European data regulators are being urged to clamp down on companies sharing customer data between their subsidiary businesses in what has been branded an unlawful internal “free-for-all” that enables firms to exploit personal information without consent.
The move is the latest twist in a long-term campaign by browser start-up and Google nemesis Brave to bring the big tech groups to book.
With both the UK Information Commissioner’s Office and the Irish Data Protection Commission seemingly dragging their heals on action against adtech’s use of real-time bidding, Brave’s chief privacy officer Johnny Ryan is reverting to Plan B.
In an interview with US tech magazine Protocol, Ryan said: “Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business.”
With Facebook owning WhatsApp, Messenger, Instagram and Google owning YouTube, Gmail, Ad Exchange and Android, the potential for data sharing is huge.
However, Ryan insists that this is illegal under GDPR, which demands that data must be processed in a “transparent manner” for “specified, explicit and legitimate purposes”.
Although Ryan has so far refused to reveal which company he plans to complain about – and to whom – last month, Brave rifled off a 15-page, 4,300-word submission to the UK Competition & Markets Authority which also blasted Google’s internal uses of data.
The submission argued that Google’s monopoly is based on its internal data free-for-all. Enforcement of GDPR would neutralise Google’s unfair data advantage and give consumers power tantamount to “functional separation” of Google’s businesses, Brave insists. At the same time, the company asserted that it is also necessary to enforce against the external data free-for-all between the thousands of companies in the RTB market.
Last year, the Irish DPC demanded an “urgent briefing” from Facebook over its plans to merge WhatsApp, Instagram and Facebook Messenger, insisting it would be “very closely scrutinising” the proposal. As yet this plan has not been rolled out.
Google has already been fined a record GDPR penalty of €50m (£44m) by France’s data protection regulator, CNIL, for failing to provide enough information to users about its data consent policies.
And back in 2016, the Information Commissioner’s Office put the kibosh on Facebook plans to merge WhatsApp with its wider business, ruling it would be in breach of data protection law.
Failure to enforce GDPR ‘fuelling Google’s dominance’
ICO hunts advisors for inside track on adtech industry
Now ICO leans on brands to combat adtech data abuse
ICO faces legal challenge over failure to tackle adtech
2019 Review of the Year: Why it’s crunch time for GDPR
Google hit for €50m as French issue first GDPR fine
Watchdog collars Facebook over messenger merger plan
Facebook waves white flag over WhatsApp data plan
New privacy enforcer leads attack on WhatsApp plan