Ireland’s Data Protection Commissioner opened its first investigation into the Google Ireland on Wednesday over how it handles personal data used for advertising.
A statutory inquiry has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange.
The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR). The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.
The probe was the result of a number of submissions against Google, the Irish Data Protection Commissioner (DPC) said, including from privacy-focused web browser Brave, which complained last year that Google and other digital advertising firms were playing fast and loose with people’s data.
Brave argued that when a person visits a website, personal data that describes them and what they are doing online is broadcast to tens or hundreds of companies without their knowledge in order to auction and place targeted adverts.
“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorized buyers using our systems are subject to stringent policies and standards,” Google said on Wednesday.
Ireland’s data regulator is the lead authority to watch over Google’s privacy compliance, after the Alphabet Inc. unit established its main European base in the country.
Many of the large technology firms have their European headquarters in Ireland, putting them under the watch of the Irish DPC. The latest investigation brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.
Under the EU’s General Data Protection Regulation (GDPR), regulators have the power to impose fines for violations of up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher.