Google is being blamed by the Brave development team browser that it violates one of the principles of the General Data Protection Regulation (GDPR) regarding the requirement for companies to state a specific purpose for the collection and processing of personal data.
The principle of delimitation of the purpose of the GDPR requires all organizations that collect and process personal data to state precisely their purpose to consumers.
Ryan also claims that while Google provides customized ads to users based on their interests, it provides very limited information about how data is processed, and why users see a particular ad.
The complaint also includes a study called Inside the Black Box [PDF]. The research separates Google's processing purposes for collecting personal data from websites, applications, and operating systems. The data comes from many different sources, and is often used for different purposes, such as analytics, or advertising.
Referring to the study, Ryan claims that Google's intentions "are so vague that they have no meaning or limitation; the result is an absolute freedom that violates the principles of the GDPR."
"Brave's new data reveals that Google reuses our personal data between businesses and its products in amazing ways that violate the principle of purpose limitation. "Google's internal data is free for everyone and violates the GDPR."
The Brave development team asked Google to provide a complete and sufficiently specific list of the purposes for which the company processes personal data, as well as the relevant legal bases for each purpose. Google has reportedly repeatedly refused to provide a substantive explanation for the data processing purposes to the Brave team.
The DPC is already investigating how Google processes and manages its users' data. With this investigation, the Irish regulator is seeking to determine whether or not the company has a legal basis for processing user location data and whether these procedures are sufficiently transparent to the GDPR.