The Irish internet privacy watchdog is investigating whether Google’s collection and use of personal data on its Ad Exchange platform violates EU laws, potentially putting Google on the hook for millions of euros in fines.
The Irish Data Protection Commission (DPC) has opened a probe into the search behemoth’s compliance with the sweeping data protection regulations passed into law across the EU almost exactly a year ago. The inquiry concerns Google’s massive Ad Exchange platform, which operates real-time online auctions in which highly-sensitive information about users gleaned from their browsing history is traded by companies which use it to create behavioral profiles for ad targeting.
At issue is how Google retains personal data, its practices regarding transparency and minimization of data collected, and how that data is processed. Ad Exchange auctions can involve hundreds of third parties haggling over users’ private data, attaching behavioral “tags” to their traffic without their knowledge – an operation which seems to run afoul of the General Data Protection Regulation (GDPR) requirement that companies obtain explicit consent before dealing in sensitive information.
The DPC could fine Google up to 4 percent of its global revenues or €20 million, whichever is higher, if the company is found to be in violation of the GDPR. It could also impose “corrective measures” on the California-based company. Because Google’s European headquarters are in Ireland, the DPC’s decision could serve as a blueprint for other European data regulators wishing to levy their own fines. French data regulator CNIL has had something of a head start, fining Google €50 million for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization” in January.
The Irish investigation is based on a complaint filed by digital rights organizations, including the no-track browser Brave, last fall. Google was singled out for particular scrutiny in that complaint owing to the invasive nature of its ad-targeting categories – markers like “AIDS & HIV,” “male impotence,” and “substance abuse” are subject to special protection under the GDPR. Another of Google’s ad-targeting categories, ironically, is “privacy issues.”