audience taxonomy that is evidence in the ICCL lawsuit.  Ryan reveals in a nine-minute online video what appears to be an Internal IAB email and memo from 2017 which Ryan says shows the IAB knew in 2017 that RTB’s technology could not possibly operate as it does and comply with the European Union’s General Data Protection Regulation (GDPR).

“I obtained a confidential lobbying document that shows the industry knew this would be illegal under the GDPR,” Ryan says in the video. “And that document, which is part of our evidence in our lawsuit, dates from 2017 which is a year before GDPR went into effect.”

The document shown on screen appears to be a June 26, 2017 email from then-IAB Europe CEO Townsend Feehan to recipients  (redacted) which states “I am attaching a paper that attempts to capture why we honestly believe that the ePrivacy proposal as currently drafted could indeed mean the end of the online advertising business model . . . . ”  The paper, also shown by Ryan on the screen, states that RTB is “incompatible with consent under GDPR.”

“The scale of the data breach is astoundingly huge,” Ryan says. “But so far, Europe’s privacy watchdogs have done nothing to end the most massive data breach in history. GDPR enforcers have failed to act, but we can act.”

The prepared suit, posted in an English translation on Ryan’s Irish Council of Civil Liberties website, seeks monetary damages and prison sentences for individuals but also calls for a stop to operation of RTB in the EU.

Three attorneys from the Spirit Legal law firm in Germany who said they filed the suit appear in the Ryan video.  One of them, Elisabeth Niekrenz, says over 2,000 pages of evidence were filed with the suit this week. She added: “We expect the Hamburg court will be appalled when it learns how online tracking tech firms treat our data.”

For details of the lawsuit arguments see QUOTE OF THE WEEK below. 




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Public Knowledge goes on record against antitrust exemption for news industry lobbying of Google; cites other ways to help journalism 

Public Knowledge, a nonprofit consumer group in Washington, D.C.,  celebrating 20 years since its founding, has come out against a bill backed by a trade group of large U.S. newspaper publishers that seeks an antitrust exemption to be able to negotiate better deals with Google. The “safe-harbor” bill opposition is expressed in a June 17 blog posting by Lisa Macpherson, a senior policy fellow at Public Knowledge. The Journalism Competition and Preservation Act (JCPA) was championed by U.S. Rep. David Cicilline, D-R.I., after the “safe-harbor” iidea originated with the News Media Alliance publisher trade group.

“But the JCPA, unfortunately, is not a proposal we can support in its current form,” writes Macpherson on the Public Knowledge website. She says the organization is using its 20-year history of advocacy on mergers, competition law, and freedom-of-expression and information to seek other solutions to the loss of working journalists and newspapers over the last decade.

“[A]llowing a news media cartel by statute (as the JCPA explicitly proposes) may actually hurt local publishers by deepening existing power relationships between the largest platforms and largest publishers,” Macpherson writes.  She says large legacy news organizations, including News Corp., Gannett, McClatchy and the LA Times “were among the organizations recently traveling to Washington to advocate for the bill.”

Alternatives to help journalism advocated by Public Knowledge, she writes, include improved antitrust laws and enforcement, rules to promote digital-platform competition, federal privacy legislation and a dedicated digital regulator (besides the U.S. Federal Trade Commission) to oversee digital platforms.





California privacy board, noting its own significance, starts work in a hurry as July 1 rulemaking takeover looms

The five-member California Privacy Protection Agency (CPPA) governing board is hiring an executive director as soon as possible as it faces a statutory deadline of July 1 to take on rulemaking authority for the state’s landmark digital-privacy laws.  The board held its first meeting — virtually — on June 14. It has no office yet.

Until July 1, the California attorney general has authority over the California Privacy Rights Act (CPRA) and related laws.

Jennifer Urban, the UC-Berkeley law professor who chairs the board, noted in introductory remarks that it was “the first regulatory agency dedicated to privacy and data protection in the United States.” She added: “We are eager to get started. Because Congress has yet to enact any federal digital-privacy statute, her remarks underscore the impact of the CPPA board’s working.

“This is obviously a huge public-policy issue and a challenge ahead of us,” added board member Chris Thompson, a lobbyist for the Los Angeles Olympic Games committee with a long history of working on Capitol Hill for U.S. Sen. Dianne Feinstein and others.

The CPRA requires enforcement of the act beginning July 1, 2022.  But board advisor Phil Laird said that with required public notices and rulemaking hearings the board needs to get to work immediately.  “That’s a tough timeline but not undoable . . . a lot has to happen in the next year.”

Lawyers Anthony Le, Bethany Gayle Lukitsch and Justin Yedor of the McGuireWoods LLP law summarized additional details of the board’s first meeting in a blog post.







Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Half of publishers unclear about “cookie-less” future; uncertain about Google FLoC; don’t favor user log-in

A survey of 419 global publishers by digital-ad network company Teads found more than half of them are unclear about the impact of the “cookie-less” future on their business.  And almost two thirds — 65.3% — said they are not planning to ask more of their users to “log-in”.  “This is predominantly due to the potential disruption of user experience for readers,” writes Eric Shih, chief supply officer of Teads, in a posting on’s website. 

In summarizing what the publishers said, Shih said they are still uncertain about how Google’s cohort-based advertising targeting system — in beta — will work.  “The devil will be in the details with FLoC,” writes Shih. “But the key concern is that such an update will be limited to the open web and give Google further competitive advantages in market.”






Johnny Ryan suit claims: Billions of EU data breaches every day in RTB advertising system

  • The following are excerpts from press statements and web narratives released this week by the Irish Council for Civil Liberties (ICCL) and its researcher, Johnny Ryan, as it brought suit in Germany seeking to stop alleged uauthorized sharing of personal data for advertising via Real Time Bidding (RTB).

“[The] system is called Real Time Bidding. The RTB system broadcasts information about us, and about what we are doing online, to large numbers of companies. This happens hundreds of billions of times, every day.  One RTP-using company shares data with 1,600 other companies. Loading one page can trigger many companies, each share your sensitive information with hundreds of other companies.  “Hundreds of billions of times a day, every day. That means RTP is the biggest data breach in history.

“The private things we do and watch online are collected from a vast system that operates behind the scenes on virtually every website and app. The system is called “Real-Time Bidding” (RTB). Almost every time you load a page on a commercial website or use an app, a high speed auction happens behind the scenes that determines what ad will appear in front of you. This auction broadcasts private information about what you are doing online, and where you are, to many other companies in order to solicit their bids for the opportunity to show you their ad. 

“Though this RTB data can contain very sensitive information, industry documents confirm that there are no technical measures to limit what companies can do with this information, nor who they pass it on to. The RTB system broadcasts intimate data about us as we use websites and apps, including things like what you are reading or watching or listening to, inferences about your sexual preferences, religious faith, ethnicity, health conditions, your political views, and where you physically are – sometimes right up to your GPS coordinates.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp