Ireland launches investigation into Google's Ad Exchange data collection and trading practices

[Delicieuxz]

Ireland launches privacy probe into Google for personal data hoarding & trading

 

Quote

The Irish Data Protection Commission (DPC) has opened a probe into the search behemoth's compliance with the sweeping data protection regulations passed into law across the EU almost exactly a year ago. The inquiry concerns Google's massive Ad Exchange platform, which operates real-time online auctions in which highly-sensitive information about users gleaned from their browsing history is traded by companies which use it to create behavioral profiles for ad targeting.

 

...

 

Ad Exchange auctions can involve hundreds of third parties haggling over users' private data, attaching behavioral "tags" to their traffic without their knowledge – an operation which seems to run afoul of the General Data Protection Regulation (GDPR) requirement that companies obtain explicit consent before dealing in sensitive information.

 

...

 

Because Google's European headquarters are in Ireland, the DPC's decision could serve as a blueprint for other European data regulators wishing to levy their own fines.

 

...

 

The Irish investigation is based on a complaint filed by digital rights organizations, including the no-track browser Brave, last fall. Google was singled out for particular scrutiny in that complaint owing to the invasive nature of its ad-targeting categories – markers like "AIDS & HIV," "male impotence," and "substance abuse" are subject to special protection under the GDPR. Another of Google's ad-targeting categories, ironically, is "privacy issues."

 

France recently fined Google €50 / $57 million for GDPR violations, and now Ireland is conducting its own investigation. I see these are good starts to increasing public and governmental awareness of data-harvesting practises, but the not the end goal, which I see as tight legislation that prevents most of the data-harvesting that goes on today and which increases privacy.

 

California has its own GDPR-type legislation that comes into effect January 1st 2020.

 

 

Related threads:

 

 

 

 

 

[FezBoy]

Good job Ireland!

[Fnige]

Is there a possibility to have a fine for at least 1bn

 

though... Lets hope this stops google doing this

[Delicieuxz]

4 minutes ago, SlimyPython said:

Is there a possibility to have a fine for at least 1bn

 

though... Lets hope this stops google doing this

GDPR rules allow for fines of up to 4% of a company's global annual revenue.

 

In 2018, Google's global revenue was $136.22 billion USD. So, GDPR allows for a fine of up to $5.448 billion USD.

[Fnige]

9 minutes ago, Delicieuxz said:

GDPR rules allow for fines of up to 4% of a company's global annual revenue

Has it actually been used before?

 

also has it had really much of an effect on the company as a whole?

[Delicieuxz]

Just now, SlimyPython said:

Has it actually been used before?

 

also has it had really much of an effect on the company as a whole?

No. GDPR came into effect 1 year ago, and the only large fine so far has been the €50 million one against Google.

[Fnige]

6 minutes ago, Delicieuxz said:

No. GDPR came into effect 1 year ago, and the only large fine so far has been the €50 million one against Google.

and they made that back in like a week

[Arika]

29 minutes ago, Delicieuxz said:

GDPR rules allow for fines of up to 4% of a company's global annual revenue.

for each infraction? or thats the upper limit for the entire year?

[ARikozuM]

 

[Delicieuxz]

28 minutes ago, SlimyPython said:

and they made that back in like a week

Probably half a week, lol.

 

23 minutes ago, Arika S said:

for each infraction? or thats the upper limit for the entire year?

I think based on a case-by-case basis, but not limited to a time-frame.

https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

Quote

What is the maximum administrative fine under the GDPR?

There are two tiers of administrative fines that can be levied as penalties for GDPR non-compliance:

1. Up to €10 million, or 2% annual global turnover – whichever is higher; or
2. Up to €20 million, or 4% annual global turnover – whichever is higher.

Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

The fines are based on the specific articles of the Regulation that the organisation has breached.

Data controllers and processors face administrative fines of

• the higher of €10 million or 2% of annual global turnover for infringements of articles:
  • 8 (conditions for children’s consent),
  • 11 (processing that doesn’t require identification),
  • 25-39 (general obligations of processors and controllers),
  • 42 (certification), and
  • 43 (certification bodies)
• the higher of €20 million or 4% of annual global turnover for infringements of articles:
  • 5 (data processing principles),
  • 6 (lawful bases for processing),
  • 7 (conditions for consent),
  • 9 (processing of special categories of data),
  • 12-22 (data subjects’ rights), and
  • 44-49 (data transfers to third countries).

 

[Arika]

1 minute ago, Delicieuxz said:

Probably half a week, lol.

 

I think based on a case-by-case basis, but not limited to a time-frame.

https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

i ask because if Google was to say "yeah...no" and just not change anything and it only cost them 4% a year they would still see that as a win "it only costs us 4% of our turnover to continue to abuse the planet's privacy"

[mr moose]

Not to worry, I have it on good authority that you can either simply choose not to use websites that data mine you using googles services or accept that you specifically give google authority to do this by using the internet.