Browser-flinger Brave's chief privacy and industrial relations officer, Dr Johnny Ryan, has has complained to the Data Protection Commission of Ireland, with copies to other European data protection commissions, to complain of claimed breaches of the EU's General Data Protection Regulation (GDPR) by Google.
A complaint on behalf of Ryan has been sent to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.
Brave's product is a privacy-focused web browser, and Google also happens to dominate the browser market with around 61 per cent share in Europe, according to Statcounter – versus Brave which is somewhere in "Others" (0.91 per cent). It is unsurprising that Brave wants to focus public interest on its key point of differentiation.
Google's size does not relieve it from GDPR responsibilities, though, and Brave's claim is that the search giant is not transparent about the purposes for which it collects data. GDPR article 5.1 specifies that personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
When Ryan demanded to know what those purposes are, for his own personal data, "Google referred our client to a series of links on their website, including reference to their privacy policies," according to a statement [PDF] from Brave's lawyers.
Note that since the GDPR covers personal data, the complaint is from Ryan himself rather than Brave.
The privacy officer and his employer consider that Google's privacy policies are "hopelessly vague and unspecific", despite the GDPR requirement for specificity. Second, they claimed "it is not apparent from the policy which activity, product or interaction is covered by which purpose." They added that Google's "policies and procedures" were spread across several links and websites, making them hard for users to identify.
When it comes to location data, for example, Google has said: "Location can make your experiences across Google more relevant and helpful. Location information also helps with some core product functionality, like providing a website in the right language or helping to keep Google's services secure."
The complaint states that: "This is not sufficiently precise for a data subject to understand what will occur with their location data nor what data is strictly necessary to provide, for instance, the service of showing a person where they are on a map." It is also unclear, the complaint adds, "exactly how data collected from one Google product such as Maps will then be used by other products, such as advertising."
Ryan used other sources, including submissions to US antitrust committees, to analyse how Google uses personal data. This analysis is set out in a 59-page document called Inside the Black Box [PDF] that identifies "hundreds of purposes, compared to the six listed on the Google policy." The complaint claims that personal data "enters an internal free-for-all within Google."
Another claim Ryan/ Brave is that when users sign up to a Google account, "a data subject is not given sufficient information to understand what will happen to their data (or even what data will be collected)."
Ryan is asking the data protection commissions to require Google to provide "a full and complete list of the purposes for which his data has been collected and processed." He also proposes that Google's processing activities are audited.
What harm arises if Google is, as claimed, breaching GDPR? Brave said it is focused on "completion concerns." Specifically, it claimed Google is able to "create a cascading monopoly by offensively leveraging data from one market into a succession of other markets," as well as erecting barriers to entry for potential competitors.
Ryan also told The Reg: “The harm is that if you do not know what is happening to your data, then there is no accountability, transparency, or control. If a company like Google can operate a data free-for-all, then data protection, and the GDPR, is an illusory fantasy.”
The browser-maker says that if the GDPR's purpose limitation principle were enforced, it would no longer be able to automatically opt users in to all of its products and data collection. Instead, people could withdraw consent for granular purposes, choosing which specific parts of Google's business they are willing to share data with.