Google is the subject of its first GDPR probe from Ireland’s Data Protection Commissioner (DCP), Reuters is reporting. It’s the first major standoff between the company and its lead privacy regulator in Europe, raising difficult questions about how the ad giant handles personal data across the internet.
The probe will investigate how Google treats personal data at each stage of its ad-tracking system. Those questions originate in part from a complaint filed by the browser company Brave in September, which alleged that Google’s ad auction system constituted a data breach under GDPR rules.
“Every time a person visits a website and is shown a ‘behavioural’ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies,” chief policy officer Johnny Ryan explained in a post. “A data breach occurs because this broadcast, known as an ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access.”
If found guilty, the potential penalties would be enormous. The GDPR authorizes fines as high as four percent of global annual revenue, which would total $5.4 billion in Google’s case. Even more damaging, the company would have to fundamentally reshape its ad system in order to avoid future fines. Google did not immediately respond to a request for comment.
Ireland’s commissioner has been criticized as overly friendly to Facebook and Google, both of which are headquartered in the country and are squarely in its jurisdiction under GDPR rules. Roughly a year after the regulation took effect, this is the first action Ireland’s DCP has taken against either company. A number of groups have filed complaints against Google during that time, raising concerns about the company’s location-tracking and ad-targeting systems, among others.