Formal GDPR complaint against Google’s internal data free-for-all

Brave has filed a formal GDPR complaint against Google for infringing the GDPR “purpose limitation” principle. Enforcement would be tantamount to a functional separation of Google’s business. 

This morning, Brave filed a formal GDPR complaint against Google for infringing Article 5(1)b of the GDPR, which sets forth the “purpose limitation” principle.

Quick facts

  • The GDPR purpose limitation principle requires that organizations internally ring-fence personal data and use it only for the narrow purpose it was collected for. Brave’s evidence shows that Google’s internal data free-for-all is unlawful. Tweet this
  • For six months, Dr Johnny Ryan of Brave tried to learn what Google does with his data. Brave has now sought recourse from the regulator (DPC) to force Google to reveal what it does with everybody’s personal data. Tweet this
  • New Brave evidence, ‘Inside the Black Box’, offers a glimpse of what Google does with everyone’s personal data: hundreds of ill-defined processing purposes, and unknown legal bases. Tweet this
  • Enforcement of Brave’s GDPR “purpose limitation” complaint against Google would be tantamount to a functional separation, giving everyone the power to decide what parts of Google they chose to reward with their data Tweet this 
  • Google’s internal data free-for-all enabled it to create a cascading monopoly. But it is now acutely vulnerable to GDPR Article 5(1)b enforcement. Brave has written to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission, to make them aware of today’s purpose limitation complaint. Tweet this 

Dr Johnny Ryan, Brave’s Chief Policy & Industry Relations Officer, filed the complaint with Google’s lead GDPR regulator in Europe, the Irish Data Protection Commission.

Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the Internet”, said Dr Ryan.

“But merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them. But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR”.

The purpose limitation principle is set forth in Article 5(1)b of the GDPR:

“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”.[1]

The purpose limitation principle requires that organizations must scrupulously ring fence data for specific purposes. These purposes must be made clear, and be very specific.


Google’s internal data free-for-all

For six months Dr Ryan asked Google one simple question: “What do you do with my data?” Despite several rounds of correspondence, and having the right to this information under Article 15 of the GDPR, Google refused to properly engage with the question.

Google is a black box. Today, Brave is releasing a study that offers a glimpse inside. ‘Inside the Black Box’ examines a diverse set of documents written for Google’s business clients, technology partners, developers, lawmakers, and users. It reveals that Google collects personal data from integrations with websites, apps, and operating systems, for hundreds ill-defined processing purposes.

Google’s purposes are so vaguely defined as to have no meaning or limit. The result is an internal data free-for-all that infringes the GDPR’s purpose limitation principle.

Ravi Naik, a partner at AWO, is the solicitor working on the case.

The Google monolith is a hub where data goes to be consumed and fed into a vortex of different services and offerings. Data protection cannot properly be effective until that structure is opened up”, said Mr Naik. “The GDPR provides the key – by requiring Google to specify their processing activities. At present, Google’s attempts to specify what they do with personal data are hopelessly vague. This action by Brave aims to put an end to that and bring some governance to this data free-for-all, once and for all.

Google’s cascading monopolies

Google’s internal data free-for-all is a data protection crisis. It also raises serious competition concerns.

Consumers trade with Google on unfair trading conditions: their data is collected and processed in an unlimited way, with no proper opportunity for the consumer to consent or withdraw or even to know what is happening.

Google’s “privacy policy tying”[2] also allows it to cross-use the mass of data that it acquires from websites, apps and operating systems between diverse markets. This allows it to:

  1. create a cascading monopoly by offensively leveraging data from one market into a succession of other markets; [3] and
  2. protect that cascading monopoly by erecting cross-market barriers to entry, and foreclosing nascent competitors.

What enforcement would mean

Enforcement of the GDPR “purpose limitation principle” against Google will have the following consequences:

  1. Google would no longer be able to automatically opt users in to all of its products and data collection;
  2. it would not be able to bundle multiple requests for consent together to conflate different processing purposes;
  3. it would lose the vast, unlawful data advantage it has gained from combining and cross-using the personal data of users; and
  4. people who use a Google product will have the power to functionally break up Google by withdrawing their consent for granular purposes – this would be a consumer-led functional separation of Google.

This would give people the power to decide what specific parts of Google’s business they want to reward with their data, and what specific things it can be used for. Google would have to compete “on the merits” in every market that it competes in.

Brave has written to European competition regulators to draw their attention to the complaint and highlight the purpose limitation remedy, including the European Commission, the Bundeskartellamt, the UK Competition & Markets Authority, the Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.

Documents

Notes

[1] Article 5(1)b, the GDPR.
[2] Daniele Condorelli and Jorge Padilla, “Harnessing Platform Envelopment Through Privacy Policy Tying”, 14 December 2019 (URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3504025).
[3] See Johnny Ryan’s testimony to US Senate Judiciary Committee, 21 May 2019 (URL: https://www.judiciary.senate.gov/imo/media/doc/Ryan%20Testimony.pdf).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s