Johnny Ryan – Court Ruling (Ireland, 2024)

On 12 September 2018, a data subject submitted a petition to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. A petition is an informal request which does not give a petitioner party rights in a GDPR procedure. Thus, in 2019, the data subject followed up his petition with a complaint alleging violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted the biggest data breach ever seen. In January 2020, the DPC informed the data subject that it had initiated an ex officio inquiry into substantially the same issues as the complaint. While the DPC confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the inquiry. As the inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's inquiry focused on legal basis and transparency issues rather than the Article 5(1)(f) GDPR claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the inquiry and that when it resumed its examination of the Complaint, it would again consider whether issues relating to data security should be the subject of scrutiny. It also noted that the result of its investigation may end up being functionally the same, with the effect that the