Brave, a privacy-focused web browser set up by Silicon Valley engineering guru Brendan Eich, filed privacy complaints in Britain and Ireland that could become a test case against search company Google and other digital advertising firms.
The petitioners say they want to trigger an article in the new European General Data Protection Regulation (GDPR) requiring an EU-wide investigation, making it a test case for a new European Data Protection Board created to give the privacy regime more teeth.
The GDPR seeks to ensure that individuals have greater control over the data that companies hold about them. Brave and the co-plaintiffs say Google and others are playing fast and loose with people's data.
"There is a massive and systematic data breach at the heart of the behavioural advertising industry. Despite the two-year lead-in period before the GDPR, adtech companies have failed to comply," Brave's chief policy officer Johnny Ryan told Reuters.
The complaint argues that when a person visits a website, intimate personal data that describe them and what they are doing online is broadcast to tens or hundreds of companies without their knowledge in order to auction and place ads.
This, it says in the complaints filed on Wednesday, violates the GDPR's requirement for personal data to be processed in a way that ensures they are properly secured, including against unauthorised or unlawful processing and against accidental loss.
Google says it is has already implemented strong privacy protections in consultation with European regulators and is committed to complying with the GDPR.
Brave operates as a private browser, preventing the use of trackers on web pages to harvest data about people's online behaviour - giving it detailed insight into the inner workings of the online ad industry.
The new data privacy law could also have a huge impact on the small army of tech firms that comes between giants like Google and its users to harvest and crunch data from websites to form very specific consumer profiles.
Were the regulator to find in favour of the plaintiffs, that could undermine the foundations of the data-driven model on with the online ad industry - forecast by research firm eMarketer to grow to $273 billion (roughly Rs. 19.6 lakh crores) this year - depends.
The GDPR is the first data privacy regime that foresees heavy fines for serious violations - of up to 4 percent of a company's global turnover.
The filing, on behalf of Ryan, Jim Killock of the Open Rights Group, a non-profit organisation, and academic Michael Veale of University College London, coincided with the opening of a major digital marketing fair in Cologne, Germany.
A copy of the complaint seen by Reuters argues that Google and the adtech industry commit "wide-scale and systematic breaches of the data protection regime" through the way they place personalised online ads.
This happens through a process called "real-time bidding" and does so through two main channels. One, called OpenRTB, is used by most players in the industry, while a second, called Authorised Buyers, is run by Google.
The complaint argues that these gather and broadcast more personal data than could be justified for advertising purposes; that this data is then subject to further unauthorised processing; and that it can include sensitive information such as sexuality, ethnicity or political opinions.
Ravi Naik, a partner at ITN Solicitors in London who is representing the plaintiffs, said this case addressed a long-standing data-protection concern that "is likely to have far reaching and dramatic consequences, which may change our fundamental relationship with the Internet".
© Thomson Reuters 2018