Irish DPC Opens Probe of Smartphone Location Data Sale
The Irish Data Protection Commission (DPC) said Friday it identified the two companies and dataset at the heart of a scandal involving the sale of smartphone location data and is investigating. The Irish Council for Civil Liberties (ICCL) accused the DPA of failing to act on its earlier whistleblowing complaint.
The breach was exposed by Irish public broadcaster RTE on its Sept. 18 Prime Time program following an undercover investigation.
RTE reported that data "showing the specific movement of tens of thousands of smartphones in Ireland" is available for sale in the country. The data included individual phones that could be tracked back to specific residential addresses after "entering high-security prisons, military bases, and Leinster House [the seat of Ireland's Parliament]," as well as sensitive locations such as health clinics and mental health facilities, RTE added.
The data also showed minute-by-minute movement of phones, and locations were specific enough to show movement with home addresses and the patterns of life of the smartphone owners, the broadcaster said.
A sample containing the movement of 64,000 phones in Ireland over two weeks earlier this year was given to RTE Prime Time for free during the investigation in which a team of journalists posed as founders of a new data analytics and marketing firm, it said.
The sample data was offered for sale by one company and the undercover team learned that data could be provided in a constantly updated feed with a 24-to-72-hour delay.
Prime Time said the story "has sparked concern at a European level, and is likely to be discussed at a meeting of the European Data Protection Board [EDPB]."
On Sept. 18, the DPC said it was "extremely concerned" about the situation because "location data can reveal a significant amount of information" about people and can pose a threat to their security and wellbeing.
The watchdog added it was trying to identify the data broker in question and determine if it was located in Ireland. In an update Friday, it said it had obtained the identity of both companies and the dataset, and that one company is based in Dublin. The other, it said, is headquartered in another EU country and the "DPC is engaging with the relevant EU Data Protection Authority."
The EDPB emailed Friday that it can't comment on ongoing cases. It stressed that under the GDPR, enforcement of data protection rules is the responsibility of national DPAs, which don't need to inform the board about cases they're handling.
The data RTE obtained included GPS coordinates, timestamps and mobile advertising IDs for around 65,000 people in Ireland, including those who work in the government and the military, ICCL Enforce Director Johnny Ryan emailed Privacy Daily Friday. The data comes from an online advertising technology company called Real-Time Bidding (RTB), which runs advertising auctions on websites and apps, he said.
Although the watchdog said it wasn't previously aware of the location data issue, it "has known about the source of these data since 2017, when I informed it as an industry whistle-blower, but failed to enforce against major RTB firms, including Google, who are the source of the data," Ryan wrote.
He accused the DPA of refusing repeated demands to tackle security problems in RTB for eight years. "To fix this problem, the DPC must enforce against Google, Microsoft, and other major RTB firms that have their European headquarters in Ireland, under the DPC’s jurisdiction," Ryan added. The DPC didn't immediately comment.
ICCL won permission from the Irish High Court earlier this year to file a class action lawsuit against Microsoft's RTB system for personalizing ads (see Ref:2506010001).