{"id":8462,"date":"2020-03-19T01:42:24","date_gmt":"2020-03-18T23:42:24","guid":{"rendered":"https:\/\/forklog.media\/?p=8462"},"modified":"2020-03-26T15:05:22","modified_gmt":"2020-03-26T13:05:22","slug":"brave-browser-creators-call-google-out-for-gdrp-violation","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/brave-browser-creators-call-google-out-for-gdrp-violation\/","title":{"rendered":"Brave Browser Creators Call Google Out For GDPR Violation"},"content":{"rendered":"<p>Google is a large and powerful company. Thanks to its diverse list of services and interactions with third-party websites, it collects a lot of data. Access to large volumes of information about users across the web gives Google considerable advantage in the market. Whether the advantage is fair and the data are treated by the book is an open question.<\/p>\n<p><!--more--><\/p>\n<p>On March 16th, the creators of the private blockchain-browser Brave <a href=\"https:\/\/twitter.com\/brave\/status\/1239593882050072576\">filed<\/a> a formal complaint against Google for infringing the \u201cpurpose limitation\u201d principle of the GDPR. In the following days, Brave filed a submission with the U.K. Competition &amp; Markets Authority (CMA), arguing that failure to enforce the GDPR \u201cenables Google\u2019s monopoly.\u201d<\/p>\n<p>In this piece, forklog.media sums up the findings and arguments shared by Dr. 
Johnny Ryan, Brave\u2019s Chief Policy &amp; Industry Relations Officer.<\/p>\n<h2>Google\u2019s Alleged GDPR Violation<\/h2>\n<p>Brave has filed a <a href=\"https:\/\/brave.com\/wp-content\/uploads\/2020\/03\/Purpose-Limitation-Google.pdf\">complaint<\/a> with the Irish Data Protection Commission.<\/p>\n<p>In the <a href=\"https:\/\/brave.com\/wp-content\/uploads\/2020\/03\/Purpose-Limitation-Google.pdf\">blog post<\/a> explaining the complaint, the DPC is referred to as \u201cGoogle\u2019s lead GDPR regulator in Europe.\u201d According to Brave\u2019s <a href=\"https:\/\/brave.com\/rtb-updates\/\">timeline<\/a>, the Irish regulator has been closely involved in investigating Google\u2019s approach to data handling. Brave has also informed other European regulators: the European Commission, German Bundeskartellamt, UK Competition &amp; Markets Authority, French Autorit\u00e9 de la concurrence, and the Irish Competition and Consumer Protection Commission.<\/p>\n<p>The authors of the complaint argue that Google is infringing the \u201cpurpose limitation\u201d principle set forth by <a href=\"https:\/\/gdpr-info.eu\/art-5-gdpr\/\">Article 5(1)b<\/a> of the GDPR:<\/p>\n<blockquote><p><b><i>\u201c[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.\u201d<\/i><\/b><\/p><\/blockquote>\n<p>Brave\u2019s Dr. Ryan stressed that Google allows the data to flow freely between the company\u2019s multiple products and businesses like YouTube and Gmail, which is not the right thing to do.<\/p>\n<blockquote><p><b><i>\u201cHaving everyone\u2019s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. 
Rather, it has to seek a legal basis for each specific purpose, and be transparent about them,\u201d<\/i><\/b><i> Dr. Ryan argued, <\/i><b><i>\u201cBut Brave\u2019s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google\u2019s internal data free-for-all infringes the GDPR.\u201d<\/i><\/b><\/p><\/blockquote>\n<p>Brave presented the evidence to the regulators and the general public in a study called \u201c<a href=\"https:\/\/brave.com\/wp-content\/uploads\/2020\/03\/Inside-the-Black-Box.pdf\">Inside the Black Box<\/a>.\u201d According to the authors, the study is based entirely and directly on Google\u2019s own documents for business clients, technology partners, developers, lawmakers, and users.<\/p>\n<p>The extensive paper highlights numerous cases of Google using vague language when describing the purposes of the collected data and the sharing policies. Among other things, the researchers point out that using language like \u201c&#8230;both on and off Google,\u201d \u201csuch as,\u201d and \u201clike\u201d isn\u2019t sufficiently clear and \u201cmay conflate or omit many distinct processing purposes.\u201d<\/p>\n<p>Dr. Ryan also highlighted that in the given circumstances, Google is allowed to \u201ccreate a cascading monopoly by offensively leveraging data from one market into a succession of other markets.\u201d<\/p>\n<h2>Brave\u2019s Latest Move<\/h2>\n<p>As a follow-up move, on March 18th, Brave <a href=\"https:\/\/brave.com\/competition-internal-external\/\">filed<\/a> a submission with the UK Competition &amp; Markets Authority. 
The <a href=\"https:\/\/brave.com\/wp-content\/uploads\/2020\/02\/12-February-2020-Brave-response-to-CMA.pdf\">letter<\/a> aims to explain the consequences to expect if the GDPR isn\u2019t enforced in this particular case and suggests recommendations for the regulator.<\/p>\n<p>Calling for functional separation of Google\u2019s services, the letter points out that the GDPR has the necessary tools to \u201cestablish a consumer-led remedy.\u201d Namely:<\/p>\n<ul>\n<li><a href=\"https:\/\/gdpr-info.eu\/art-5-gdpr\/\">Article 5(1)b<\/a> regarding \u201cpurpose limitation,\u201d<\/li>\n<li><a href=\"https:\/\/gdpr-info.eu\/art-9-gdpr\/\">Article 9<\/a> regarding \u201cspecial category data,\u201d<\/li>\n<li><a href=\"https:\/\/gdpr-info.eu\/art-7-gdpr\/\">Article 7<\/a> regarding \u201cease of withdrawal.\u201d<\/li>\n<\/ul>\n<p>According to Brave, Google has \u201cseveral hundred processing purposes that are conflated in a vast, internal data free-for-all,\u201d which goes against Article 5(1)b requiring data to be collected for \u201cspecified, explicit and legitimate purposes.\u201d<\/p>\n<p>Next, the researchers note that Google may have been incorrectly categorizing personal data \u201cto avoid the need to seek explicit consent.\u201d They argue that a lot of personal data combined and cross-used by Google is \u201cspecial category data.\u201d Defined in Article 9 of the GDPR, this category encompasses sensitive information including data on people\u2019s ethnicity, political or religious views, sexual orientation, and health.<\/p>\n<blockquote><p><b><i>\u201cEnforcing the correct categorisation of data as special category data would stop Google from continuing to unlawfully use personal data for any purpose without asking for proper consent,\u201d<\/i><\/b><i> the letter reads.<\/i><\/p><\/blockquote>\n<p>As for the ease of withdrawal, Brave claims that Article 7 of the GDPR, which provides that \u201cthe data subject shall have the right to withdraw his or 
her consent at any time\u201d and \u201cit shall be as easy to withdraw as to give consent,\u201d is not being enforced.<\/p>\n<blockquote><p><b><i>\u201cThe combination of purpose limitation, special category data, and ease of withdrawal is a consumer-led remedy,\u201d<\/i><\/b> the authors argue.<\/p><\/blockquote>\n<p>Another significant point included in the letter has to do with the real-time bidding online advertising market. The authors note that the RTB market has two \u201cdimensions\u201d of data protection problems: internal and external. Internal problems are tied to cases like data free-for-all within Google. External problems have to do with data broadcasting among thousands of companies, which, researchers state, happens without security.<\/p>\n<p>If the data are indeed exchanged without proper security, this would be an infringement of Article 5(1)f, which states:<\/p>\n<blockquote><p><b><i>\u201c[Personal data shall be:] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (\u2018integrity and confidentiality\u2019).\u201d<\/i><\/b><\/p><\/blockquote>\n<p>The letter stresses that the damage from potential systemic data misuse in such an environment would be significant.<\/p>\n<blockquote><p><b><i>\u201cOnce RTB data is broadcast to thousands of companies it becomes impossible to know or control how it will be used. 
The systematic data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.\u201d<\/i><\/b><\/p><\/blockquote>\n<p>The authors note that it may lead to individual voters being targeted by political misinformation, price gouging for certain customers, and other forms of discrimination and unsavory behavior.<\/p>\n<p>Concluding the letter, Brave suggested a set of recommendations for the Competition &amp; Markets Authority to help \u201cestablish a better RTB market.\u201d<\/p>\n<ol>\n<li>Enforce purpose limitation and allow users to \u201cdirectly impose functional separation of platform\u2019s data.\u201d This addresses the platforms\u2019 internal data free-for-alls.<\/li>\n<li>Put the purpose limitation measures on the agenda of the European data protection regulators and \u201cuse the EDPS Clearing House meeting in Spring 2020 to organize collaboration with their respective national data protection authorities.\u201d<\/li>\n<li>Propose the measures on the agenda of the European Commission DG Competition and the California Department of Justice.<\/li>\n<li>Enforce rules against external data free-for-all in the RTB system.<\/li>\n<li>Cooperate with the Irish and Belgian data protection authorities \u201cso that it can maximize the effectiveness of its enforcement against internal and external data free-for-alls in the digital advertising market.\u201d<\/li>\n<\/ol>\n<p>The authors mention that the CMA should \u201cprevail upon\u201d the Information Commissioner&#8217;s Office in taking action.<\/p>\n<blockquote><p><b><i>\u201cThe Information Commissioner has been reluctant to use her powers to enforce against the external data free-for-all in the RTB system,\u201d <\/i><\/b><i>the letter reads.<\/i><\/p><\/blockquote>\n<p>Brave also noted that they are ready to assist the CMA and contribute further to this initiative.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google is a large and powerful company. Thanks to its diverse list of services and interactions with third-party websites, it collects a lot of data. Access to large volumes of information about users across the web gives Google considerable advantage in the market. Whether the advantage is fair and the data are treated by the [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"human_written","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1107],"tags":[511,1105,738,573],"class_list":["post-8462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-occupy-the-internet","tag-brave","tag-gdpr","tag-google","tag-privacy"],"aioseo_notices":[],"amp_enabled":true,"views":"1256","promo_type":"1","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/8462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=8462"}],"version-history":[{"count":3,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/8462\/revisions"}],"pred
ecessor-version":[{"id":8467,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/8462\/revisions\/8467"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/8463"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=8462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=8462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=8462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}