wordpress blog stats
Connect with us

Hi, what are you looking for?

Irish privacy regulator launches first probe into Google under GDPR

Ireland’s Data Protection Commission said it would investigate how Google treats personal data at each stage of its ad-tracking system, and whether its activities are in breach of the General Data Protection Regulation (GDPR). This is the first investigation of Google under the GDPR, which came into force on May 25 last year. It is the result of complaints by several companies – including Brave Software Inc (see below) – about the way Google handles personal information for advertising. Under the GDPR, regulators can fine companies up to 4% of their global revenue or 20 million euros, whichever is higher.

Ireland’s DPC, which is the main regulator for data privacy in the EU, said in a statement, “A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange. The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the GDPR. The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”

A Google spokesperson told MediaNama in a statement, “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards.”

Brave’s complaint against Google’s data sharing practices

Brave Software owns the privacy-focussed Brave browser, which blocks ads and website trackers, and lets users opt in to watch ads instead of tracking them online. In September, when Brave lodged its complaint, its chief policy officer Johnny Ryan wrote in a blog that when a person visits a website and is shown a “behavioural” ad, Google and other ad tech firms broadcast intimate personal data to tens or hundreds of companies to solicit bids from potential advertisers seeking the attention of the specific individual visiting the website. “A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorised access. Under the GDPR this is unlawful,” Ryan wrote. He cited Article 5, paragraph 1, point f of the GDPR, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” He said, “If you can not protect data in this way, then the GDPR says you can not process the data.”

What information do bid requests contain?

Advertisement. Scroll to continue reading.

Ryan wrote in his post that bid requests can include the following personal data:

  • What you are reading or watching
  • Your location
  • Description of your device
  • Unique tracking IDs or a “cookie match”. This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you.
  • Your IP address (depending on the version of the “real time bidding” system)
  • Data broker segment ID, if available. This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc (depending on the version of bidding system).

Google is unlikely to be the only large technology firm to face action under the GDPR. The European headquarters of many such firms are in Ireland, and the DPC said earlier this month that of 17 of its 51 large-scale ongoing investigations related to large tech companies, including Twitter, LinkedIn, Apple and FacebookReuters reported.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ