Privacy start-up Brave, a thorn in the side of tech giants since GDPR came into force, has filed a formal complaint against Google over its internal data “free-for-all”, which, it is alleged, allows the company to unlawfully share customer data across all of its divisions.
Two weeks ago Brave said it was considering its next move over the issue but has now lodged the complaint with Google’s lead GDPR regulator in Europe, the Irish Data Protection Commission, accusing the tech group of infringing Article 5(1)b of GDPR, which sets forth the “purpose limitation” principle.
This principle requires that all organisations internally ring-fence personal data and use it only for the narrow purpose it was collected for. Brave’s evidence claims to show that Google’s internal data free-for-all is unlawful.
For six months, Brave’s chief privacy officer Dr Johnny Ryan tried to find out what Google does with his data. Brave has now sought recourse from the Irish DPC to force Google to reveal what it does with everybody’s personal data.
New Brave evidence, “Inside the Black Box”, offers a glimpse of what Google does with everyone’s personal data: hundreds of ill-defined processing purposes, and unknown legal bases.
Enforcement of Brave’s GDPR “purpose limitation” complaint against Google would be tantamount to a functional separation, giving everyone the power to decide what parts of Google they choose to reward with their data.
Brave has also written to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition & Consumer Protection Commission, to make them aware of today’s purpose limitation complaint.
Ryan said: “Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the Internet.
“But merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them.
“[Our] new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR.”