Big quote: "The purpose of the submission is to seek action by the ICO that will protect individuals from wide-scale and systemic breaches of the data protection regime by Google and others in the industry. It is supported by the accompanying statement of Dr Johnny Ryan ('the Ryan Report')."

Other than a man using provisions set forth by Europe’s new General Data Protection Regulation only to find he has spent over $10,000 in two years on FIFA microtransactions, the GDPR has not been stirring up a lot of dust. That might be about to change with a filing alleging that Google and other adtech firms are violating the rules set forth in the new regulation.

On Wednesday, Brave filed a complaint with UK and Irish regulators over potential GDPR violations. The company, which develops the privacy-focused Brave browser, alleges that Google and others are auctioning user data and that the information not only contains sensitive details such as sexuality, ethnicity, and political opinions, but also that it is not secured correctly.

“There is a massive and systematic data breach at the heart of the behavioral advertising industry,” Brave’s chief policy officer Johnny Ryan told Reuters. “Despite the two-year lead-in period before the GDPR, adtech companies have failed to comply.”

“[This] is likely to have far-reaching and dramatic consequences, which may change our fundamental relationship with the Internet.”

The filing claims that this information is sometimes distributed to hundreds of companies without the user’s knowledge and then ad space is auctioned off based on that data. It’s called “real-time bidding” and is facilitated through two channels — OpenRTB, which is used by most companies in the behavioral advertising industry, and Authorized Buyers, which is run by Google.

The complaint specifically cites violations of the GDPR’s requirements for personal information to be processed such that it is secure against accidental loss and unlawful processing.

“[Google and others are guilty of] wide-scale and systematic breaches of the data protection regime,” said the filing.

If the newly formed European Data Protection Board, which is responsible for enforcing GDPR violations, finds in favor of the plaintiffs, it could mean a massive fine for Google. Under the regulation, a company can be fined up to 4 percent of its global turnover.

Google claims that it has already employed several strong privacy protection measures in cooperation with European regulators. It says it is “committed to complying with the GDPR.”

At the very least, the complaint is going to serve as a test case for the Data Protection Board. However, depending on what the board finds, it could have implications that according to plaintiff attorney Ravi Naik, “is likely to have far-reaching and dramatic consequences, which may change our fundamental relationship with the Internet.”

Johnny Ryan's report on the issue on Brave's website provides an in-depth look and the issues prompting the filing.