Ireland’s data protection regulator has opened an investigation into whether Google’s online advertising exchange illegally taps into sensitive personal information about internet users, such as their race, health and political leanings.
The probe, announced on Wednesday, will shine a spotlight on the data that powers an automated bidding system used to place adverts widely across the internet.
The Irish Data Protection Commission, the lead regulator that oversees Google’s compliance with Europe’s recently created privacy regime, said it was looking into the handling of personal data “at each stage of an advertising transaction”.
The probe includes how data are being processed, the level of transparency involved and whether Google is doing enough to minimise the amount of information it uses.
The investigation follows a number of complaints, including from browser company Brave, claiming that Google targets advertising at internet users by applying categories that are banned under Europe’s General Data Protection Regulation. The rules, which came into force a year ago, sharply limit how companies can use information that touches on someone’s race, ethnicity, political opinions, religious beliefs, trade union membership or sexual orientation.
GDPR allows regulators to impose fines of up to 4 per cent of a company’s global turnover for the most serious breaches. Since it came into force, Ireland’s data protection commissioner, Helen Dixon, has opened inquiries into Facebook and its WhatsApp and Instagram units, three inquiries into Twitter, two at Apple and one at LinkedIn. The investigation into Google’s ad exchange is her first into the company.
Google has maintained that its adverts are targeted based on the type of content on a web page, rather than internet users’ personal circumstances.
A Google spokeswoman said: “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding.” Authorised buyers using its systems were subject to stringent policies and standards, she added.
Johnny Ryan, chief policy officer at Brave, had accused Google of a “massive and ongoing data breach” in which it leaked intimate user data to “thousands of companies every day”. According to Brave, Google’s ad exchange broadcasts personal information about users to “tens or hundreds” of potential advertisers every time they visit a website, with no limits placed on how the data are used, making it the “most massive leakage of personal data recorded so far”.
“This system is broadcasting personal data without adequate data protection,” Mr Ryan told the Financial Times on Wednesday. “You cannot know where your data will end up or what will be done with it, and by whom.”
Brave lodged its complaint against both Google and the IAB, an advertising industry trade group, claiming they had created technical standards that enabled advertisers to target their messages based on the illegal categories.
The Irish investigation is only targeting Google’s ad exchange. The regulator said it had launched its inquiry under section 110 of the country’s Data Protection Act, which gives it wide powers to investigate “in order to ascertain whether an infringement has occurred or is occurring”.