Google is alleged to have been using a ‘GDPR workaround’ to avoid the restrictions on data sharing imposed by the General Data Protection Regulation, which came into force in Europe on May 25, 2018.
The GDPR workaround was allegedly used to bypass data sharing restrictions to allow Google to continue to send the personal data of EU citizens to advertising companies around the globe.
The search engine giant is now being investigated by the Data Protection Commission (DPC) in Ireland over the alleged violations, which could potentially result in a fine of up to €5.45 billion – $6.03 billion – if the allegations are proven to be true.
Evidence of the GDPR workaround was found by the start-up anti-tracking Internet browser Brave, which uncovered a mechanism allegedly used by Google that it calls ‘Push Pages.’
Brave’s Chief Policy & Industry Relations Officer, Dr Johnny Ryan, had previously submitted a complaint to the DPC over Google’s DoubleClick/Authorized Buyers ad business along with ‘concrete proof’ that Ryan’s personal data had been broadcast by Google to advertisers in violation of GDPR.
The subsequent investigations by Brave uncovered the GDPR workaround, which is claimed to be in violation of GDPR and Google’s publicly disclosed GDPR data safeguards.
The DoubleClick/Authorized Buyers system is used on approximately 8.4 million active websites and sees information sent to more than 2,000 advertisers around the globe.
Google claims that the real-time bidding system prevents data from being combined by those advertisers. However, Brave has uncovered evidence that suggests Google has allowed multiple parties to match identifiers with the data, which would allow the data subject to be identified. Google has claimed it no longer shares pseudonymous identifiers with advertisers.
Brave’s investigation suggests Google invites companies to share profile identifiers about a person when the web page is loaded. “Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about,” explained Ryan in a recent blog post. “This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”
The “google_push” identifier allows advertisers to cross-reference profiles of a person, and then swap profile data with each other. The mechanism allows advertisers to identify individuals and serve targeted adverts, rather than target groups of hundreds or thousands of individuals in advertising campaigns. It would also be possible for an individual to be identified in the real world from the data gathered over a long period of time.
A spokesperson for Google said, “We do not serve personalized ads or send bid requests to bidders without user consent. The Irish DPC, Google’s lead DPA and the UK ICO are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”
“Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle,” explained Ryan’s solicitor, Ravi Naik.
The evidence gathered by Ryan and Zach Edwards appears to show clandestine profile matching by Google. “Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection. Unfortunately, the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices,” said Naik.