"The Data Diva" Talks Privacy Podcast

The Data Diva E69 - Johnny Ryan and Debbie Reynolds

March 01, 2022 Debbie Reynolds Season 2 Episode 69

Debbie Reynolds “The Data Diva” talks to Johnny Ryan, Senior Fellow at Irish Council for Civil Liberties, and Open Markets Institute. We discuss his early learning experiences in online publishing and the internet, holding organizations accountable for compliance with GDPR, explaining how ads on the internet work to policy makers and the role of enforcers, the need for litigation, and the impact of lax Data Privacy and enforcement, his IAB Europe case related to Real-time bidding (RTB) ad systems, current enforcement challenges with the GDPR, Irish Data Protection Commission and other regulatory authorities, the impact of the IAB Europe case around the world, Real-Time Bidding and immediate harm to individuals, need for discussion of actual Data Protection practices, the next steps in the IAB Europe case, positive benefits of the removal of personal data from RTB bid requests, potentially good news for legitimate advertisers and publishers,  and his hope for Data Privacy in the future.





49:56
SUMMARY KEYWORDS
real-time bidding, data, people, happening, enforcer, iab, complaint, consent, Europe, advertisers, called, work, debbie, website, industry, data protection law, Irish, problem, enforcement, companies, Google, Facebook, IAB Europe, Data Brokers

SPEAKERS
Johnny Ryan, Debbie Reynolds

Debbie Reynolds  00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva." This is "The Data Diva Talks" Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Dr. Johnny Ryan; he's a Senior Fellow at the Irish Council for Civil Liberties and Open Markets Institute. Welcome.

Johnny Ryan  00:40
Hey, Debbie, good to be with you.

Debbie Reynolds  00:43
Well, this is going to be a fun podcast; it's very timely. We've been connected on LinkedIn for a number of years; I got to know you when you were at Brave Software. And I kind of saw your transition over to the Irish Council for Civil Liberties, and you're always busy, you're always on the world stage, I always see you being quoted in news articles and, you know, doing things like testifying in front of Congress, and you meet counsels around AdTech if these are going on about that, but I would love to know your background and sort of your interests in privacy; to me it's fascinating.

Johnny Ryan  01:29
Well, a few years ago, over a decade ago now, I wrote a book about the history of the Internet; it was the second book I wrote. And it took me on a tour all the way back through the '90s, '80s, '70s, '60s, '50s, and earlier, and I came away with this utopian notion, which has since been beaten out of me by reality. And at that time, I was working in a policy think tank, where I worked for quite a few years on European policy issues. And after that, I went to work on a Ph.D. And then I went to work for a publisher. Now when I was at the publisher, my job was Chief Innovation Officer. So I had to report to the editor and to the managing director both about ways to take our organization, which was a century and a half old. And to make it look like there were shiny new things happening because that's what advertisers wanted. So in that role, I made the mistakes that every not very well-informed person makes, where I advocated to install things that probably threw our visitors to the wolves. Not as bad as real-time bidding, but for example, social share widgets, which, it turns out, were owned by data brokers. So that was interesting. I was there for a few years, and I made plenty of mistakes. And then, I went to work for an online advertising technology company after a little brief sojourn back in academia. And in the online advertising technology company, we were right in the middle of the so-called programmatic, which merely means automated; it's just a bad way of saying automated. And in the programmatic online advertising world, Real-time bidding was a big part of what we were doing, almost the entirety. And remember, at that time, Debbie, there was a lot of talk about the forthcoming General Data Protection Regulation. And there was one afternoon where I put back on my policy hat, which I hadn't put on in many a year. And I sat down to read this regulation, which was, at that point, finalized but not yet, in effect. 
And I remember reading it, and I read through it again and again. And I realized that not only was everything that we were doing, and we were not the worst offenders, not only was everything that we were doing unlawful, which of course it was for everyone since 1995. But actually, there will be sanctions applied as well. And from that point on, I set about convincing my colleagues that we needed to take our AdTech business and really change it. And what we ended up doing was we built a system to strip out personal data from the broadcast. That leaves every app and every website that uses real-time bidding from the broadcast of personal data; we had, essentially, you could think of it as a catalytic converter to remove the pollution. And to make the advertising not just safe because there was no data breach, which is inherent to nearly all online advertising. But actually, there would be no requirement to try to get a lawful basis for almost anything we were doing. Because it would be above the requirement, it would use nonpersonal data. So we set about doing this and had lengthy conversations with some of our very biggest clients; they were all very interested. But in the end, the industry settled for a fudge, not even a fudge; it settled for a kind of a legal veneer. And at the time, I was a member of the relevant trade bodies. The IAB represented our interests as advertising technology firms. And instead of having a Plan A and a Plan B, Plan A being brazen it out and come up with a kind of a fiction that might make enforcers, you know, not attack online advertising for a while. But have a Plan B, which is don't use personal data anymore for this stuff. Instead of that, they just went with Plan A. And what we were doing didn't find a market because people wanted to continue doing what they were doing. And at the same time, we were stopping doing what we were doing because the GDPR was about to apply. 
So that company had been doing fine, but it was no longer viable. And at that point, I went to work for Brave, and the Brave agenda was very, very clear; it was the same actually, in a way. And it was to find ways to bring privacy to people. But also to see if there's a way to have a business model that isn't completely at odds with that. So I spent a few years at Brave, essentially pushing exactly the same agenda. But although I was given all of the space I could have wanted at Brave to do what I was doing, Brave did not want to get into litigation for very understandable reasons, and the time came to litigate because relying on the enforcers produced no results at all. And so my agenda now, in this NGO, the Irish Council for Civil Liberties, is litigation, pressure on enforcers to enforce, pressure on governments to see that enforcers enforce, and pressure on the European Commission to see that governments apply pressure for enforcement. Essentially, what I'm trying to do is to see that the GDPR is applied. And before I finish my monologue, to see that it's applied in two domains: on the one hand, you have a data free for all between 1000s of firms in real-time bidding. And that is, in a sense, an external data free for all between companies. But on the other hand, you have data free for all inside the walled gardens, Google, Facebook, Amazon, etc., where they are using data from one part of their business to prop up other parts but doing so completely at odds with data protection law. So I want to see the GDPR be realized, actually to have an effect. And I wanted to remove the external data free for all and the internal data free for all. Now, I've several objectives for that or motives. One is that the external data free for all is very dangerous, I think. Our next few, in all of our jurisdictions, the next few elections are going to have lots of stories associated with them.
And then involve people being nudged and micro-targeted using data leaked out of real-time bidding. For example, we have seen it and submitted evidence about it before, but I think it's going to get worse if we don't fix this problem. And I think people are going to be at risk when they're applying for jobs for insurance, many, many, many aspects of their lives. But the internal data free for all inside big tech creates not just a data protection problem but a market problem too. And we will not see a whole, a sensible, viable, fair, effective market where you can have interesting alternatives emerge until that problem is solved. And a final motive is that I have worked for a publisher. I have done a little bit of a small bit of reporting. I do not want to see what I regard as cancer eating the heart of legitimate media. I don't want to see that continue.

Debbie Reynolds  10:24
Wow, that's, that's amazing. Thank you for telling my story. You know, I think it's really interesting when you said you had written a book about the Internet, you know, I've watched the Internet grow into what it is today. So I've seen a lot of the cracks, I've seen a lot of the gaps that have happened. And I think one thing that you do very well, that I feel is very needed, and a lot of people don't do, is that a lot of people don't understand how the Internet works, right. So they see this kind of outside or near, and they don't understand what's happening underneath. So I think they do a really good job explaining what's happening underneath. And I think it's very important to have people like you in positions where you can inform, you know, policymakers or governments about this because people just don't understand. What are your thoughts about that?

Johnny Ryan  11:19
Thank you, Debbie. Well, my thoughts are, anytime I hear a compliment, I'll bank it away and take it. But beyond that, I realized that I didn't really know how the Internet protocols operate, where they came from, how machines talk to machines; I'm not an engineer. And I had the privilege of being able to take while working in related areas of being able to take a year, year and a half, thereabouts. To go back. These things, these technologies were at their most simple, which is at the beginning, normally, and to look at the documentation that defines how they work now was, the documentation is very simple. Indeed, there's a set of documents called Request for Comments. And the first one is very, very brief. And it says a Request for Comments can be a thought or an idea. It doesn't have footnotes; it's really, really simple. And that's because the people who were exchanging these little notes about what the Internet might end up being, very, very lowly in the very lowly graduate students, some of them very young. The first one was allegedly written on the floor of a bathroom. And from an, actually, it's true, I interviewed the person who wrote it, he was staying overnight with friends, he didn't want to disturb them. So you have this which is very easy to understand, written among people who weren't too high on their status. People who assumed at any time some big deal professor was going to come in and say, they'll sit shall be. So they have this humble, inclusive tone. And they're trying to set out in very simple terms how machines talk to each other. So you can go back. And some of those documents contain an awful lot of the reasoning of how things work; you can go back and piece things together and get the basics. And my background is history. So as a historian, when you're an archival historian, you always go to the documentation, and you see what you can find from the documentation. 
And in general, where possible, you ignore the discussion of the documentation until you have grasped the documentation. So there's, there is actually plenty of very, very easy to understand material that isn't really widely exploited to explain to people how things work. However, Debbie, all of this is, it should be redundant because what the GDPR did was it created a class of enforcer, a type of enforcer, and it gifted them with enormous powers. And it said the citizen does not need to put on a tinfoil hat; you are there to proactively investigate and enforce. And at the same time, of course, you should heed their complaints and take care of them too. So we should have a situation where enforcers who have been given incredible powers of investigation are conducting raids on tech firms, regular raids and are robustly and adversarially where necessary, disciplining companies and defining the rules of the road. Now that sounds completely at odds with the reality that we understand. If you've been in the Data Protection Act world for a week, you'll notice that when actually there is enforcement, it's surprisingly big news. It's a surprise to everyone that anything actually happens. And that means that, unfortunately, we, as individuals outside of that system, do need to learn how things work. And we do need to go to court. That wasn't the plan.

Debbie Reynolds  15:26
I would love to talk with you about your IAB Europe case. So this conversation is very timely. You've had a huge victory in this case; I would love for you to lay the groundwork for how this case came about and what's been happening with it up to this date.

Johnny Ryan  15:48
This has been a pretty long road. Back in September 2018, I filed a complaint in Dublin that was based on having worked in the RTB industry. Now, that complaint extensively quoted the industry's own documents, which say we broadcast in the sense of throwing it out to all and sundry, we broadcast highly, highly sensitive personal data. That's essentially what the evidence was. Now, I filed a complaint in September 2018. And colleagues of mine at an NGO in the UK, Open Rights Group, filed a duplicate of that complaint the same day at the ICO. And then, if I recall, January or it was January, the next year, and the first other duplicates from Panoptykon in Poland was filed. And ultimately, we've now had, one way or another, different groups coordinating. We've had duplicates and evolutions of that complaint filed. And each, I think now each European member state. Ultimately, it's an incredibly simple complaint; it says real-time bidding broadcasts a thing that is personal data. And the law says thou shalt not broadcast personal data. Now, that's a really simple proposition. It's obviously irreconcilable that you would have a wide broadcast of a thing that is intended to be kept completely confidential. So, you know, it's remarkable that it has taken us so long to get what you're describing as a big win. How it ended up in Belgium is that the complaint targeted Google, which has its own system, and the IAB, which has another system. The real-time bidding industry has 1000s of participants who do different things, but actually, there are only two rule setters. Google has its own system. And the tracking industry trade body called the IAB has a system as well. Confusingly, Google also uses the IAB system too. Now IAB Europe is headquartered in Belgium. And because of the way that the one-stop-shop system operates under the GDPR, the place where an entity has its headquarters in Europe is where the enforcement investigation will occur.
In theory, it's more likely that nothing will actually happen to the complaint whatsoever. In any case, and in the case of IAB Europe, something did happen. The Belgians received some enforcers forwarded the IAB part of the complaint, not all. Interesting that several actually failed to do so. That's not what is supposed to happen. When that was forwarded to the Belgians, we decided to focus that complaint on the component of real-time bidding that IAB Europe is particularly responsible for. And that component is called the Transparency and Consent Framework. Now I remember when this Consent Framework, as it was initially called, was conceived by a small little cabal of ad tech firms correction. So there were a whole lot of real-time bidding companies. You wouldn't put anything past them. They came up with this nonsense, but also the Daily Mail group, which in a very bizarre move, got into that group as well. So we had this so-called ad working group, the GDPR working group, I think it was called, and they came up with a system that they purported would make the data breach problem go away. And the system was this when personal data about what Debbie Reynolds is doing on the Internet in her most intimate moments and where she is in the real world, so we can see not just where she is now, but where she has a moment to go a day ago, a week ago, a month ago. This system, with you sharing those data with a large number of companies, was now going to be apparently made safe by all those companies saying they weren't going to misuse her data. So in a trust approach, everyone is on an honor system. Now, the law doesn't say have an honor system, especially not in the data industry. Where that's a particularly poor idea. The law says you must keep personal data confidential; you must secure their integrity. So the complaint was narrowed. Just that consent system. 
And the consent system itself stores a record about what people have been asked to consent to and what they have decided to do in that situation. Now, that entire consent request thing is entirely ridiculous. And it is the equivalent of me inviting you for a picnic on top of a skyscraper. To go through your, I don't know, your teenage diary, Debbie. And using yeah, well, okay, let's talk about my teenage diary. And we go up to the skyscraper roof, and I have my picnic ready for you there. And we're about to talk about your diary. And then I rip out all the pages and throw them over the side of the skyscraper. And my business partners, of course, photocopy each page. Just because you said okay, to us reading your diary together as we climbed the staircase doesn't mean you were okay with me broadcasting it to all and sundry. So, this idea of consent, making the data breach go away, purely because, you know, something like 1000 companies, over 1000 companies now have attested that they will honor some self-regulatory rules of the industry. It has no resemblance to what the law requires. It's not even remotely related. So it's, again, it was an evolution from the real-time bidding complaint, which relied on this security issue. But it was narrowed just to the consent matter.

Debbie Reynolds  22:45
Yeah, this is amazing. So I've been watching this case; I've actually done two videos about it. It was funny because I had to do the reason why I did two videos, one I had to explain how the whole TCP string works and then explain the complaint and what was happening. So a lot of people were really shocked. They didn't really understand that. But the thing that impressed me about this is that it was surgical. So I feel like, of all the litigation that I'm seeing around the world on these issues, this one really pierced the veil of what is happening sort of in the background. So not just what's happening in the foreground, but really narrowing in on, again, real-time bidding and what happens once a person says that they consent or not. And I think the issue that I've always had is that so much of what we do as consumers can be untethered from what actually happens in the background. So regardless of what we say, it's kind of like theater in a way, you know, to make us feel like we're doing something and making choices, but then other choices are being made about us in the background.

Johnny Ryan  24:09
Yeah, I think theater is probably the right phrase. Yeah, it's a compliance theater, a thin veneer of, you know, supposedly legality to cover very straightforward illegality. What is amazing is how long it was allowed to continue. Let's just think about what has happened for the last few years. And it's a bigger story than what we've been describing. There was a time when Europe mattered. Debbie, there was a time when Europe mattered, Ireland didn't at that time, so I can't claim to be that type of European. But there was a time when Europe set the agenda for most of the globe. Now, I'm not claiming that was a good thing or that we hark back to it. But that's the way it once was. In the last 10 to 15 years, Europe has earned for itself that position, the chance for that kind of influence in one domain and one domain alone. And that is regulation and only some regulation. And this is the old idea of the Greeks, educating the Romans, right that the Europeans that the regulation for the Americans, Chinese to follow the, you know, the old imperial power, mentoring, the upcoming powers. So this is a beautiful dream of decaying empires; it's not necessarily the truth. In any case, 2016, after Snowden, after those revelations, despite enormous lobbying to dilute the law, European co-legislators finalized the GDPR. And it makes not just European ideals law, but it backs them up in a very, very solid, robust way. And from 2016 on, the message is two things. One, we now have robust standards and sanctions in place, and our digital market is so big, it's still so big on the world scale, that it would be very foolish to not obey our laws because you won't be allowed into our market. In fact, you might want your domestic law to look like ours. Now, when I was in the industry, the big question was, are the Europeans serious about this? If they are, we better do something? The general view. But almost immediately, we have this consent theater.
It started with people being re-opted into mailing lists. You recall all of that totally stupid nonsense. And we didn't hear an enforcer say boo. And that was the first little hiccup in the GDPR. Second, we saw no enforcement against other obvious things. And for four years, now, four years nearly, we have had daily consent spam. And we haven't seen an enforcer do a thing about it until now. Now, these enforcers get out of bed every morning. And as they brush their teeth, they are confronted with clearly unlawful consent spam, and it's obviously spurious. And despite the nuisance for end users, just think about the cost of time wasted. They did nothing about it. And that had a consequence in the United States, too. There was a time not too long ago where part of my job was to lobby in Washington, among other roles. And I remember both hues of legislator they had this consensus view of Europe, you Europeans, and your red tape; you will not let the individual be master, you will not let the person be free. And you have to even red tape me when I visit Madrid or Berlin. As soon as I open my phone, your red tape attacks me. Your whole GDPR approach is nonsense. That's the view they had. Because we allowed the industry to undermine the principles of the GDPR of data protection law. And now we have a situation where I'm happy to say it looks like maybe some parts of the apparatus mean business most don't. The GDPR is still not real. But we're seeing a little glimmer of hope in some areas, and the TCF decision is one of them. But at the same time, the IAB is actively trying to now transpose the TCF consent spam over to the US. And you now have, if you're in California, consent spam in the form of the CCPA framework, and they're sprinkling it in any other jurisdiction where it could be helpful to allow completely illegal business as usual to continue under a thin veneer of supposed legality. So there are a few things happening here. Europe business, but it didn't. Right? 
That's a problem. One of the last new jewels in her crown is losing credibility. And if we allow the GDPR to lose credibility, there really is not much point in Europe. When we look back on this decade, we will, of course, think of COVID. But in Europe, we might think it was our last chance to be Europe. It's possible, and the failure to make the GDPR real may be a part of that. And I place blame for that in a few different areas. Yes, of course, it is clear that we have a profound problem with the Irish Data Protection Commission. That is, I think, no longer a controversial thing to say. And I am still waiting for any action on my original RTB complaint against Google, any action. In fact, just a day before Christmas, the 24th of December, after more than three and a half years, the DPC finally produced an internal document specifying what it intends to investigate in my real-time bidding complaint. That's quite remarkable. But it's not just the DPC, and the European project has built into it an understanding that different member states will very often not do what everyone has agreed to do. And when that happens, the European Commission's job is to monitor and know that it's happening and then to take the member state to court. And unfortunately, we have a European Commission that is too interested in the next generation of digital law and has completely neglected the GDPR. And we've been escalating this matter. It's now a complaint at the European Ombudsman that's on the desk of Ursula von der Leyen, who is the president of the European Commission. So we're putting the pressure on to see that enforcement happens against Google. But it should be a shock to any European that it is still taking after three and a half years more time to see the beginnings of any action on that front.

Debbie Reynolds  32:06
In my view, a lot of the confusion for people or the reason why kind of real-time bidding has been able to flourish the way that it has. Obviously, it's very lucrative, right. But some of it has been people made the argument that you know, because I was my sort of the direct person that the data was given to they think that they aren't a data controller.

Johnny Ryan  32:33
And we all think what we all think, but it's not our job; it's a judge's job to decide what is and what is not. The Wirtschaftsakademie Schleswig-Holstein Academy case is maybe the interesting one. Because here you had a business school that said we don't touch the data, we simply give Facebook an understanding of the kind of people we're trying to engage with and show ads to, and then we received back from Facebook, whatever reporting it gives us. And the ULD, Marit Hansen was the Enforcer, and the ULD as the regional enforcer in, in the relevant lander in Germany, Schleswig-Holstein, he will he said, look, you haven't taken any care to check that the company you're spending money with to show your ads, Facebook, in this case, is behaving correctly. And I mean, it wasn't that surprising that Facebook might not have been behaving correctly at that point. And you know, this went on a tour of all of the German courts; it cascaded through a succession of Appeals. And what the European Court of Justice ultimately said is, as an advertiser, when you commission advertising, using technical systems that you don't control, but that exposes other people's data to being processed for you to have your ads shown to them. And when you receive reporting back on those ad campaigns, you are a controller. And we know from the text of the GDPR itself that each controller can be liable for the full damage that could come out of someone seeking a judicial remedy against you. So this has been known and stated by the highest court in Europe for several years now. It is it would be alarming to me if there were any significant advertiser that did not properly understand this. There is a problem, though, and the problem is that enforcement, I don't mean through the courts, I mean by supervisory authorities, enforcement has been so lacking that it's easy to forget the law exists. Where is it? Unless someone litigated against you, you do not have to fear your local enforcer, the ULD.
In the case of Wirtschaftsakademie, Schleswig-Holstein Academy was very unusual. And in the absence of more examples like that, it is no surprise that the industry continued to believe that the illegal business as usual, somehow it either wasn't on the hook for it, or it wasn't illegal. Or we could make people click boxes that say okay. Let me suggest there's another villain in this piece. And the villain is circumstance. We've had a generation of data protection lawyers who built their careers at a time when data protection law carried no penalties, no sanctions, and it didn't matter. You simply said beautiful things in your privacy policy, spoke a few platitudes on stage, and ticked the boxes, which was a different thing from what was actually happening to the data. And you see this, this approach, I think, on the part of a generation, slightly older generation, in many cases of data protection lawyer, than they'll probably come onto your program in a few weeks and say, I think we can continue everything, we just need to write the following stuff down and bits of paper. It is hard for such a person who built their career at a time when the law existed only on paper, I think, to imagine enforcement, but enforcement is coming and won't come, in many cases, from enforcers; it'll come through litigation. But there's litigation happening behind the scenes that we're not yet publicizing. And our peers aren't yet publicizing. And that assumption that data protection lawyers exist just to buck takeovers of the status quo, and you see it on Twitter from some august personalities, that is going to look a little bit old fashioned. Think of the financial sector after the collapse, and these things start to look a little bit less relevant. When reality reasserts itself.

Debbie Reynolds  37:30
I agree with you on that. I'm a data person, like you. And so I really want the things that are happening really speak about what's actually happening, as opposed to what we think is happening. So I always tell people, you know, instead of let's not try to be aspirational and be more operational, let's talk about what actually truly happens in the background. So I want to know what's next with this IAB Europe case? I know that you know, they have been given a deadline to make some changes, I guess or come back with a new proposal in some regard. What was the deal?

Johnny Ryan  38:12
Let me modify that. They have been given a deadline to attempt to make some changes, and not just any changes. First, the order was immediately enforceable from the second of February. So it's not that they've been given a deadline to continue till what they're doing isn't okay should stop. Now. I don't know, and maybe it's legal to use the TCF to get someone to consent to you knowing what their favorite color is and telling no one else. But you certainly cannot legally today use it for real-time bidding, which is what it was made for. So that's the situation at present. They have until the beginning of April, April Fool's, I believe, to come back with a remedy. Now, a fundamental problem in real-time bidding is called real-time bidding. And the only way to make real-time bidding compatible with something called the law is to remove personal data. Now, that's actually a very sensible thing I think to do. If you did it, you probably wouldn't need a TCF because you're not dealing with personal data. But when you asked me what my background was earlier, you'll remember I told you a story about how we built a system to do this half a decade ago, and it worked very well, thank you very much. There are several companies now that are doing the same thing. In Norway, there is a supply-side platform, an SSP, called Kobler; I think they are starting to license their technology. So there is something for SSPs to explore. And there is a small firm called OptOut Advertising that spun out of a sales house called Ster, and Ster represents a broadcaster in the Netherlands that took a nonpersonal data approach and had, it appears, very, very positive revenue results. So I think we're at a moment where we're going to see real-time bidding maybe continue in a form that doesn't involve personal data. Now, that's a whole conversation in and of itself. And feel free to challenge that position because it might be an interesting discussion for anyone in ad tech who is listening.
And this is not a new idea. Plenty of work has been ongoing over the last 10 years on that proposition. So there's plenty of thinking to tap into. There's another possibility, which is that some companies will persist and use personal data in real-time bidding and maybe use the TCF for that. I mean, this is lawsuit bait; we already have litigation on the way, well, actually ongoing in Hamburg against IAB TCF. And I'm very reluctant to go after publishers, because of my background, in part, but that reluctance will quickly fade if this problem is not resolved immediately. So I think we're going to see or are seeing a change. And I've heard advertisers, in particular, thinking that way. Now, what I don't want to see is that because we have had unbalanced enforcement, where the external data breach is starting to feel some heat, but the internal data breach is continuing unabated, that we would see significant advertising spending move to the walled gardens. I would not like to see that. And I think it would also be quite foolish. It is likely that when you remove personal data from real-time bidding, you get a few surprising, perhaps, benefits. One of them is, I suspect, bot fraud is going to fall off a cliff. A problem in tracking people across websites, using bid requests to do so, and retargeting them later, is that if I am a fraudulent website and I am hiring a platform to bring advertising dollars to me, I ask a bot to make itself sticky on some premium publisher's website. So then it looks like an auto intender, someone who wants to buy an expensive car. And then I bring that bot back to me. And it brings back the big automotive ad dollars with it. So I suspect that when you remove personal data from the bid request, we know that it'll stop that. Right. And I suspect we're going to see that that saves advertisers, and the estimates are all over the place. But I think we'd be talking billions.
We're also, I think, going to see good news for premium publishers, or at least legitimate and premium publishers. Right now, if Johnny sets up a crank website in his garden shed saying kill all pale Irish white people registered in Ireland. For some reason, I want to kill people who are like me, and clearly, no advertiser wants their stuff on that website for very good reason. But let's imagine that my stuff manages to attract some sort of an audience, even if it's an audience only of bots. I'm still bringing the money onto my website, which advertisers are paying for. And if I'm taking people from the Irish Times, you can now target the Irish Times auto intender on my website. Amazingly, what's happening is this cross-device tracking that allows you to link the high net worth individual who's reading the Irish Times right now and wants to buy a car and would like to see a car ad, by being able to follow that person with that car ad to my crank website. You give me a business model. My crank website has a right, perhaps, depending on how I go about it, and I guess it has a right maybe to expression if it's not illegal material, although the way I've presented this hypothetical, it is illegal. Anyway, let's imagine not exhorting people to kill people; just be rude to Irish people on the street is my conspiracy website. It doesn't deserve to have a business model, that website. But today, it would have a business model if I can arbitrage The Irish Times's audience. And I could contrive ways to do that. Even if that audience were only bots, I could make that happen now. So it's a very long-winded, poorly structured answer, Debbie. But what I'm suggesting is, I have always thought that when we end the data leakage, we don't just do a service to future generations and the sustainability of our societies and legitimate media, but we also help advertisers and publishers too.
The people who will lose are the AdTech players in the middle, who have been selling data under the table, it appears at a profit, and who have been taking a chunk of the discounts that they have been claiming they produce for advertisers when they put ads on junk websites that otherwise would only have been on legitimate websites. They will be hailing about this until the cows come home. And they run the IAB. So I don't expect the IAB to be rational about this. Unless you judge the reason is serving the interests of the ad tech companies that ultimately, I think, are going to have to be dragged into reform.

Debbie Reynolds  46:41
Change is coming; Winter's coming. This is going to change; it is becoming summer.

Johnny Ryan  46:49
The White Walkers are going to be led home in chains and thrown into the fire.

Debbie Reynolds  46:58
Excellent. Oh, my goodness, oh, my goodness. So if it were the world according to you, Johnny, and we did everything you say, what will be sort of your wish for kind of data protection or privacy in the future?

Johnny Ryan  47:12
There is a beautiful sentence in, I think, recital four of the GDPR. And it begins, the processing of personal data should serve all mankind. That's what I want. If we think data matters, and some people do, they call it, ridiculously, oil, and so on. If we think data matters, and if we really understand the danger of information when misused, it is very important for us to start treating it correctly. And if you want to see what it looks like when data are misused, take a look at the graveyards of the Huguenots. You'll probably be familiar with the story of how the Huguenots were all slaughtered one night in Paris in their beds in the 1850s, 1860s; I cannot remember which. And how was this logistical feat of murder accomplished? Apparently, through the use of the Paris tax roll. We have plenty of examples through modern history of where data misuse has been very, very, very dangerous indeed. And I think they're all around us now. I want European data protection law to be made real. And I want parties who assume that the only viable business model is to have a data free-for-all inside or outside. I want to put the fear of God into them. Pick your God, in this case, any god. I want to put the fear of any God into that and have the next generation of their competitors, the nascent companies that are coming up now, start properly innovating and thinking about alternatives because business as usual has been a problem.

Debbie Reynolds  49:09
That's a great answer. Yeah, I agree that is going to change; it has to change. And as you pointed out, there are benefits there. You know, we're seeing a lot more pushback even in the US, but consumers are not okay once they figure out what's happening with their data. So I think, you know, this is going to have a huge ripple effect around the world in the next generation of AdTech, I think.

Johnny Ryan  49:35
Let us hope.

Debbie Reynolds  49:38
Well, thank you so much for this. It's been amazing. Yeah, it's great. Great afternoon. Hopefully, we'll find other things on which to possibly collaborate. Thank you so much.

Johnny Ryan  49:50
Thanks, Debbie. Bye-bye.