On March 16, Brave filed a second EU General Data Protection Regulation complaint against Google for what it described as “Google's internal data free-for-all.”

Under the GDPR Article 5(1)b, the purpose limitation principle, companies may only use personal data for the narrow, clearly defined purpose it was created for. In a business the size and scale of Google, this would, in effect, mean ring-fencing different parts of the organization.

Brave, a privacy-focused web browser, says Google’s internal data-sharing practices are unlawful and infringe on this principle. But more than that, Brave Chief Policy & Industry Relations Officer Johnny Ryan believes enforcement, in this case, could be a game-changer in disrupting the monopoly of big tech companies once and for all.

It’s a big ask for a single case and a single data protection authority: the Irish Data Protection Commission. A spokesman for the DPC told The Privacy Advisor it was too soon to comment on that specific complaint as they are still assessing the content. However, the authority already has a huge workload — 23 open cases against big tech at the moment. So why is this case so important?

After spending six months trying to find out what Google was doing with his data, Ryan filed a formal complaint with the Irish Data Protection Commission. “Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the internet,” he said.

“They kept referring me back to their privacy policy,” Ryan continued. “When I tried to assess the legal basis for processing, in most cases it was ‘unknown.’” 

He said new users, in particular, are automatically signed into everything by default. “It’s a giant black hole that just absorbs all data, and it uses the data it gets in one service to prop up another bit of its business,” he said. “But merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business." 

He said Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in ways that infringe the purpose limitation principle. 

Ryan believes enforcement of his purpose limitation complaint would be tantamount to a functional separation, “giving everyone the power to decide what parts of Google they choose to reward with their data.”

The purpose limitation principle requires that organizations must scrupulously ring-fence data for specific purposes. These purposes must be made clear and be very specific.

Ryan's assertion is that if Google was no longer able to automatically opt users in to all its products and data collection across all services, it would give people the power to decide what specific parts of Google’s business they want to opt in to with their data and what specific things it can be used for.

Purpose limitation could leave it to the market or individuals in the market as to whether they functionally break up Google or not.

Ryan said he believes this complaint is fundamentally more important than the real-time-bidding complaint by quite some way. (The Irish DPC launched a statutory investigation for suspected infringement under Section 110 of the Irish Data Protection Act in May 2019, following Brave’s first complaint.) 

“I do think the Irish DPC will deliver. ... But we likely won’t hear anything for four to six months,” Ryan said.

He added he firmly believes that competition authorities should be working together with DPAs. Brave has also written to the European Commission, German Bundeskartellamt, U.K. Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission to make them aware of the purpose limitation complaint.

Google has contested the allegations. A spokesperson issued a statement saying, “These repeated allegations from a commercial competitor don’t stand up to serious scrutiny. Twenty million users visit their Google accounts each day to make choices about how Google processes their data. Our privacy policy and the explanations we provide users are clear about how data is stored and the choices users have. We know our users want that control and we invest heavily in delivering it.”

But investigating the complaint will still fall on the shoulders of the Irish DPC. And it’s a DPA with an already huge amount riding on it. Most of international big tech has chosen to make Ireland its headquarters for EU purposes. Why and whether sweetheart tax deals are the reason is an argument for another day.

According to its annual report for 2019, last year, it received 6,904 GDPR complaints. Over the course of the year, the DPC issued 29 decisions — 0.4% of all complaints, which at first look seems remarkably low. But on closer inspection, the discrepancy is not quite so stark. It is to be expected that a certain number of complaints will be closed without a “decision,” explained the DPA.

Of the 4,554 cases closed in 2019, around 37% were resolved without the need for further investigation. Around half of the 2,350 ongoing complaints may too be resolved without further investigation.

A DPC spokesman told The Privacy Advisor: “It’s not unexpected. We are only 20 months into a brand new, complex area. [The lack of fines] is not unique to Ireland. Across the EU there were only three fines issued. We are navigating our way through the new legal framework,” he said, adding the high-profile big tech cases are still to come. “We now have 72 statutory inquiries, 23 into international big tech.”

Photo by Wesley Tingey on Unsplash