Brave Browser Creators Call Google Out For GDPR Violation
Google is a large and powerful company. Thanks to its diverse list of services and interactions with third-party websites, it collects a lot of data. Access to large volumes of information about users across the web gives Google considerable advantage in the market. Whether the advantage is fair and the data are treated by the book is an open question.
On March 16th, the creators of Brave, a private blockchain browser, filed a formal complaint against Google for infringing the “purpose limitation” principle of the GDPR. In the following days, Brave filed a submission with the U.K. Competition & Markets Authority (CMA), arguing that failure to enforce the GDPR “enables Google’s monopoly.”
In this piece, forklog.media sums up the findings and arguments shared by Dr. Johnny Ryan, Brave’s Chief Policy & Industry Relations Officer.
Google’s Alleged GDPR Violation
Brave has filed a complaint with the Irish Data Protection Commission.
In the blog post explaining the complaint, the DPC is referred to as “Google’s lead GDPR regulator in Europe.” According to Brave’s timeline, the Irish regulator has been closely involved in investigating Google’s approach to data handling. Brave has also informed other European regulators: the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.
The authors of the complaint argue that Google is infringing the “purpose limitation” principle set forth by Article 5(1)b of the GDPR:
“[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Brave’s Dr. Ryan stressed that Google allows the data to flow freely between the company’s multiple products and businesses like YouTube and Gmail, which is not the right thing to do.
“Having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them,” Dr. Ryan argued. “But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR.”
Brave presented the evidence to the regulators and the general public in a study called “Inside the Black Box.” According to the authors, the study is based entirely and directly on Google’s own documents for business clients, technology partners, developers, lawmakers, and users.
The extensive paper highlights numerous cases of Google using vague language when describing the purposes of the collected data and the sharing policies. Among other things, the researchers point out that using language like “…both on and off Google,” “such as,” and “like” isn’t sufficiently clear and “may conflate or omit many distinct processing purposes.”
Dr. Ryan also highlighted that in the given circumstances, Google is allowed to “create a cascading monopoly by offensively leveraging data from one market into a succession of other markets.”
Brave’s Latest Move
As a follow-up move, on March 18th, Brave filed a submission with the UK Competition & Markets Authority. The letter aims to explain the consequences to expect if the GDPR isn’t enforced in this particular case and suggests recommendations for the regulator.
Calling for functional separation of Google’s services, the letter points out that the GDPR has the necessary tools to “establish a consumer-led remedy.” Namely:
- Article 5(1)b regarding “purpose limitation,”
- Article 9 regarding “special category data,”
- Article 7 regarding “ease of withdrawal.”
According to Brave, Google has “several hundred processing purposes that are conflated in a vast, internal data free-for-all,” which goes against Article 5(1)b requiring data to be collected for “specified, explicit and legitimate purposes.”
Next, the researchers note that Google may have been incorrectly categorizing personal data “to avoid the need to seek explicit consent.” They argue that a lot of personal data combined and cross-used by Google is “special category data.” Defined in Article 9 of the GDPR, this category encompasses sensitive information including data on people’s ethnicity, political or religious views, sexual orientation, and health.
“Enforcing the correct categorisation of data as special category data would stop Google from continuing to unlawfully use personal data for any purpose without asking for proper consent,” the letter reads.
As for the ease of withdrawal, Brave claims that Article 7 of the GDPR, which provides that “the data subject shall have the right to withdraw his or her consent at any time” and “it shall be as easy to withdraw as to give consent,” is not being enforced.
“The combination of purpose limitation, special category data, and ease of withdrawal is a consumer-led remedy,” the authors argue.
Another significant point included in the letter has to do with the real-time bidding online advertising market. The authors note that the RTB market has two “dimensions” of data protection problems: internal and external. Internal problems are tied to cases like data free-for-all within Google. External problems have to do with data broadcasting among thousands of companies, which, researchers state, happens without security.
If the data are indeed exchanged without proper security, this would be an infringement of Article 5(1)f, which states:
“[Personal data shall be:] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The letter stresses that the damage from potential systemic data misuse in such an environment would be significant.
“Once RTB data is broadcast to thousands of companies it becomes impossible to know or control how it will be used. The systematic data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.”
The authors note that it may lead to individual voters being targeted by political misinformation, price gouging for certain customers, and other forms of discrimination and unsavory behavior.
Concluding the letter, Brave suggested a set of recommendations for the Competition & Markets Authority to help “establish a better RTB market.”
- Enforce purpose limitation and allow users to “directly impose functional separation of platform’s data.” This addresses the platforms’ internal data free-for-alls.
- Put the purpose limitation measures on the agenda of the European data protection regulators and “use the EDPS Clearing House meeting in Spring 2020 to organize collaboration with their respective national data protection authorities.”
- Propose the measures on the agenda of the European Commission DG Competition and the California Department of Justice.
- Enforce rules against external data free-for-all in the RTB system.
- Cooperate with the Irish and Belgian data protection authorities “so that it can maximize the effectiveness of its enforcement against internal and external data free-for-alls in the digital advertising market.”
The authors mention that the CMA should “prevail upon” the Information Commissioner’s Office in taking action.
“The Information Commissioner has been reluctant to use her powers to enforce against the external data free-for-all in the RTB system,” the letter reads.
Brave also noted that they are ready to assist the CMA and contribute further to this initiative.