Browser minnow Brave nips at Google with GDPR complaint

Claims 'don't stand up to serious scrutiny' retorts Google

Browser-flinger Brave's chief privacy and industrial relations officer, Dr Johnny Ryan, has has complained to the Data Protection Commission of Ireland, with copies to other European data protection commissions, to complain of claimed breaches of the EU's General Data Protection Regulation (GDPR) by Google.

A complaint on behalf of Ryan has been sent to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.

Brave's product is a privacy-focused web browser, and Google also happens to dominate the browser market with around 61 per cent share in Europe, according to Statcounter – versus Brave which is somewhere in "Others" (0.91 per cent). It is unsurprising that Brave wants to focus public interest on its key point of differentiation.

Google's size does not relieve it from GDPR responsibilities, though, and Brave's claim is that the search giant is not transparent about the purposes for which it collects data. GDPR article 5.1 specifies that personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

When Ryan demanded to know what those purposes are, for his own personal data, "Google referred our client to a series of links on their website, including reference to their privacy policies," according to a statement [PDF] from Brave's lawyers.

Note that since the GDPR covers personal data, the complaint is from Ryan himself rather than Brave.

The privacy officer and his employer consider that Google's privacy policies are "hopelessly vague and unspecific", despite the GDPR requirement for specificity. Second, they claimed "it is not apparent from the policy which activity, product or interaction is covered by which purpose." They added that Google's "policies and procedures" were spread across several links and websites, making them hard for users to identify.

When it comes to location data, for example, Google has said: "Location can make your experiences across Google more relevant and helpful. Location information also helps with some core product functionality, like providing a website in the right language or helping to keep Google's services secure."

The complaint states that: "This is not sufficiently precise for a data subject to understand what will occur with their location data nor what data is strictly necessary to provide, for instance, the service of showing a person where they are on a map." It is also unclear, the complaint adds, "exactly how data collected from one Google product such as Maps will then be used by other products, such as advertising."

Ryan used other sources, including submissions to US antitrust committees, to analyse how Google uses personal data. This analysis is set out in a 59-page document called Inside the Black Box [PDF] that identifies "hundreds of purposes, compared to the six listed on the Google policy." The complaint claims that personal data "enters an internal free-for-all within Google."

Another claim Ryan/ Brave is that when users sign up to a Google account, "a data subject is not given sufficient information to understand what will happen to their data (or even what data will be collected)."

After some to-and-fro, Google sent Ryan an email stating: "We do not agree with your assertions regarding the alleged inadequacy of the Google privacy policy and Google privacy practices generally, and reserve our position accordingly."

Ryan is asking the data protection commissions to require Google to provide "a full and complete list of the purposes for which his data has been collected and processed." He also proposes that Google's processing activities are audited.

What harm arises if Google is, as claimed, breaching GDPR? Brave said it is focused on "completion concerns." Specifically, it claimed Google is able to "create a cascading monopoly by offensively leveraging data from one market into a succession of other markets," as well as erecting barriers to entry for potential competitors.

Ryan also told The Reg: “The harm is that if you do not know what is happening to your data, then there is no accountability, transparency, or control. If a company like Google can operate a data free-for-all, then data protection, and the GDPR, is an illusory fantasy.”

The browser-maker says that if the GDPR's purpose limitation principle were enforced, it would no longer be able to automatically opt users in to all of its products and data collection. Instead, people could withdraw consent for granular purposes, choosing which specific parts of Google's business they are willing to share data with.

With regard to Brave, Google told The Register that: "These repeated allegations from a commercial competitor don't stand up to serious scrutiny." The Google spokesperson added: "Twenty million users visit their Google Accounts each day to make choices about how Google processes their data. Our privacy policy and the explanations we provide users are clear about how data is stored and the choices users have."


Similar topics

Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • It's a crime to use Google Analytics, watchdog tells Italian website
    Because data flows into the United States, not because of that user interface

    Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.

    The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.

    So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading
  • Google offers $118m to settle gender discrimination lawsuit
    Don't even think about putting LaMDA on the compensation committee

    Google has promised to cough up $118 million to settle a years-long gender-discrimination class-action lawsuit that alleged the internet giant unfairly pays men more than women.

    The case, launched in 2017, was led by three women, Kelly Ellis, Holly Pease, and Kelli Wisuri, who filed a complaint alleging the search giant hires women in lower-paying positions compared to men despite them having the same qualifications. Female staff are also less likely to get promoted, it was claimed.

    Gender discrimination also exists within the same job tier, too, the complaint stated. Google was accused of paying women less than their male counterparts despite them doing the same work. The lawsuit was later upgraded to a class-action status when a fourth woman, Heidi Lamar, joined as a plaintiff. The class is said to cover more than 15,000 people.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading

Biting the hand that feeds IT © 1998–2022