JOHNNY RYAN FOUND himself in the hot seat in Washington, sitting before a US Senate judiciary committee.
The hearing, chaired by Republican senator Lindsey Graham, was taking the pulse of the digital advertising landscape.
Ryan, alongside other industry pros, was testifying on issues around privacy and antitrust in the online advertising industry, giving his two cents on several matters that may inform future federal policy in the US.
He is the chief policy officer at Brave, a tech company designing a new type of web browser that has a privacy focus and anti-tracking bent.
It’s trying to build a new system of browsing the web and engaging with online ads, which includes greater control for the user over ads they see and what tracking tech is used.
The browser is also facilitating direct payments between readers and publishers using crypto tokens and in 2017 the company raised $35 million through an initial coin offering.
Ryan, in his previous role at Irish media software company PageFair, knew all too well the push and pull among online publishers, advertisers and privacy advocates.
Central to PageFair’s mission was providing an alternative to privacy-abusing online ads – other than ad-blocking – that would help publishers retrieve lost revenues.
While a valiant effort, the company struggled and was ultimately acquired late last year by Canadian company Blockthrough.
“At PageFair we had brought to the market a kind of catalytic converter to clean up dirty adtech and the problem was that no one felt they needed to buy it,” Ryan says.
“We were too early at PageFair with what we were doing.”
But with Brave emerging not long before that, it seemed like a logical place for people with these skill sets to wind up.
“There’s an awful lot of people with adtech backgrounds that suffer adtech remorse and Brave is a logical home for these people.”
Still based in Ireland, Ryan has become a vocal critic of adtech practices and data protection issues.
Sitting before senators, he was now making his case for the US to follow Europe and implement a GDPR-like federal law.
On the surface, it’s an ambitious task that digital privacy rights groups have been calling for for a long time but bubbling beneath that surface is a groundswell of changing attitudes.
Last year’s Cambridge Analytica scandal can be pinpointed as a key moment where politicians and consumers alike realised the true effects that data manipulation and data breaches can have.
In the shadow of Brexit and Trump, the tangible impact of personal data now felt very real.
And in an almost poetic turn of events, the scandal broke with just weeks to go before the EU’s General Data Protection Regulation (GDPR) came into effect on the now-fabled date of 25 May 2018.
All eyes were now on a dense piece of European Union data protection regulation.
In general, Ryan says he’s a fan of GDPR, which places a greater onus on companies to guard data, lest they pay hefty fines, and it should be the model that all such regulation is built upon in the future.
“On both sides of the political divide, which is unfortunately acute, they are united in their frustration with what is happening on the web and mobile apps,” he says.
Ryan proposed to US senators that there are two key elements to any future legislation that will tackle privacy concerns as well as concerns “the big guys are getting too big”.
The first is purpose limitation – the restriction on companies to only collect and use data for one specific use and to seek further consent for additional uses.
Secondly is the right to opt out or withdraw consent clearly and easily.
“GDPR says consent should be as easy to back out of as it was to give in the first place,” he says.
This will, he says, create more freedom in the market.
“Big companies will find themselves entirely at the mercy of their users who can decide, by defining what data can be used for, when to softly break up companies and unbreak them up,” Ryan explains.
“Government doesn’t necessarily need to be the one breaking up Amazon or Google; users can do that if you have a GDPR-like law that is enforced,” he says.
“Big companies want to conflate multiple purposes and put up notices saying, ‘Hey we would like to improve your experience’, which could mean anything.”
It could still be years before a US federal law like GDPR – whether strict or lax – comes into force given all the political jostling that will take place.
In the meantime, individual states like California and New York are passing their own laws to take on the issue – with varying results.
“(California) put the fear of God into a lot of tech companies who then went to Washington and said we need a federal law that pre-empts state law,” Ryan says.
If every state has its own unique data privacy law on the books, it creates a patchwork of laws that becomes unwieldy.
“Figuring out how to avoid legal hazard becomes very difficult. What (tech companies) want is a common system across all states,” Ryan says.
“Ideally for a lot of these companies, they would like low standards that are common but if they have to accept high standards that are common, at least they are common. It’s the same logic as the GDPR.
“That increases the pressure on the industry lobby to get a federal law on the books.”
Whether it’s a strong one is another question entirely, he adds.
One year on
Late last month GDPR turned one year old with the law placing Ireland in the international spotlight.
Ireland’s data protection commissioner Helen Dixon has found herself as arguably the world’s most influential data protection authority.
With Facebook and Google among many others basing their European headquarters in Ireland, they fall under the jurisdiction of Dixon to field many of the complaints filed against these companies under GDPR.
Dixon has over 50 investigations under way. The latest being into Google’s Ad Exchange, a marketplace for buying and selling ads, which was actually launched on the back of a complaint by Ryan.
However Dixon has yet to level any GDPR-era fines.
This has led to criticisms of Dixon for not acting fast enough but in Ryan’s view, regulators around the EU haven’t been acting quick enough.
There have been some fines around Europe over the last 12 months with the largest by far being a €50 million levy slapped on Google by France. That takes up the lion’s share of the around €56 million in penalties in year one.
The doomsday prophecy of fines tallying tens and hundreds of millions of euro hasn’t quite come to pass. At least not yet.
For Ryan, some regulators across Europe haven’t been quick enough to act to enforce the rules as they have adopted a slower wait-and-see approach on how the wide-ranging laws should be interpreted.
Many regulators, he says, have been wrongly waiting for another piece of EU legislation, the ePrivacy regulation, to come into effect and firm up things further.
ePrivacy would govern electronic communications and features like tracking cookies on websites but it has been in legislative gridlock for years and was even originally slated to enter law the same day as GDPR. That of course did not go according to plan.
As a result of this, regulators can’t hang around, Ryan says, and need to be quicker in reacting.
His recent Google complaint was filed in Ireland last September and is just being acted on now. A duplicate complaint was filed with the UK’s Information Commissioner’s Office at the same time and it has yet to act – though this week it published a report that acknowledged the problems in online advertising.
“I think it’s an absolute catastrophe that the GDPR has yet to be properly enforced. Today it is a thing on paper,” Ryan says.
“Its enforcement has yet to begin. We’ve had a few small fines but we’re at the very first stages and that’s a pity.”