Google's main regulator in the European Union, Ireland's Data Protection Commissioner, opened its first investigation into the US Internet giant on Wednesday over how it handles personal data for the purpose of advertising.
The probe was the result of a number of submissions against the company, the Irish Data Protection Commissioner (DPC) said, including from privacy-focused web browser Brave, which complained last year that Google and other digital advertising firms were playing fast and loose with people's data.
Brave argued that when a person visits a website, intimate personal data that describes them and what they are doing online is broadcast to tens or hundreds of companies without their knowledge in order to auction and place targeted adverts.
"A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited's processing of personal data in the context of its online Ad Exchange," the Irish DPC said in a statement.
It said the enquiry would establish whether processing of personal data carried out at each stage of an advertising transaction was in compliance with the landmark European GDPR privacy law introduced a year ago.
That would include considering the lawful basis for processing, the principles of transparency and data minimisation, as well as Google's retention practices, it added.
Many of the large technology firms have their European headquarters in Ireland, putting them under the watch of the Irish DPC.
The regulator said earlier this month that it had 51 large-scale investigations under way, 17 of which related to large technology firms including Twitter, LinkedIn, Apple and a number into Facebook and its WhatsApp and Instagram subsidiaries.
Under the EU's General Data Protection Regulation (GDPR), regulators have the power to impose fines for violations of up to 4% of a company's global revenue or 20 million euros ($22 million), whichever is higher.
GDPR seeks to ensure that individuals have greater control over the data that companies hold about them, prompting the complaints from Brave, set up by Silicon Valley engineering guru and Mozilla co-founder Brendan Eich, and others last September.
Google said at the time that it had already implemented strong privacy protections in consultation with European regulators and is committed to complying with the GDPR.
"We will engage fully with the DPC's investigation and welcome the opportunity for further clarification of Europe's data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards," a spokesperson for Google said on Wednesday.
The probe could become a test case into the foundations of the data-driven model the online ad industry depends on.
"The Irish Data Protection Commission's action signals that now - nearly one year after the GDPR was introduced - a change is coming that goes beyond just Google," Brave's chief policy officer Johnny Ryan said in a statement on Wednesday.
© Thomson Reuters 2019