Johnny Ryan has spent the last year and a half trying to convince European regulators that the business model that props up the biggest tech companies in the world — behavioral advertising — is illegal. Now, he is gearing up for a new fight. This time, he wants regulators to crack down on how tech giants use data inside their own virtual walls.

Get daily insights from the Protocol team in your inbox

The charismatic Irishman is the chief policy officer for the web browser company Brave. Back in 2018, he filed a complaint with Ireland's Data Protection Commissioner accusing Google and the Interactive Advertising Bureau in Europe of violating European data protection laws through the wanton broadcasting of sensitive personal information in online ad exchanges. Flexing his media savvy, Ryan drummed up tons of press about it, and strategically coordinated with other data rights groups throughout Europe to file similar complaints. It caused a stir.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

His complaint ricocheted around Europe and has since been replicated in more than a dozen countries across the European Union, sparking investigations and reviews by data regulators in Ireland, the United Kingdom and Belgium.

But those complaints only address what happens when companies share data externally, Ryan says. The flip side of that problem is what tech giants are doing with customer data internally.

"Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business," Ryan says. Ryan argues that's illegal under GDPR, which says that data must be processed in a "transparent manner" for "specified, explicit and legitimate purposes."

He wants regulators to step in. And so, Ryan is in the process of preparing another legal complaint against one of the Silicon Valley giants. He's not saying who just yet, but earlier this month, Ryan laid out a withering case against Google's internal uses of data in a letter to the U.K.'s antitrust regulator.

"Preliminary analysis conducted by Brave indicates that Google has several hundred processing purposes that are conflated in a vast, internal data free-for-all," Ryan wrote in the letter. "Google's internal data free-for-all should therefore be remedied by data protection enforcement."

If European regulators were to enforce these so-called "purpose limitation" requirements against even one company, Ryan and his attorney Ravi Naik of the London-based law firm AWO say it could have a domino effect across the continent. "If it applies to one company, it applies to all companies," Naik says. "If anyone has a policy that's not transparent, they should be paying attention."

If it applies to one company, it applies to all companies. — Ravi Naik, Ryan's attorney

Ryan wasn't always such a skeptic about technology. Quite the opposite. In his 2011 book, "A History of the Internet and the Digital Future," Ryan, then a doctoral candidate at the University of Cambridge, marveled at the "newly enfranchised internet activists" reinventing democracy.

Almost a decade later, Ryan confesses, "I was far too utopian." He went on to become chief innovation officer of The Irish Times, where, he says, he had little idea how much personal data might have been driving the ads that landed on the page.

All that changed when Ryan began working for PageFair, an ad tech company that helped publishers measure and counter the impact of ad-blocking technology. That gave him his first look under the hood of real-time bidding markets. He came to understand that billions of times every day, companies like Google are broadcasting granular data about what people are looking at when they're browsing the web, in order to find them just the right ad at just the right time. This information is packaged up into bid requests and disseminated instantaneously to so-called "demand side platforms," which take bids from advertisers. In some cases, Ryan found, those bid requests include sensitive data, like precise GPS coordinates and URLs that might hint at a person's sexual orientation or ethnicity.

In January 2018, Ryan wrote an email to the United Kingdom's Information Commissioner's Office, which oversees violations of data privacy law, saying he wanted to report a data leak.

"I want to very privately whistle blow, and I am unsure of how to do so," Ryan wrote in an email reviewed by Protocol. He says at first they were interested. He spoke on the phone a few times with ICO officials. But after a while, he says he heard nothing back. GDPR went into effect four months later, and the behavioral advertising industry went on largely uninterrupted. That is, except for the widespread proliferation of pop-up notices asking people for consent to do who knows what with their data. That, to Ryan, didn't constitute consent at all.

Under the law, he says, "You cannot even ask for my consent unless you know what's going to happen to the data so you can tell me. If you have no idea and no control, you're not in a position to ask."

Ryan decided the only way to get regulators' attention was through a formal complaint. This wasn't an exclusively altruistic endeavor. By then, Ryan was working for Brave, a company whose main product is a browser that tries to distinguish itself from, say, Google Chrome, by blocking behavioral ads and trackers. Its co-founder and CEO, Brendan Eich, co-founded Mozilla.

"I think it's fair to say it's no different than when Apple or Tim Cook speaks out on privacy," says Jason Kint, CEO of Digital Content Next, a trade association representing digital companies. "The common refrain is, 'That will help Apple's business because they don't have ads.' Yeah, sure, but the fact that Apple is making that human right a priority that aligns with their business interest is great."

Ryan says Eich was immediately on board with the idea. "With the privacy wave rising in Europe and the U.S., it is crucial that regulators are aware of what's happening behind the scenes in tech so that they can best protect users," Eich told Protocol in a statement.

Ryan got to work on what would become known as the Ryan Report, a 32-page document that summarized his concerns about Google's Authorized Buyers and the IAB Europe's OpenRTB framework, the two programs that write the rules around what goes into just about every bid request in the world. His main argument: These organizations have no control over what happens to the data they broadcast through real-time bidding, and thus, are violating a core principle of GDPR that requires that data be "processed in a manner that ensures appropriate security of the personal data."

Ryan's findings soon became the basis of identical complaints across Europe. Regulators took notice. In May 2019, Ireland's Data Protection Commissioner said it would investigate Google's compliance with GDPR based, in part, on Ryan's complaint. The British ICO similarly cited Ryan's work in its own report last June, which gave adtech players six months to change their ways. In a statement to Protocol, Ireland's DPC said only that its Google investigation is "ongoing."

These investigations made Google blink. Last year, the tech giant announced it would expand audits of its Authorized Buyers program and strip out the content categories that describe the type of web page a user is browsing from bid requests. Those categories had included things like "male impotence" and "substance abuse," according to Ryan's research.

This appeared to be enough to satisfy the British Information Commissioner, at least for now. The regulator issued a blog post in January saying it was "encouraged" by Google's actions and would "continue to look at the changes Google has proposed."

In a statement to Protocol, a Google spokesperson said the company doesn't serve personalized ads or send bid requests out without user consent. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated," the spokesperson said.

IAB Europe, meanwhile, directed Protocol to its past statements on Ryan's complaints. One such statement argues that GDPR doesn't require "the absolute technical impossibility for data to be processed unlawfully."

"Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit," one February 2019 blog post read. "Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits."

Ryan believes real-time bidding has created the "biggest data breach of all time."

Naik, however, says the IAB is using the wrong analogy. "This isn't equivalent to broad rules of the road," he says. "This is like building a car with no windshield wipers or seatbelts."

Still, in the nearly two years since GDPR went into effect, no regulator has taken action on Ryan's claims. That explains his plan B.

Ryan believes real-time bidding has created the "biggest data breach of all time." But he says the way companies like Google and Facebook mine data internally across a range of products is just as troubling. Not only does it keep users in the dark about how their data is processed, he argues, but it also entrenches incumbents, who have built a data moat around themselves.

He's not alone in making this case. Last year, France's data protection regulator fined Google $57 million for failing to give users enough information about how their data is being processed before giving their consent. A month later, Germany's antitrust authority ruled that Facebook would have to get consent from users before combining their data with third party sources or using that data across its family of apps. A court later reversed that ruling.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

Google does seek people's consent to personalize their services across products, but Naik says this kind of broad disclosure is exactly what the European Commission hoped to avoid under GDPR. Indeed, in guidelines released in 2017, the EU's Data Protection Working Party specifically listed the phrase "we may use your personal data to offer personalized services" as a "poor practice example."

Ryan views all of this as a clear violation of GDPR's purpose limitation requirements. He believes people should be able to give up their location data to access a map without having that data used in another context later on. If people could pick and choose the data they share, Ryan says, "The next time there's a delete Facebook moment, people won't have to delete Facebook. They'll lobotomize it."

For Ryan — and for Brave — that would be just fine.