GDPR, one year in; Ireland takes a shot at Google

It’s been nearly a year since the EU’s General Data Protection Regulation went into effect. Since then, we’ve seen a few notable enforcement actions, including:

  • Germany – Social media network fined €20,000 after 800,000 email addresses and passwords stored in plain text were stolen;

  • Portugal – Hospital fined €400,000 for failure to limit access to patient records properly;

  • France – Google fined €50 million for failure to provide information about how data was being used;

  • Denmark – Transportation company Taxa 4x35 fined €160,000 for failing to delete records of 9 million taxi rides after data no longer needed - Removed customer names, but kept other data points;

  • Poland – Digital marketing company Bisnode fined €220,000 for failing to notify 6 million users it was aggregating publicly-available data.

Now comes news that Ireland is taking another shot at Google, this time for how the company handles personal data across the internet. The inquiry is based on a complaint brought by the browser company Brave, and alleges that Google’s very business model runs afoul of GDPR: “Every time a person visits a website and is shown a ‘behavioural’ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies,” Brave’s chief policy officer Johnny Ryan explained in a post. “A data breach occurs because this broadcast, known as an ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access.”

It will be fascinating to see how this plays out. The California Consumer Privacy Act, which comes online on January 1, 2020, has an even more comprehensive definition of “personal information” than the GDPR: If the Irish Data Protection Commissioner prevails, Google will have to fundamentally reshape its ad system in order to avoid future fines. Watch this space.