Google has violated GDPR norms in handling user data, said a complaint filed by privacy-focused browser Brave with the Irish Data Protection Commission (DPC).
“Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the Internet”, wrote Johnny Ryan, Brave’s chief policy and industry relations officer.
“But merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them. But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR”.
Has Google really violated data privacy policies here? The “intentionally opaque” way in which Google handles user data “certainly indicates” so, Attila Tomaschek, data privacy expert at ProPrivacy, told SC Media UK.
“GDPR dictates that businesses must provide consumers with transparent and explicit information related to the purposes for which their data is collected, and must limit the purposes for data collection to only what is legally necessary,” he explained.
“The Irish Data Protection Commission is currently investigating the case to determine whether or not Google is in violation of GDPR rules, but Google being intentionally opaque about the way the company handles user data would certainly indicate that the complaint lodged by Brave is valid and that Google is in breach of European data privacy regulations.”
The GDPR purpose limitation principle requires organisations to ring-fence personal data internally and use it only for the narrow purpose it was collected for. Brave claims it has evidence to show that Google’s internal data “free-for-all” (the method of using the data collected by subsidiary services, as listed in its study named Inside the Black Box) is unlawful.
Brave has written to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission about the “purpose limitation complaint” it filed. While the intention is clearly stated, Tomaschek does not dismiss the existence of business rivalry.
“Sure, there may very well be a competition element happening here, but since Chrome users really aren’t being informed about how their data is being handled and for what purposes, there definitely is an opportunity for misuse of that data by Google,” he said.
Holding company Alphabet Inc has 12 subsidiaries, of which Google is the largest. Services offered by Google, from the world’s largest streaming website YouTube to Android operating systems for cars, are omnipresent in everyday modern life. The way in which Google uses the data harvested by each service through “hundreds of ill-defined processing purposes, and unknown legal bases” violates the “purpose limitation” clause of GDPR, alleges Brave.
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” reads the definition of the purpose limitation principle in Article 5(1)(b) of the GDPR. The lack of such a “specified” and “explicit” purpose for each item of data casts doubt on Google’s data usage, Tomaschek told SC Media UK.
“Essentially, by being deliberately vague about the specific purposes for which user data is collected, Google is attempting to put itself in a position to use and reuse the massive amounts of user data it collects freely and across its wide-ranging business operations. Such an environment is obviously prime for data misuse,” he said.
The Irish DPC is already conducting an investigation into how Google processes and manages user data, such as GPS datasets. However, Tomaschek refused to describe the entire business model of Google as illegal.
“Companies like Google make their money through advertising. While Google doesn’t sell users’ personal information to third parties, the company does make money by using browsing and search data to serve ads to users across the web,” he explained.
Users of Google’s services can customise their settings or opt out of ad personalisation services altogether. However, its operations often allow third-party access to user data, he noted.
“Though Google doesn’t sell personal data to third parties, a Chrome extension that was -- quite ironically -- designed to provide users with information about the trustworthiness and security practices of sites the user visited, had to be removed because of its practice of selling user data to third parties without anonymising the data,” he added.