“Biggest Data Breach Ever Recorded”: Leading Technologist Highlights Issues with Digital Consent at ADAPT Centre International Workshop

08 September 2021

Speaking at the 1st international workshop on digital consent today organised by the SFI ADAPT Centre for AI Digital Content Technology, Senior fellow at the Irish Council for Civil Liberties (ICCL), Dr Johnny Ryan, claimed ‘consent spam’ was the cause of the “biggest data breach ever recorded”.  During his keynote address Dr Ryan outlined how the consent that is sought by the websites or apps we use has become a type of ‘consent spam’ and has resulted in GDPR being undermined. 

Tracked Online 

Every time we visit a commercial website or use a commercial app a consent pop-up loads. From that data, snippets of information about our interests is broadcast to tens or potentially hundreds of companies and that lets the technology companies who represent advertisers in theory compete for the opportunity to show the user an ad.  The kinds of things about you that are included in those broadcasts can include a broad range of information including inferred sexual orientation, political views, religion, health conditions, what a person is reading or watching or listening to. Accompanying these are ID codes that are as unique to the individual as a PPS number and that means that all of those data pieces can be used to create a hidden dossier on the individual.  Few of us are aware that a dossier of personal information exists or that the data is then sold to the advertising industry through real-time bidding (RTB) and we give consent to it happening through the pop ups that load when we visit sites online.  

“This is the biggest data breach ever recorded.  It occurs hundreds of millions of times every day and what the advertising industry calls consent is just a thin veneer of compliance theatre covering this breach and it is a nuisance to us all and it also happens to be unlawful under the GDPR,” Dr Ryan explained.  “Those hidden dossiers about what you are doing online every day matter because they can affect your employment prospects, what deals you are offered, or they might expose you to micro targeted disinformation.”

The practice of RTB is prevalent throughout the industry and Dr Ryan referred to a number of legal challenges that are ongoing in Europe that aim to protect the user and their data.  With data privacy in the spotlight following global cyber attacks, consumers and organisations have data privacy and the ethics related to how data is collected and used front of mind. 

Following the introduction of General Data Protection Regulation (GDPR), consent must satisfy a greater set of conditions, such as being informed and freely given, in order for companies to use it to process personal data.  Internet users have become accustomed to clicking through lengthy privacy policies and often don’t read the notices, discount the risks to their data or don’t understand how their data could be used.

COnSeNT 2021 featured international experts including industry practitioners, academic researchers, and data protection authorities along with six presentations exploring a diverse set of research related to consent.  The workshop took place alongside the IEEE European Security and Privacy Conference and aimed to explore digital consent in all its forms through leading research and trends.

Speaking about the conference, Dr Harshvardhan Pandit of the ADAPT Centre at Trinity College Dublin said: “Data protection and privacy are priorities for individuals.  Consent Management as a discipline is only now becoming prominent as it creates challenges across multiple domains such as legal, technological, sociological, usability, privacy and security.  This impacts all of us and the COnSeNT workshop will offer an international forum for researchers and practitioners across all areas to exchange lessons learned and bring new perspectives and insights to the state-of-the-art practice of consent management.”  The ADAPT Centre is also running a series of public events and Citizen’s Think-Ins exploring digital privacy and trust as part of its ‘Discuss AI’ initiative (https://www.adaptcentre.ie/discussai/).

Other contributors at the event included:

Robin Berjon, VP of Data Governance at the New York Times. He is an expert in Web technology and its standardisation with almost two decades’ worth of experience in developing and driving standardisation efforts, primarily in W3C, and notably as the Editor of the HTML Specification. He is a co-author of the Global Privacy Control specification.

Townsend Feehan, CEO of Interactive Advertising Bureau (IAB) Europe, the EU-level association for the digital marketing and advertising ecosystem conducting research and development of standards and specifications powering much of the online advertising ecosystem. Prior to joining IAB Europe, Townsend worked for Microsoft Legal & Corporate Affairs in Brussels.

Dr Rob van Eijk is Managing Director of the Future of Privacy Forum for Europe. Prior to this, Dr. van Eijk obtained a PhD focusing on online advertising (real-time bidding) and has worked at the Dutch Data Protection Authority (DPA) for nearly 10 years. He worked within the Article 29 Working Party in multi-stakeholder negotiations of the World Wide Web Consortium on Do Not Track.

Dr Irene Kamara is Assistant Professor of Cybersecurity Governance at Tilburg University. She is an expert in standardisation, with a doctoral thesis exploring the interplay between standardisation and the regulation of the right to protection of personal data. She has prior experience working as a trainee at EDPS, CEN and CENELEC, and is a member of the ENISA Experts List.

Mark Lizar is the CEO & Founder of the OpenConsent Group, and is a co-inventor of the Kantara Consent Receipt specification. Mark is active in Canadian standards, conformance and the Kantara Initiative as an International Liaison and previously Co-Chair of the Consent and Information Sharing WG and Vice Chair of the Leadership Council.