Updated: August 19, 2022
Google has been accused of breaching one of the General Data Protection Regulation’s (GDPR) principles surrounding consent that requires companies to provide a specific purpose for collecting and processing user personal data.
The GDPR’s purpose limitation principle requires organisations to only collect and process personal data for a narrow purpose that must be explicitly expressed to consumers.
Labelling Google’s privacy policies as “hopelessly vague and unspecific”, Brave chief policy and industry relations officer Johnny Ryan said Google’s reasons for collecting data and allegedly limiting detail about how the information is used — such as “developing new services” — resemble examples of bad practices that have been drawn out by the GDPR.
Ryan also alleges that while Google provides personalised ads for users based on their interests, it has limited information regarding the purposes of processing and why users are seeing a certain ad.
“It is not apparent from the policy which activity, product, or interaction is covered by which purpose. It is therefore difficult (if not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc,” Ryan said in the complaint.
The complaint also includes a study, called Inside the Black Box [PDF], which itemises Google’s processing purposes for collecting personal data from integrations within websites, apps, and operating systems. The processing purposes range from accounting to advertising to transactions.
Referring to the study, Ryan claims that Google’s purposes for collecting data are “so vaguely defined as to have no meaning or limit … the result is an internal data free-for-all that infringes the GDPR’s purpose limitation principle.”
“Merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them,” Ryan said.
“But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR.”
As part of the complaint, Brave has also asked for Google to provide a complete and sufficiently specific list of the purposes for which Google processes personal data, as well as the relevant legal bases for each purpose. Google allegedly has repeatedly refused to provide a substantive explanation of its processing purposes to Brave, the Chromium-based browser said in the complaint.
The DPC is already conducting an investigation into how Google processes and manages user data, such as GPS datasets. For that investigation, the Irish regulator is seeking to understand whether or not the tech giant has a legal basis for processing user location data, and whether or not these processes are transparent enough to satisfy GDPR.
The researchers behind the study have also filed a complaint asking for Norwegian regulators to start an investigation against the dating service.
Data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities and here are some trends coming to surface.
ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
The companies’ roles as data controllers are being examined in depth.
A new survey finds many companies are still in the dark about GDPR compliance.