Google Faces Irish Advertising Probe For GDPR Compliance

The Irish Data Protection Commission (DPC) has begun an investigation into Google’s advertising service and whether it is obeying Europe’s strict privacy rules.

The investigation comes almost a year since the General Data Protection Regulation (GDPR) rules came into affect in Europe, and they strictly govern how companies must treat people’s data. Companies for example can be fined up to 4 percent of global annual turnover if the offence is serious enough.

The GDPR rules have already bitten Google quite hard already. In January Google was slapped with a 50 million euro (£44m) fine.

GDPR probe

That fine, issued by the France’s data protection office (CNIL), found the US search engine guilty “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”

But now the Irish DPC is also investigating whether Google’s use of personal data to target online advertising is compliant with European privacy rules.

The probe concerns Google’s Ad Exchange system, which is used by companies to target people with adverts across the internet.

“Arising from the Data Protection Commission’s ongoing examination of data protection compliance in the area of personalised online advertising and a number of submissions to the Data Protection Commission, including those made by Dr. Johnny Ryan of Brave, a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange,” the DPC announced.

“The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR),” it added. “The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined.”

“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding,” Google told the BBC. “Authorised buyers using our systems are subject to stringent policies and standards.”

DPC investigations typically take 8 months before a draft decision is made, although it depends on the complexity of the probe.

Facebook, Marriott and British Airways are among the organisations that have been hit by major data breaches since the GDPR came into effect.

Last November seven European consumer groups filed GDPR complaints against Google’s location tracking service.

Quiz: Are you a Google expert?