The Irish data protection commission has opened an investigation into Google over suspected infringements of European Union privacy rules.
The statutory inquiry will probe whether Google’s online Ad Exchange violated general data protection regulations (GDPR) covering the sharing of personal data of internet users, the watchdog said in a statement on Wednesday.
“A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Ltd’s processing of personal data in the context of its online Ad Exchange.”
The inquiry would examine whether processing of personal data carried out at each stage of an advertising transaction complied with mandatory safeguards, it said. “The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”
The announcement came almost exactly a year after the EU adopted the sweeping rules to bolster regulators and give consumers more power to demand companies reveal or delete the personal data they hold.
The investigation followed a formal complaint by Johnny Ryan, chief policy officer at Brave, the private web browser which blocks ads and trackers. He accused Google’s internet ad services business, DoubleClick/Authorized Buyers, of leaking users’ intimate data to thousands of companies.
It is the Irish commission’s first statutory inquiry into Google since becoming the company’s lead European regulator in January. It has launched more than a dozen investigations into other big tech companies.
The agency has in recent years reportedly faced scrutiny from fellow European regulators over its capacity to police big technology corporations with European headquarters in Dublin – and warm ties with the Irish government.
Google bought DoubleClick, an advertising serving and tracking company, for $3.1bn (£2.4bn) in 2007. DoubleClick uses web cookies to track browsing behaviour online by IP addresses to deliver targeted ads.
Every time users visit a website that uses the DoubleClick/Authorised Buyers system, intimate personal data – including what they view – is broadcast to companies to solicit bids from potential advertisers seeking targeted audiences, according to Ryan.
“Surveillance capitalism is about to become obsolete,” he said. “The Irish data protection commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google. We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”
Ryan submitted his complaint to the Irish regulator in September 2018. Jim Killock, executive director of the Open Rights Group, and Michael Veale of University College London, submitted duplicate complaints to the UK information commissioner. Similar complaints were also filed in Poland, the Netherlands, Belgium, Spain and Luxembourg.
Google has been contacted for a response.
The company is facing separate probes in other European countries. In January the French data protection watchdog CNIL fined Google a record €50m (£44m) for failing to provide users with transparent and understandable information on its data use policies.