High-Impact GDPR Breach Probe Launched Into Google's Ad Practices


Regulators from the Irish Data Protection Commission (DPC) are now officially examining whether Google's Ad Exchange practices meet the strict security conditions required by the EU's GDPR rules, TechCrunch reports. The formal inquiry stems from complaints filed against the company last year, centered on its real-time bidding system and particularly its DoubleClick/Authorized Buyers ad system.

More directly, the DPC is inquiring as to whether Google's system conforms to transparency, data minimization, security, and retention guidelines set by EU regulation, citing section 110 of Ireland's Data Protection Act 2018. Other ongoing inquiries into the real-time bidding system have been filed across the EU in the UK, Poland, Spain, Belgium, Luxembourg, and the Netherlands. Google Ireland acts as the data controller for EU users, so the investigation into the search giant will be carried out by the Irish DPC.

Not a first for Google


The EU's GDPR rules, put into place in early 2018, are not complicated, but that hasn't kept Google and other tech giants from repeatedly coming into conflict with the regulations. In fact, investigations into several major entities have effectively been ongoing since the very first day of enforcement.

At the heart of the matter, most of the investigations have been the result of complaints filed regarding how each company handles user privacy. In some cases, that has been tied to how tech giants store the personal information of users and how much control users are given over their own data. In others, the point of contention has been whether or not users have explicitly consented to collection to begin with.

In one case, Google ultimately was forced to pay as much as $57 million in fines based on a combination of the violations listed above.


Google's take

Google has reportedly responded to inquiries about the now-official investigation, stating that it will be "engaging" with the DPC investigation and suggesting that authorized buyers using its real-time bidding systems and other ad systems are already subject to "stringent" requirements. As such, the company indicates that it views the inquiry as a learning opportunity and a chance to gain "further clarification" of the relatively new regulations.

That doesn't necessarily mean that Google won't contest the findings of the investigation if those result in additional fines or changes to its underlying practices. Historically, the company has resisted those types of changes and repercussions, which can total up to four percent of its annual revenues, potentially equating to billions of dollars in fines.


The latest investigation differs in that it has its basis in the same regulations but applies more directly to how Google's ad practices either do or do not protect personal user data across the EU. Complaints against the company and others allege that the practice of utilizing real-time bidding systems as part of the process is inherently insecure from a user-protection perspective.

Google's business model relies heavily on practices associated with advertising. Ads make up the largest segment of income for the company — and that's not by a small margin. So this investigation and any changes required following its completion are likely to have a much bigger impact on Google, and on its products and services, than previous objections.