Google is sharing users' personal data between its services without acquiring specific consent to do so, thus flagrantly breaching fundamental principles of European data protection law, one of its smaller rivals has claimed.
In a new complaint submitted to the Irish data regulator, which oversees Google's European business, Johnny Ryan, chief policy officer of the niche web browser Brave, accused the US tech company of operating an "internal data-free-for-all".
The complaint alleges that Google is taking users' consent for certain uses of their personal data – for instance location tracking or YouTube history – and applying it to a range of other services that are completely invisible to them, a practice that is illegal under the General Data Protection Regulation.
The notice appears to seek the user’s consent to process their location data, according to the complaint, but also indicates that such data may be used for various unknown purposes that could have nothing to do with location. It also suggests “extensive or minor data sharing with an unknowable number of Google’s business partners”, the complaint claims.
The submission to the regulator also includes a document titled “Inside the Black Box”, which itemises evidence of Google’s “hundreds of publicly available processing purposes”, according to Mr Ryan, which range from advertising to analytics.
Mr Ryan gathered the details from at least 100 different public documents issued by Google itself, including individual user disclosures, guidelines for developers, customers and partners, and evidence submitted to lawmakers in the US Congress.
“We believe it is the first time that such an examination of Google processing purposes has been undertaken in this way. The results show that Google has no legal basis for many of the things it does with users’ data. They also show that Google infringes the GDPR on multiple fronts,” Mr Ryan said.
“The consequences of that are, how can I exercise my right to object or to erasure? I do not know what data is going in to develop new services, and I cannot object to my data being used when I have no idea what they are building,” he said.
The Irish regulator already has at least two open investigations into Google’s data collection practices, specifically looking at location data and advertisement targeting. GDPR allows regulators to impose fines of up to 4 per cent of a company’s global turnover for the most serious breaches.
"A lack of transparency and clarity around what individuals are told is an issue that Google has had previously. [French regulator] CNIL has enforced against Google in this area previously, so there will be heightened sensitivity amongst regulators," said Richard Cumbley, a senior partner and data privacy expert at law firm Linklaters who is not involved with the case.
“The potential consequences are significant . . . I can easily see a situation where the hidden processing is something that Google is directly liable to compensate individuals for, on top of a [GDPR] fine.”
According to Mr Naik and Mr Ryan, Google’s treatment of data is also an antitrust violation, and the complaint has been marked to European antitrust authorities including the European Commission’s Margrethe Vestager, and British, German, French and Irish competition regulators.