Ireland’s Data Protection Commission said it would investigate how Google treats personal data at each stage of its ad-tracking system, and whether its activities are in breach of the General Data Protection Regulation (GDPR). This is the first investigation of Google under the GDPR, which came into force on May 25 last year. It is the result of complaints by several companies – including Brave Software Inc (see below) – about the way Google handles personal information for advertising. Under the GDPR, regulators can fine companies up to 4% of their global revenue or 20 million euros, whichever is higher.

Ireland’s DPC, which is the main regulator for data privacy in the EU, said in a statement, “A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange. The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the GDPR. The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”

A Google spokesperson told MediaNama in a statement, “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards.”

Brave’s complaint against Google’s data sharing practices

Brave Software owns the privacy-focussed Brave browser, which blocks ads and website trackers, and lets users opt in to watch ads instead of tracking them online. In September, when Brave lodged its complaint, its chief policy officer Johnny Ryan wrote in a blog post that when a person visits a website and is shown a “behavioural” ad, Google and other ad tech firms broadcast intimate personal data to tens or hundreds of companies to solicit bids from potential advertisers seeking the attention of the specific individual visiting the website. “A data breach occurs because this broadcast, known as a “bid request” in the online industry, fails to protect these intimate data against unauthorised access. Under the GDPR this is unlawful,” Ryan wrote. He cited Article 5, paragraph 1, point f of the GDPR, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” He said, “If you can not protect data in this way, then the GDPR says you can not process the data.”

What information do bid requests contain?

Ryan wrote in his post that bid requests can include the following personal data:

  • What you are reading or watching
  • Your location
  • Description of your device
  • Unique tracking IDs or a “cookie match”. This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you.
  • Your IP address (depending on the version of the “real time bidding” system)
  • Data broker segment ID, if available. This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc (depending on the version of bidding system).

Google is unlikely to be the only large technology firm to face action under the GDPR. The European headquarters of many such firms are in Ireland, and the DPC said earlier this month that 17 of its 51 large-scale ongoing investigations related to large tech companies, including Twitter, LinkedIn, Apple and Facebook, Reuters reported.