Ireland’s data protection regulator has opened an investigation into Internet giant Google over suspected infringements of European Union privacy rules.

The statutory inquiry will probe whether Google’s online Ad Exchange violated the General Data Protection Regulation (GDPR) by illegally tapping into sensitive personal information about internet users, such as their race, health, and political leanings, and sharing it with advertisers, the Data Protection Commission said in a statement.

The investigation will look at how personal data is being processed, the level of transparency involved in transactions, how data is retained, and whether Google is doing enough to minimize the amount of information it uses.

“The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation,” said the regulator.

This is the Irish Data Protection Commission’s first statutory inquiry into Google since it became the company’s lead European regulator in January. It has launched more than a dozen investigations into other big tech companies but has not yet been able to shake off criticism that it has been a “silent watchdog” up until now.

The investigation, which comes almost exactly one year after the GDPR came into effect, follows a formal complaint by Johnny Ryan, chief policy officer at Brave, a private Web browser that blocks ads and trackers. He has accused Google’s internet ad services business, DoubleClick/Authorized Buyers, of leaking users’ personal data to thousands of companies.

GDPR – One year on


On the eve of the GDPR’s first anniversary, 144,376 privacy complaints have been registered with data protection regulators since the regulation came into force on 25 May 2018 and, of these, 446 pan-European cases are being investigated, according to an initial assessment released by the European Commission.


The three areas that have been subject to the most complaints are telemarketing, promotional e-mails, and CCTV/video surveillance.

DoubleClick uses Web cookies to track online browsing behavior by IP address in order to deliver targeted ads. Each time users visit a Website that uses the DoubleClick/Authorized Buyers system, personal data, including what users view, is passed on to companies to solicit bids from potential advertisers seeking targeted audiences, according to Ryan.

Similar complaints have been lodged with data protection regulators in the United Kingdom, Poland, the Netherlands, Belgium, Spain, and Luxembourg.

Google is no stranger to privacy complaints—and fines—in the European Union.

In January, France’s data protection watchdog CNIL fined the company €50 million (U.S. $57 million) for failing to provide users with transparent and understandable information on its data use policies. It was the first time Google had been fined under the new GDPR rules and is the biggest GDPR-related fine for any company to date.

In March, the European Commission fined Google for breaching competition rules by blocking rival online search advertisers from getting a foothold in the market. The €1.49 billion (U.S. $1.67 billion) fine for anti-competitive practices was the third in three successive years for the internet giant and represented 1.29 percent of the company’s total revenues for last year.

In June 2017, the Commission fined Google €2.42 billion (U.S. $2.71 billion) for abusing its dominant position by promoting its own comparison shopping service in its search results (while demoting those of competitors), while in July 2018 it fined the company €4.34 billion (U.S. $4.86 billion) for using its Android mobile operating system and mobile apps and services to further cement the dominance of its own search engine.

The three penalties amount to €8.25 billion (U.S. $9.25 billion) in less than two years.

In an e-mailed statement, Google said: “We will engage fully with the Irish Data Protection Commission’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorized buyers using our systems are subject to stringent policies and standards.”