Data Protection Commission opens first investigation into Google

Regulator to examine suspected infringement in personalised online adverts

The Data Protection Commission became Google’s lead data protection regulator under GDPR in late January this year. Photograph: Getty

The Data Protection Commission became Google’s lead data protection regulator under GDPR in late January this year. Photograph: Getty

 

The State’s data watchdog has opened its first investigation into Google to examine a suspected infringement of EU privacy rules covering the sharing of personal data of internet users.

The Data Protection Commission has begun a statutory inquiry – the regulator’s 19th investigation into a big tech company – into the internet search giant in the area of personalised online advertising.

At the centre of the investigation is the Silicon Valley company’s processing of personal data through its online Ad Exchange, where companies bid to advertise to internet users based on their web browsing history.

“The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation, ” said the commission. This includes “the lawful basis for processing, the principles of transparency and data minimisation as well as Google’s retention practices,” the regulator added.

The commission said the investigation arose from its ongoing examination of data protection compliance in personalised online advertising and from a number of submissions concerning ad technology.

The regulator said this includes a submission from Dr Johnny Ryan, the chief policy and industry relations officer at Brave, a private web browser who made a formal complaint to the regulator.

Dr Ryan has claimed that there is a “massive and ongoing data breach” in Google’s internet ad services business and the company “leaks intimate data” about people’s activity on millions of websites to thousands of companies every day in Europe’s online advertising industry that is worth billions of euro to Google. He has said that data about what an internet user is reading, watching or listening to could be broadcast to companies when Google places an online ad.

A spokesman for Google said the company would “engage fully” with the investigation and “welcome[s] the opportunity for further clarification of Europe’s data protection rules for real-time bidding”.

“Authorised buyers using our systems are subject to stringent policies and standards,” he said.

Real-time bidding is the buying and selling of online advert views through real-time auctions that take place through online advert exchanges in the time it takes a webpage to load.

EU-wide rules

The investigation is being carried out under section 110 of the 2018 Irish Data Protection Act that permits the commission to conduct an inquiry into a “suspected infringement” of the GDPR.

The sweeping EU-wide rules, which came into force last year, give people greater control over their personal information and forces companies to take responsibility for how they use it. The law gives data regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.

In Google’s case, the Irish commission is the company’s EU regulator under the GDPR’s one-stop-shop mechanism as the company’s EU headquarters is located in Dublin.

The Irish watchdog became Google’s lead data protection regulator under GDPR in late January. The latest statutory inquiry comes days before the first anniversary of the new regulation coming into effect.

Helen Dixon, the head of the commission, has said that it will make a decision over the summer on whether internet giants should face fines under the EU law arising from the big-tech investigations.

Google was hit with the biggest GDPR fine so far by a European regulator when it was fined €50 million by France’s data protection authority, CNIL, in January over failures around personalised advertising. The French regulator said that Google failed to provide enough information to users about its data consent policies and did not give them enough control over how the information was used.

The fine related to the “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation,” the regulator said.

In March, the EU Commission fined Google €1.49 billion for abusing its dominant role in online advertising, the third time Brussels has imposed a fine on the Californian company with penalty for anti-competitive practices.