Google is being blamed by the Brave development team browser that it violates one of the principles of the General Data Protection Regulation (GDPR) regarding the requirement for companies to state a specific purpose for the collection and processing of personal data.
In a complaint [PDF] filed with the Irish Data Protection Commission (Irish Data Protection Commission ή DPC), ο Brave browser based on Chromium argues that Google's privacy policy violates the purpose limitation principle of GDPR as "does not explicitly specify the purposes for which the data are collected and processed".
The principle of delimitation of the purpose of the GDPR requires all organizations that collect and process personal data to state precisely their purpose to consumers.
Google's privacy policy is "indescribably vague and non-specific," according to Brave's policy chief Johnny Ryan, who said that Google's reasons for collecting data are too general for the way information is used, such as for the "development of new services.".
Ryan also claims that while Google provides customized ads to users based on their interests, it provides very limited information about how data is processed, and why users see a particular ad.
The complaint also includes a study called Inside the Black Box [PDF]. The research separates the purposes exwork of Google to collect personal data from websites, applications and operating systems. Data comes from many different sources, and is often used for different purposes, such as analytics, or advertising.
Referring to the study, Ryan claims that Google's intentions "are so vague that they have no meaning or limitation; the result is an absolute freedom that violates the principles of the GDPR."
"Brave's new data reveals that Google reuses our personal data between businesses and its products in amazing ways that violate the principle of purpose limitation. "Google's internal data is free for everyone and violates the GDPR."
The Brave development team asked Google to provide a complete and sufficiently specific list of the purposes for which the company processes personal data, as well as the relevant legal fundamentals for any purpose. Google has reportedly repeatedly refused to provide any meaningful explanation of its data processing purposes to the Brave team.
The DPC is already investigating how Google processes and manages its users' data. With this investigation, the Irish regulator is seeking to determine whether or not the company has a legal basis for processing user location data and whether these procedures are sufficiently transparent to the GDPR.
