Ireland’s Data Protection Commission (DPC) has opened an investigation into whether Google’s online advertising exchange illegally uses sensitive personal information about internet users, such as their race, health and political opinions.
The probe will shine a spotlight on the data that powers an automated bidding system used to place adverts widely across the internet.
The DPC said it was looking into the handling of personal data “at each stage of an advertising transaction”. The probe includes how data are being processed, the level of transparency involved and whether Google is doing enough to minimise the amount of information it uses.
The investigation follows a number of complaints, including from browser company Brave, claiming that Google targets advertising at internet users by applying categories that are banned under Europe’s General Data Protection Regulation (GDPR).
The rules, which came into force a year ago, sharply limit how companies can use information that touches on someone’s race, ethnicity, political opinions, religious beliefs, trade union membership or sexual orientation.
GDPR allows regulators to impose fines of up to 4 per cent of a company’s global turnover for the most serious breaches.
The investigation into Google’s ad exchange is her first into the company. Google has maintained that its adverts are targeted based on the type of content on a web page, rather than internet users’ personal circumstances.
A Google spokeswoman said:
We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding.
Authorised buyers using its systems were subject to stringent policies and standards,
Johnny Ryan, chief policy officer at Brave, had accused Google of a “massive and ongoing data breach” in which it leaked intimate user data to “thousands of companies every day”.
According to Brave, Google’s ad exchange broadcasts personal information about users to “tens or hundreds” of potential advertisers every time they visit a website, with no limits placed on how the data are used, making it the “most massive leakage of personal data recorded so far”.
“This system is broadcasting personal data without adequate data protection,” Mr Ryan said.
“You cannot know where your data will end up or what will be done with it, and by whom.”
Brave lodged its complaint against both Google and the IAB, an advertising industry trade group, claiming they had created technical standards that enabled advertisers to target their messages based on the illegal categories.
The Irish investigation is only targeting Google’s ad exchange. The regulator said it had launched its inquiry under section 110 of the country’s Data Protection Act, which gives it wide powers to investigate “in order to ascertain whether an infringement has occurred or is occurring”.