Brave Software Inc., developer of the Brave web browser, has filed a GDPR compliant with the Irish Data Protection Commission (DPC) over alleged violations of the purpose limitation principle of the EU’s General Data Protection Regulation (GDPR).
In the compliant, Brave alleges that “Google’s internal data free-for-all” has privacy policies that are “hopelessly vague,” and are in violation of the GDPR. Brave wants Google to publish a list of the purposes for which personal data is processed and to also state a relevant legal basis for each data use purpose.
Dr Johnny Ryan, Brave’s chief policy and industry relations officer, states in the GDPR complaint that there is no functional separation of Google’s business. Data collected from one source for one specific purpose is then reused for other parts of the business and for other Google products, which Ryan claims infringes the purpose limitation principle of the GDPR.
Under GDPR, any company that collects the personal data of EU citizens must only do so for a specified, explicit, and legitimate purpose. Further uses of the data are not permitted if those uses are incompatible with the purpose for which the data has been collected.
The complaint includes details of a study conducted by Brave called Inside the Black Box, which provides details of Google’s different processing purposes for collecting personal data. Brave says there are hundreds of ill-defined processing purposes and the legal basis for those processing activities is unknown.
Brave has also forwarded the GDPR complaint to several European competition regulators, including the European Commission, the UK Competition & Markets Authority, and the Irish Competition and Consumer Protection Commission.
Google has dismissed the latest complaint and claims that it does not stand up to serious scrutiny. Google explained that its privacy policies clearly explain how users’ personal data is stored and the choices they have over the processing of their personal data.