Web browser Brave has filed a formal GDPR complaint against Google alleging that the tech giant’s practices infringed the purpose limitation principle of the General Data Protection Regulation (GDPR). In an official statement, released on 16 March, Brave said that the complaint’s enforcement would be “tantamount to a functional separation of Google’s business.”
Central to its GDPR complaint, Brave says that “Google’s internal data free-for-all” includes “hopelessly vague” privacy policies which stand in breach of the GDPR and has requested that Google publish a list of the purposes for which the tech giant processes personal data, alongside a relevant legal basis for each purpose.
Brave GDPR complaint taking shape
Brave chief policy and industry relations officer Dr Johnny Ryan, who penned the complaint, also makes the accusation that—while Google does indeed provide targeted advertising to its users based on their interests—the company nevertheless provides access to only limited information concerning the processing of that information, and the reasons for why users are seeing a specific ad.
“It is not apparent from the policy which activity, product, or interaction is covered by which purpose,” Ryan writes in Brave’s GDPR complaint. “It is therefore difficult (if not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc.”
“Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle,” Ryan adds. “Google’s internal data free-for-all infringes the GDPR.”
The purpose limitation principle—upon which Brave bases its GDPR complaint—states that personal data shall be collected “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Brave claims that they have forwarded their GDPR complaint to European competition regulators in order to draw their attention to the tech giant’s misstep. The regulators include the European Commission (EU), the Bundeskartellamt (Germany), the UK Competition & Markets Authority (UK), the Autorité de la concurrence (France), and the Irish Competition and Consumer Protection Commission (Ireland).
Google a ‘black box’, Brave claims
Additionally included in Brave’s written complaint is a study it conducted called Inside the Black Box, which Brave claims details Google’s processing purposes for collecting personal data from integrations within websites, apps and operating systems. The processing purposes range from accounting to advertising to transactions.
According to Brave, the study provides a “glimpse of what Google does with everyone’s personal data: hundreds of ill-defined processing purposes, and unknown legal bases.”
Google dismissive of allegations
Google has issued a retort against the GDPR complaint, claiming that the allegations “don’t stand up to serious scrutiny.”
The Irish Data Protection Commission (DPC) is already in the midst of an investigation into Google’s processing and management of user data.
Google explained to The Register that Brave’s “repeated allegations” are inadequate, adding that “twenty million users visit their Google Accounts each day to make choices about how Google processes their data. Our privacy policy and the explanations we provide users are clear about how data is stored and the choices users have.”
Questions of competition
As a Chromium-based blockchain-powered decentralized browser operator, Brave is seen as a direct competitor to Google in the web browser market. Moreover, the company advertises itself as a “private and secure” alternative to the big names which, other than Google Chrome, include Safari (owned by Apple), Internet Explorer and Edge (both owned by Microsoft) and Firefox (owned by Mozilla).
A recent privacy study conducted by Douglas J. Leith of the Trinity College London reveals that Brave does indeed protect user privacy significantly better than does Google Chrome or any other major browser. According to the researchers, Brave did not make “any use” of “identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.”
In spite of this, however, Brave claims that its recent GDPR complaint against Google is not an action it is taking to score publicity or a competitive advantage.
“The question is not relevant,” Dr Ryan told Cointelegraph in an interview. “Brave does not—as far as I am aware—have direct frustrations with Google. Brave is growing nicely by being a particularly fast, excellent, and private browser.”
“It doesn’t need regulators’ to help it grow.”
Correction April 4, 2020: Removed incorrect statement that if none of the regulatory bodies decide to take up action against Google, Brave may take the tech giant to court.