Brave, the startup behind the Brave browser and the Basic Attention Token, has filed regulatory complaints against Google and others over what it considers poor privacy protection for users in the online ads industry.
The complaints – filed with the Irish Data Protection Commissioner and the U.K. Information Commissioner on behalf of Brave’s chief policy officer Johnny Ryan, Jim Killock of the Open Rights Group, and Michael Veale of University College London – are aimed to trigger an article in the new European General Data Protection Regulation (GDPR) requiring an EU-wide investigation.
Ryan said in a statement:
“There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data.”
As well as Google, the complaints target “all ad tech companies that broadcast internet users personal data widely in what are called RTB bid requests,” he told CoinDesk. “We anticipate that the regulators will order the industry to stop broadcasting personal data in this manner.”
The complainants argue that when users search on Google their personal data and information on their behavior online is broadcast to multiple companies interested in targeting them with ads – and without users’ consent. In doing so, they say, Google violates the GDPR’s requirement for personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.”
The complaint indicates that the adtech industry can therefore process users’ information including such data as the content being viewed, location, type of device, unique tracking IDs, or a “cookie match,” and IP address. This data can help reveal many aspects of users, such as income, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning and other sensitive information, it states.
“Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website,” Brave says.
Once the users’ data has been broadcast, its dissemination is impossible to control, the complaint filed with the U.K. Information Commissioner says, adding:
“The sheer number of recipients of such data mean that those broadcasting it cannot protect against the unauthorised further processing of that data, nor properly notify data subjects of the recipients of the data. … data breaches are inherent in the design of the industry.”
The complaint is being legally assisted by Ravi Naik, a partner at ITN Solicitors, who previously helped draw up a complaint to the U.K. Information Commissioner against Cambridge Analytica.
“We have been instructed by clients in numerous jurisdictions to file complaints concerning the behavioural advertising industry. We are confident that any proper appraisal by the authorities of the concerns will lead to a fundamental shift in our relationship with the internet, for the better,” Naik said in the statement.
The GDPR stipulates that failures to protect personal data can cost violators up to 4 percent of a company’s global turnover, but the move against Google, if successful, could have broader implications and undermine the entire online advertising model that internet giants like itself, Facebook and others with huge user databases are now employing, Reuters suggests.
“People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws,” Killock said, also in the statement.
Brave has also announced that, from now on, Qwant, not Google, will be Brave’s default search engine in France and Germany.