Skip to main content

Google is facing its first GDPR probe from Irish privacy regulators

Google is facing its first GDPR probe from Irish privacy regulators

/

It’s the company’s first major standoff with European regulators

Share this story

Illustration by Alex Castro

Google is the subject of its first GDPR probe from Ireland’s Data Protection Commissioner (DCP), Reuters is reporting. It’s the first major standoff between the company and its lead privacy regulator in Europe, raising difficult questions about how the ad giant handles personal data across the internet.

The probe will investigate how Google treats personal data at each stage of its ad-tracking system. Those questions originate in part from a complaint filed by the browser company Brave in September, which alleged that Google’s ad auction system constituted a data breach under GDPR rules.

“Every time a person visits a website and is shown a ‘behavioural’ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies,” chief policy officer Johnny Ryan explained in a post. “A data breach occurs because this broadcast, known as an ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access.”

Reached for comment, a Google representative defended the auction system and pledged to cooperate with the probe. “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding,” the representative said. “Authorized buyers using our systems are subject to stringent policies and standards.”

If found guilty, the potential penalties for Google would be enormous. The GDPR authorizes fines as high as four percent of global annual revenue, which would total $5.4 billion in Google’s case. Even more damaging, the company would have to fundamentally reshape its ad system in order to avoid future fines.

Ireland’s commissioner has been criticized as overly friendly to Facebook and Google, both of which are headquartered in the country and are squarely in its jurisdiction under GDPR rules. Roughly a year after the regulation took effect, this is the first action Ireland’s DCP has taken against either company. A number of groups have filed complaints against Google during that time, raising concerns about the company’s location-tracking and ad-targeting systems, among others.

Update 2:08 PM ET: Updated with statement from Google.