Google Facing Possible €5.45bn Penalty for GDPR ‘Workaround’

Start-up Internet browser Brave has submitted new evidence to the Data Protection Commission (DPC) in Ireland which indicates that Google has been using a workaround to try and bypass General Data Protection Regulation (GDPR) rules and share the private personal data of billions of people with advertising companies based around the world.

Brave claims to have discovered a mechanism referred to as ‘Push Pages’ being used by Google. Johnny Ryan, chief policy and industry relations officer at anti-ad-tracking browser Brave, published a blog post on the Brave blog which says that “each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”

What this essentially means is that advertisers can uniquely identify individuals, rather than target grouped audiences of hundreds or thousands of people, for their advertising campaigns. It is even possible that, having gathered enough data over time, advertisers could go as far as identifying the individual that they are targeting in the real world.

This new complaint comes not long after Brave filed a complaint in Ireland and the UK in relation to privacy breaches by Google and other Internet advertising companies. The initial complaint, which is still being investigated by the relevant data protection authorities, claimed that the variety of data breached during advertising bid requests included what the user is viewing online, location information, IP address, device details, and a number of different types of tracking IDs.

Brave claims that, despite Google's claims to the contrary, Google is not stopping users of its real-time bidding (RTB) ad system from combining profiles of sensitive data about website visitors. In addition, Brave claims that Google has not brought an end to the practice of sharing pseudonymous identifiers but has instead allowed many additional parties to match with Google identifiers. It says: “the evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other”.

Brave was able to come to these conclusions with the assistance of third-party expert Zach Edwards. Edwards reviewed a log of the web browsing of Johnny Ryan, chief policy and industry relations officer at anti-ad-tracking browser Brave. In doing so he was able to confirm that Ryan’s personal data was shared, and the use of ‘Push Pages’, through which Google invites multiple companies to share profile identifiers about a person when they view a web page.

Ryan wrote on the Brave corporate blog: “Google’s ‘DoubleClick/Authorized Buyers’ ad system is active on 8.4-plus million websites. It broadcasts personal data about visitors to these sites to 2,000-plus companies, hundreds of billions of times a day. The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”

In relation to the ‘Push Pages’ Ryan wrote: “All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This ‘google_push’ identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.”

Violations of GDPR carry the risk of large fines, either 4% of annual turnover or €20m (whichever is higher). Google’s annual revenue last year was $136.22bn (£111.09bn), with 4% equating to $5.45bn.

A Google representative said: “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC, Google’s lead DPA and the UK ICO are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”

In January, Google was fined €50m (£44.9m) by France’s data regulator for improperly obtaining user consent over personalised advertising. This is just one of a number of GDPR investigations and complaints that the Internet giant has been dealing with in recent times. Others include:

How Google ‘Push Pages’ Work

A Google domain served the Google Push Pages. All the pages are served from the same domain, and all have the same name, “cookie_push.html”. Every Push Page is different from others due to the use of a code that includes around 2,000 characters.

Google places these characters at the end of the code to uniquely identify the person that Google is sharing data about. Once this is combined with other cookies supplied by Google, businesses can pseudonymously identify the person. Previously they would not have been able to do this.

Google can invite companies to access a Push Page, which means that they all receive the same identifier for the person being profiled. This “google_push” identifier permits them to cross-reference their profiles of the person, and they can then swap profile data with each other. A person visiting a website will not be able to see the ‘Push Pages’.
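
The pattern described above can be checked for in a browsing log. The following Python script is an added example, not part of Brave's evidence or the original article: it lists requests for a page named “cookie_push.html” and reports every “google_push” value that reached more than one host. It assumes the identifier travels as a `google_push` query parameter; all hosts and values are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample of request URLs from one page load (placeholder hosts/values).
SAMPLE_REQUESTS = [
    "https://push.example/cookie_push.html#CONSTRUCTED-FRAGMENT",
    "https://sync.adtech-a.example/match?google_push=ID-CONSTRUCTED-1&uid=a-771",
    "https://px.adtech-b.example/cm?google_push=ID-CONSTRUCTED-1&partner=b",
    "https://cm.adtech-c.example/pixel?google_push=ID-CONSTRUCTED-1",
    "https://cdn.static.example/app.js",
    "https://sync.adtech-a.example/match?google_push=ID-CONSTRUCTED-2",
]

PARAM = "google_push"           # identifier name quoted in the article
PAGE_NAME = "cookie_push.html"  # page name quoted in the article


def push_page_loads(urls, page_name=PAGE_NAME):
    """Return (host, trailing_length) for each request to a page with that name.

    trailing_length counts the characters that follow the page name, i.e. the
    per-person code the article says is added at the end.
    """
    loads = []
    for url in urls:
        parts = urlsplit(url)
        if parts.path.rsplit("/", 1)[-1] == page_name:
            loads.append((parts.hostname, len(url.split(page_name, 1)[1])))
    return loads


def shared_identifiers(urls, param=PARAM, min_parties=2):
    """Map each identifier value to the hosts that received it, keeping only
    values seen by at least `min_parties` distinct hosts."""
    seen = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        for value in parse_qs(parts.query).get(param, []):
            seen[value].add(parts.hostname)
    return {v: sorted(h) for v, h in seen.items() if len(h) >= min_parties}


if __name__ == "__main__":
    for host, length in push_page_loads(SAMPLE_REQUESTS):
        print(f"Push Page served by {host}, trailing code length {length}")
    for value, hosts in shared_identifiers(SAMPLE_REQUESTS).items():
        print(f"{value} shared with {len(hosts)} hosts: {', '.join(hosts)}")
```

Hosts are compared by full hostname, so two subdomains of one company count as two parties; grouping by registrable domain would need a public-suffix list.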

Brave have made a sample of a Push Page available here. 

Ravi Naik, a data rights solicitor who is acting for Dr Ryan and Brave said: “Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle. Now our client finds seemingly clandestine profile matching by Google. Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection. Unfortunately, the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices.”