Google is facing an Irish privacy probe over its advertising practices and whether it followed the EU’s General Data Protection Regulation, nearly a year after the comprehensive privacy law took effect.
The investigation will examine whether Google followed the GDPR in Google Ireland’s “processing of personal data in the context of its online Ad Exchange,” Graham Doyle, spokesman for the Irish Data Protection Commission, said.
The Google probe was spurred by complaints sent to the Irish privacy office from Johnny Ryan of Brave Inc. alleging that Google’s DoubleClick advertising platform leaks intimate data about consumers visiting websites, the regulator said in a statement.
Under the GDPR, companies can fined up to four percent of their annual revenue for privacy violations. That could mean billions in fines for large tech companies found to have run afoul of the law.
Ireland is in the middle of privacy investigations into Facebook, Twitter Inc., Apple Inc., among other big tech companies. The regulator is likely to wrap up some of those probes by the end of the summer.
A Google representative said the search giant will work with the Irish regulator.
“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding,” the representative said. “Authorised buyers using our systems are subject to stringent policies and standards.”
The advertising technology industry is under pressure from EU and U.S. regulators for broadly collecting consumer data without clear consent. Ireland’s privacy office has seen similar issues in the industry.
In the statutory inquiry, which is a formal EU privacy investigation, the regulator will examine if Google processed data “carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR), including the lawful basis for processing, the principles of transparency and data minimisation, as well as Google’s retention practices,” Doyle said.
The probe is Ireland’s first into Google since the adoption of the GDPR. However, Google was hit with a 50 million euro ($55.8 million) fine by the French privacy office for not being transparent in its data sharing activities. Google has since moved its European headquarters from France to Ireland, and is under the purview of Ireland’s privacy office.
Ireland’s action “signals that now—nearly one year after the GDPR was introduced—a change is coming that goes beyond just Google,” Ryan said. Advertising reforms are needed “to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR,” he said.
The Irish privacy office is increasing enforcement and other staff to handle GDPR complaints and ongoing investigations. Although the office has 140 staffers, Irish privacy chief Helen Dixon has said they will need more staff to handle more data protection issues.