Johnny Ryan Exits Brave With Plans To Push Hard For GDPR Enforcement

Johnny Ryan testifies before Congress in May 2019.

Johnny Ryan, a professional thorn in the side of big tech and ad tech, left browser company Brave this week to go nuclear on data rights.

He’s now a senior fellow at Open Markets Institute, a think tank focused on antitrust issues, and a senior fellow at the Irish Council for Civil Liberties, a Dublin-based human rights organization which has a long history of campaigning for data rights.

Ryan spent two years as chief policy and industry relations officer at Brave, during which time he helped file complaints in 16 different European countries calling out real-time bidding as a violation of the GDPR.

But, so far, there’s been no enforcement action of “any substance whatsoever,” Ryan said. But in his new roles, he’ll push more aggressively.

“My objective is to obtain total and complete enforcement of data protection law in this industry,” he said. “Our colleagues in ad tech firms, and even some enforcers, seem to think they can hide behind small gestures until this goes away – but this is not going away.”

AdExchanger caught up with Ryan for a few hot takes.

On leaving Brave: “Before Brave, I spent some months trying to get NGOs to act, to no avail. Then I joined Brave and realized that we needed to take action ourselves. We spent two years trying to get enforcement, but the enforcers did not act. It’s clear to me that it’s time to move to the next level, and that’s preparing for litigation.”

On litigating to prompt GDPR enforcement: “If you are an enforcer whose job is to enforce the GDPR, but you prove either unwilling or unable to do so, that inevitably makes you a target for litigation.

“The courts can be slow, but at least you get a decision rather than a slow dribble of inaction. The ICO in the UK has been particularly poor. The Irish Data Protection Commission has yet to produce anything. As a group, the data protection authorities have disappointed.”

On whether he loves it that ad tech companies sorta hate him: “I’m not sure that ad tech companies do. I’ve been on their side of the table, and I remember how it feels to be wedded to the status quo and have somebody who you may think is a privacy zealot throwing stones at your glass house. I’ve worked for a publisher under fire [The Irish Times], and at an ad tech company [PageFair], so I get it. It is hard for ad tech companies not to feel under siege.

“But these changes are bigger than any individual. They’re real and, as I have told colleagues in the industry year after year, it’s time to properly engage with them.”

On his proudest moments: “Nothing has been achieved yet: Internet users remain subject to exactly the same hazards as two years ago.

“But perhaps there were a few proud moments. One was contributing to a counter-lobbying effort with Ashkan Soltani and others against an amendment from California state Sen. Henry Stern, which would have diluted the CCPA and created an exception for ad tech. We prevailed. The amendment didn’t pass. That felt good.

“Another moment was when I had a drink with Ashkan, Alastair Mactaggart [the man behind the CCPA] and his wife Celine in San Francisco the night they submitted the CPRA [California Privacy Rights and Enforcement Act] for the November ballot. CPRA includes the first legal definition for proposed cross-context behavioral advertising that doesn’t disadvantage publishers for using their first-party data, but does disadvantage all of the people stealing publishers’ lunch. I contributed a little to the text of that law, and I think it will materially improve everybody’s privacy and publishers’ sustainability.

“The third one is seeing the data from NPO, the national broadcaster of the Netherlands. I had talked with them for years about removing third party ad tech. They finally did it in January 2020, and saw a massive revenue increase. This revenue increase happened not only on their big sites, but on sites with much smaller market share too.”

On why contextual just might be the cookie killer we need: “NPO, with their sales house, Ster, increased ad revenue by 37% in August year over year – and the month has only just begun. In July, revenue increased by 25% compared to July last year. What changed? They dumped ad tech and innovated to maximize context. This also suggests that perhaps sales houses and allowing many publishers of different sizes to use a single sales house, is the answer, yet again.

At the W3C right now, Criteo, Google and others are proposing newfangled ways of doing the same old things without cookies. But before you even think about trying to resurrect third-party tracking, one has to consider the example of NPO and others. Publisher trade bodies should be urgently examining this question – and should force this onto the agenda of the IAB and other tracking industry trade bodies.”