Potential €5.45bn Penalty for Google for ‘Bypassing’ GDPR

The Irish Internet browser Brave has presented new proof to the Data Protection Commission (DPC) in Ireland which, it claims, shows that Google has been trying to bypass General Data Protection Regulation (GDPR) legislation in order to share the data of billions of browser users with advertising and marketing companies globally.

Johnny Ryan, chief policy and industry relations officer at anti-ad-tracking browser Brave, says that he has identified a tactic called ‘Push Pages’ being employed by Google. Ryan published a post on the Brave blog which states: “each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”

Using this tactic, advertisers can uniquely identify individuals instead of targeting grouped audiences of hundreds or thousands of people. Such is the accuracy of the tactic that, over time, advertisers could possibly go as far as identifying individuals in the real world.

Brave filed a complaint in Ireland and the UK earlier in 2019 in relation to privacy breaches by Google and other Internet advertising agencies. The first complaint, which is still being reviewed by the Irish DPC, alleged that the range of the data breached during advertising bid requests included user viewing history, location information, IP address, device details, and a number of other types of tracking IDs.

Brave alleges that, despite Google’s claims to the contrary, Google has not prevented users of its real-time bidding (RTB) ad system from linking up with profiles containing the sensitive data of website visitors. Brave also claims that Google has not brought an end to the practice of sharing pseudonymous identifiers but has instead allowed many other parties to match with Google identifiers. It stated, “the evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other”.

Brave sought the external assistance of expert Zach Edwards to investigate the GDPR violation. Edwards reviewed Ryan’s log of personal web browsing and he was able to confirm that Ryan’s personal data was shared via ‘Push Pages’, through which Google allows multiple companies to share profile identifiers about a person when they access a web page.

Ryan’s blog post said: “Google’s ‘DoubleClick/Authorized Buyers’ ad system is active on 8.4-plus million websites. It broadcasts personal data about visitors to these sites to 2,000-plus companies, hundreds of billions of times a day. The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection. All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This ‘google_push’ identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.”

A Google representative reacting to the story said: “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC, Google’s lead DPA and the UK ICO are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”

Author: Security News