Η Google blamed by Brave's development team browser that it violates one of the principles of the General Data Protection Regulation (GDPR) related to requiring companies to state a specific purpose for the collection and processing of personal data.
In a complaint [PDF] filed with the Irish Data Protection Commission (DPC), Chromium-based Brave browser claims that Google's privacy policy violates its "purpose limitation" principle GDPR as "does not explicitly specify the purposes for which the data are collected and processed".
The principle of delimitation of the purpose of the GDPR requires all organizations that collect and process personal data to state precisely their purpose to consumers.
Google's privacy policy is "indescribably vague and unspecific," according to Brave's head of policy, Johnny Ryan, who said that Google's reasons for data collection are very general about how to use the information, such as for "developing new services.".
Ryan also claims that while Google provides customized ads to users based on their interests, it provides very limited information about how data is processed, and why users see a particular ad.
The complaint also includes a study, called Inside the Black Box [PDF]. The research separates Google's processing purposes for collecting personal data from websites, applications, and operating systems. The data comes from many different sources, and is often used for different purposes, such as analytics, or advertising.
Referring to the study, Ryan claims that Google's intentions "are so vague that they have no meaning or limitation; the result is an absolute freedom that violates the principles of the GDPR."
"Brave's new data reveals that Google reuses our personal data between businesses and its products in amazing ways that violate the principle of purpose limitation. "Google's internal data is free for everyone and violates the GDPR."
The Brave development team asked Google to provide a complete and sufficiently specific list of the purposes for which the company processes personal data, as well as the relevant legal bases for each purpose. Google has reportedly repeatedly refused to provide a substantive explanation for the data processing purposes to the Brave team.
The DPC is already investigating how Google processes and manages its users' data. With this investigation, the Irish regulator is seeking to determine whether or not the company has a legal basis for processing user location data and whether these procedures are sufficiently transparent to the GDPR.
