Posted on 03-18-2020.
Google is a large and powerful company. Thanks to its diverse list of services and interactions with third-party websites, it collects a lot of data. Access to large volumes of information about users across the web gives Google a considerable advantage in the market. Whether the advantage is fair and the data are treated by the book is an open question. On March 16th, the creators of the private blockchain browser Brave filed a formal complaint against Google for infringing the “purpose limitation” principle of the GDPR. In the following days, Brave filed a submission with the U.K. Competition & Markets Authority (CMA), arguing that failure to enforce the GDPR “enables Google’s monopoly.” In this piece, forklog.media sums up the findings and arguments shared by Dr. Johnny Ryan, Brave’s Chief Policy & Industry Relations Officer.
“[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Brave’s Dr. Ryan stressed that Google allows the data to flow freely between the company’s multiple products and businesses like YouTube and Gmail, which is not the right thing to do.
“Having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them,” Dr. Ryan argued, “But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR.”
Brave presented the evidence to the regulators and the general public in a study called “Inside the Black Box.” According to the authors, the study is based entirely and directly on Google’s own documents for business clients, technology partners, developers, lawmakers, and users. The extensive paper highlights numerous cases of Google using vague language when describing the purposes of the collected data and the sharing policies. Among other things, the researchers point out that using language like “...both on and off Google,” “such as,” and “like” isn’t sufficiently clear and “may conflate or omit many distinct processing purposes.” Dr. Ryan also highlighted that in the given circumstances, Google is allowed to “create a cascading monopoly by offensively leveraging data from one market into a succession of other markets.”
“Enforcing the correct categorisation of data as special category data would stop Google from continuing to unlawfully use personal data for any purpose without asking for proper consent,” the letter reads.
As for the ease of withdrawal, Brave claims that Article 7 of the GDPR, which provides that “the data subject shall have the right to withdraw his or her consent at any time” and “it shall be as easy to withdraw as to give consent,” is not being enforced.
“The combination of purpose limitation, special category data, and ease of withdrawal is a consumer-led remedy,” the authors argue.
Another significant point included in the letter has to do with the real-time bidding (RTB) online advertising market. The authors note that the RTB market has two “dimensions” of data protection problems: internal and external. Internal problems are tied to cases like data free-for-all within Google. External problems have to do with data broadcasting among thousands of companies, which, researchers state, happens without security. If the data are indeed exchanged without proper security, this would be an infringement of Article 5(1)(f), which states:
“[Personal data shall be:] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The letter stresses that the damage from potential systemic data misuse in such an environment would be significant.
“Once RTB data is broadcast to thousands of companies it becomes impossible to know or control how it will be used. The systematic data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.”
The authors note that it may lead to individual voters being targeted by political misinformation, price gouging for certain customers, and other forms of discrimination and unsavory behavior. Concluding the letter, Brave suggested a set of recommendations for the Competition & Markets Authority to help “establish a better RTB market.”
“The Information Commissioner has been reluctant to use her powers to enforce against the external data free-for-all in the RTB system,” the letter reads.
Brave also noted that they are ready to assist the CMA and contribute further to this initiative.