What is GDPR?GDPR, is coming. Here's what it means, how it'll impact individuals and businesses.
The GDPR's purpose limitation principle requires organisations to only collect and process personal data for a narrow purpose that must be explicitly expressed to consumers.Labelling Google's privacy policies as "hopelessly vague and unspecific", Brave chief policy and industry relations officer Johnny Ryan said Google's reasons for collecting data and allegedly limiting detail about how the information is used -- such as "developing new services" -- resemble examples of bad practices that have been drawn out by the GDPR.
Ryan also alleges that while Google provides personalised ads for users based on their interests, it has limited information regarding the purposes of processing and why users are seeing a certain ad. "It is not apparent from the policy which activity, product, or interaction is covered by which purpose. It is therefore difficult (if not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc," Ryan said in the complaint.
The complaint also includes a study, called Inside the Black Box [PDF], which itemises Google's processing purposes for collecting personal data from integrations within websites, apps, and operating systems. The processing purposes range from accounting to advertising to transactions.
Referring to the study, Ryan claims that Google's purposes for collecting data are "so vaguely defined as to have no meaning or limit … the result is an internal data free-for-all that infringes the GDPR's purpose limitation principle."
"Merely having everyone's personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them," Ryan said.
As part of the complaint, Brave has also asked for Google to provide a complete and sufficiently specific list of the purposes for which Google processes personal data, as well as the relevant legal bases for each purpose. Google allegedly has repeatedly refused to provide a substantive explanation of its processing purposes to Brave, the Chromium-based browser said in the complaint.The DPC is already conducting an investigation into how Google processes and manages user data, such as GPS datasets. For that investigation, the Irish regulator is seeking to understand whether or not the tech giant has a legal basis for processing user location data, and whether or not these processes are transparent enough to satisfy GDPR.
In November 2019, BEUC sent another letter to the DPC, noting: “One year after these complaints were filed, it has yet not been decided whether Google infringed the GDPR.” As Monique Goyens, Director General of BEUC, said: Considering the scale of the problem, which affects millions of European consumers, this investigation should be a priority for the Irish data protection authority.
Related CoverageStudy says Grindr, OkCupid, and Tinder breach GDPRThe researchers behind the study have also filed a complaint asking for Norwegian regulators to start an investigation against the dating service.
Data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities and here are some trends coming to surface.UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme
ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
Irish watchdog launches Google, Tinder GDPR data processing probe
The companies' roles as data controllers are being examined in depth.Companies still unprepared for GDPR rule changes and potential EU data breaches (TechRepublic)
A new survey finds many companies are still in the dark about GDPR compliance.