Google is being blamed by the Brave development team browser that it violates one of the principles of the General Data Protection Regulation (GDPR) regarding the requirement for companies to state a specific purpose for the collection and processing of personal data.
In a complaint [PDF] filed with the Irish Data Protection Commission (DPC), o Brave browser based on Chromium argues that Google's privacy policy violates the purpose limitation principle of GDPR as "does not explicitly specify the purposes for which the data are collected and processed".
The principle of delimitation of the purpose of the GDPR requires all organizations that collect and process personal data to state precisely their purpose to consumers.
Google's privacy policy is "indescribably vague and unspecific," according to Brave's head of policy, Johnny Ryan, who said that Google's reasons for data collection are very general about how to use the information, such as for "developing new services.".
Ryan also claims that while Google provides customized ads to users based on their interests, it provides very limited information about how data is processed, and why users see a particular ad.
The complaint also includes a study called Inside the Black Box [PDF]. The survey separates Google's processing purposes for collecting personal data from websites, applications and operating systems. Data comes from many different sources, and is often used for different purposes, such as analytics, or advertising.
Referring to the study, Ryan claims that Google's intentions "are so vague that they have no meaning or limitation; the result is an absolute freedom that violates the principles of the GDPR."
"Brave's new data reveals that Google againuses our personal data between businesses and its products in surprising ways that violate the principle of purpose limitation. Google's internal data is free for all to see and violates the GDPR."
The Brave development team asked Google to provide a complete and sufficiently specific list of the purposes for which the company processes personal data, as well as the relevant legal bases for each purpose. Google has reportedly repeatedly refused to provide a substantive explanation for the data processing purposes to the Brave team.
The DPC is already investigating how Google processes and manages its users' data. With this investigation, the Irish regulator is seeking to determine whether or not the company has a legal basis for processing user location data and whether these procedures are sufficiently transparent to the GDPR.