Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.
Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation however.
“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”
The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.
DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.
This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.
Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.
With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.
“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”
GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?