Updated Ireland's Data Protection Commission has launched a formal investigation into adtech giant Google over alleged breaches of the EU's General Data Protection Regulation (GDPR), potentially costing the company £1.12bn.
"A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited's processing of personal data in the context of its online Ad Exchange" said the commission in a statement.
The investigation was triggered by a complaint from Dr Johnny Ryan, chief policy officer at Brave Software, makers of the privacy-focused browser.* It centres on Google Doubleclick, which Ryan said is running on 8.4 million websites around the world – and, he alleged, leaks personal data subject to the GDPR every single day.
Doubtless the Irish investigation will be welcomed by supporters of the EU regulations as a pleasant 1st birthday present for the new bloc-wide law. GDPR allows for fines based on turnover, rather than profit, to be imposed, and in this case could lead to Google being stung for a maximum of £1.12bn (€1.28bn), based on its full-year results of €32bn last year.
Ryan told The Register: "I think the fact that the Irish Data Protection Commission has now acted puts the position of the UK Information Commissioner in focus. I and my co-complainants, Michael Veale of University College London, and Jim Killock of Open Rights Group, are eager to hear from the ICO about its investigation into real-time bidding."
The ICO had not responded to The Register's request for comment on the Irish investigation at the time of writing, bearing in mind identical UK complaints are its job to consider.
Ryan's complaint alleges that personal data leaks from Doubleclick, Google's advert booking and display product, by design through its "bid request" system when it decides which ad to display on a page running the software.
The data being broadcast, Ryan said, includes what URL you're browsing at the time; unique device identifiers, including user-agent strings; screen size and ratio; language settings; and what mobile network you're on. It also checks out your unique Google ID; cookies, a long-running obsession of the EU's; your interests, inferred from what you're browsing; and your location, including latitude, longitude and postcode.
Google has yet to reply to The Register's request for comment.
Ryan has put a selection of his evidence online here. He also testified to the US Senate about online advertising yesterday, and that can be watched on Google-owned website YouTube here. Don't forget to clear your history before clicking. ®
* There is some irony in Brave being built on Chromium, the browser engine built and maintained by – who else? – Google. Ryan told us that Brave had "certainly not" seen any pushback from Googlers involved in the Chromium project.
Updated to add
An ICO spokesperson told The Register: "The data protection implications of adtech are of interest to the ICO. We are currently concentrating on the ecosystem of programmatic advertising and real-time bidding (RTB). This aligns with our Technology Strategy, where both online tracking and artificial intelligence are highlighted as priority areas.
"We have been engaging with representatives of the adtech industry and recently hosted an event to discuss the data protection implications of current and future industry practices."