As reported by Reuters, due to numerous complaints, Google is facing what many consider to be a landmark investigation for GDPR violations. The investigation in question relates to how Google handles data when advertising, and it is being carried out by the Irish Data Protection Commissioner.
The Data Protection Commissioner released this statement on the investigation:
Arising from the Data Protection Commission’s ongoing examination of data protection compliance in the area of personalised online advertising and a number of submissions to the Data Protection Commission, including those made by Dr. Johnny Ryan of Brave, a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange.
The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR). The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.
The reference to Dr. Johnny Ryan, who works as chief policy officer on the Brave privacy browser, is key as his assertions are a major part of the Data Protection Commission getting involved in this case. Dr. Ryan submitted evidence that showed, according to Brave’s report on the matter, major issues with Google’s “DoubleClick/Authorized Buyers.” The DoubleClick/Authorized Buyers are installed on over 8 million websites, and according to Dr. Ryan’s research, Google has been using them to broadcast private data about users to roughly 2000 different companies “hundreds of billions of times a day.”
If these allegations are found to be true, Google is in direct breach of the GDPR Article 5, namely the portions (1)(a), (1)(b), and (1)(f). These state that personal data must be “tightly controlled” and also that users must have clear information of how their data will be used. Google, if found to be in violation of GDPR Article 5, may be fined up to 4 percent of its global revenue — which could amount to more than $5 billion.