Google siphoning personal data to advertisers, new evidence suggests

A Google logo is displayed at the Google offices in Berlin, Germany, 24 June 2019. [EPA-EFE/HAYOUNG JEON]

Google is using a “surreptitious mechanism” to leak personal data to advertisers, according to new evidence presented to the Irish Data Protection Commission as part of an ongoing investigation.

The evidence, sourced by Brave, a competing web browser to Google’s Chrome, “gives the Irish DPC concrete proof that Google’s ad system did broadcast personal data” belonging to Johnny Ryan, the chief policy officer at Brave.

Google is accused of using hidden web pages that scrape personal data, which is then traded on Google’s advertising exchange business ‘Authorized Buyers’ previously known as DoubleClick.

“Google’s DoubleClick/Authorized Buyers ad system is active on 8.4+ million websites. It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day,” said Dr Johnny Ryan of Brave.

“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”

Brave is a free and open-source web browser which blocks ads and website trackers, and claims to be up to eight times faster than Chrome and Firefox, its main competitors.

In September 2018, Google announced that it would no longer share identifiers that could help companies using its real-time bidding ad (RTB) system to build-up profiles of their visitors. The decision was announced in the wake of the implementation of the EU’s landmark General Data Protection Regulation (GDPR).

However, according to Brave, the new evidence proves that “Google allowed multiple parties to match their identifiers for the data subject with each other.”

“Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle,” said Ravi Naik, a data rights solicitor acting on behalf of Dr Ryan and Brave.

“The lawlessness at the heart of AdTech has begun a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices.”

As a result of the investigation carried out by the competent authority, the Irish Data Protection Commission, Google may be forced to stop processing all personal data for its DoubleClick/Authorized Buyers ad business, and may be fined up to 4% of global turnover.

Google has so far not responded to EURACTIV’s request for comment.

As the news of the new evidence broke on Wednesday (4 September), members of the European Parliament sought to find clarity that this was an issue the European Commission was tacking seriously.

Carmen Avram, a Romanian lawmaker from the Socialists and Democrats (S&D) group, has issued a series of questions to the Commission, asking the executive to confirm whether it was aware that Google is using the sensitive data of its users. If so, she asked, would the Commission consider Google’s actions as a breach of the GDPR.

[Edited by Frédéric Simon]

Subscribe to our newsletters