Google Accused of Violating Numerous GDPR Guidelines

It appears that once again Google has been in breach of the General Data Protection Regulation (GDPR). Accusations have been leveled against Google on the grounds of a lack of transparency, inadequate information and a lack of valid consent regarding ads personalisation. In this particular instance, accusations surround the consent required to process data. This is one of the most basic principles of the GDPR. It requires companies to provide a specific purpose for collecting and processing user personal data.  

In a complaint filed with the Irish Data Protection Commission (DPC), Chromium-based browser Brave accused Google’s privacy policy of infringing the GDPR’s “Purpose limitation” principle. According to the complaint, Google “Does not transparently and explicitly specify the purposes for which the data is collected and processed”.

According to the GDPR’s purpose limitation principle, organisations must only collect and process personal data for a streamlined, stated and well-defined purpose. Using the data outside this principle requires new consent to be obtained for the new purpose. The narrow purpose must be explicitly expressed to the data subject.

In the complaint, Brave’s chief policy and industry relations officer Johnny Ryan has stated that Google’s privacy policies are “Hopelessly vague and unspecific”. He also claims that Google collects more information than it needs to and categorises its purpose as a need for “Developing new services”. This goes against GDPR stipulations.

The complaint also outlines that while Google provides personalised ads for users based on their interests, it ostensibly fails to show why a user may be seeing a certain ad. All this amounts to a lack of transparency and a scarcity of information readily available to users.

“It is not apparent from the policy which activity, product, or interaction is covered by which purpose. It is therefore difficult (not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc,” says Ryan.

Further to this, the complaint includes a detailed study entitled Inside the Black Box, which categorises Google’s processing purposes for collecting personal data from a third party and integrated websites, apps, and operating systems. This is significant given how comprehensive the corresponding uses are and how the purposes blur. In the study, the processing purposes range from accounting to advertising to transactions, yet the consent is obtained vaguely and, perhaps, inadequately.

The study says, “So vaguely defined as to have no meaning or limit. The result is an internal data free-for-all that infringes the GDPR’s purpose limitation principle.”

“Merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them”. The study is explicit in its calls for more transparency. 

What Brave’s new evidence reveals is that Google could be reusing personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. We all ought to be worried if Google’s internal data infringes the GDPR as this is a global concern. 

Google has allegedly refused to provide a comprehensive explanation of its processing purposes to Brave despite repeated requests. 

In light of this and based on all the allegations against Google, the DPC is already conducting an investigation into how Google processes and manages user data, such as GPS datasets. The Irish regulator will conclude whether the data giant has a legal basis for processing user location data and if these processes are transparent enough to satisfy GDPR thresholds.

By understanding Google’s possible violation, business owners worldwide can better navigate their own GDPR compliance efforts.
