Real-Time Bidding (RTB) systems are the subject of a spate of privacy complaints filed to the European Union, which implicate Google and other major companies for leaking personal data “hundreds of billions of times”.

The complaints have all been filed under Europe’s General Data Protection Regulation (GDPR), which was implemented almost exactly a year ago.

Eticas CEO Gemma Galdon Cavell, who filed one of the complaints in Spain, indicated that more still needs to be done when it comes to data protection and ad tech.

“We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products”, said Cavell.

“Data protection is a legal requirement must be translated into practices and technical specifications”.

Similar complaints have been issued to a total of seven EU companies concerning leaky ad techs.

The complaints accuse Google and the Ad Tech industry of sending distinctive information about a specific person’s device – including a person’s inferred religious, sexual and political characteristics and exact GPS location – to tens of thousands of companies in the form of “bid requests” through their RTB systems.

Google’s online advertising arm ‘Authorized Buyers’ (previously known as DoubleClick) is actively gathering data from 8.4 million websites.

What happens after this data has been collected is the subject of concern in the GDPR complaints.

Advocacy group ‘Fix AdTech’ points out that although Google has authorised over 2,000 companies to process this data, it stills relies on these companies to self-report if something goes wrong.

And while it is no secret that such techniques have been in place for years now, the complainants are arguing that this model is now in violation of the sweeping recently introduced GDPR laws.

In particular, Article 5 (1)(f) of the regulation requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss”.

The GDPR is known for its harsh punishments for businesses found to be in violation of any requirements.

The fines for the top tier of non-compliance is up to €20 million, or 4% annual global turnover – whichever is higher.

It is not yet clear how the EU and its local bodies will process the complaints.