The team behind the Brave internet browser have filed a complaint with authorities in Ireland and the UK regarding privacy violations perpetrated by Google and other "ad tech" companies under the EU's new European General Data Protection Regulation (GDPR).
The Brave team, represented by Chief Policy Officer Dr. Johnny Ryan, claims that Google and other advertising companies expose user data during a process called "bid request."
A bid request occurs when a user visits a site that runs a special category of ads --called "behavioral ads"-- from Google or another advertising firm.
Brave says the code for these ad slots gathers a large amount of user data and broadcasts it back to the advertising platform, exposing the site visitor's data to potential ad buyers who'd like to show an ad to that specific user --in a process known as real-time bidding (RTB).
"A data breach occurs because this broadcast, known as a 'bid request' in the online industry, fails to protect these intimate data against unauthorized access," Dr. Ryan said today. "Under the GDPR this is unlawful."
Data exposed via bid requests, according to the Brave team, includes what the user is reading or watching, location information, IP address, device details, and various types of tracking IDs.
Dr. Ryan claims that this data may contain indirect information about a user's sexuality, ethnicity, political opinions, or various other personal details. Furthermore, he also claims users don't have full control over who and what ad bidders see their data, even if anonymized.
The Brave team, supported by Open Rights Group and Michael Veale of University College London, says this exposure of a user's data via bid requests violates GDPR, Article 5, paragraph 1, point f.
Today's complaints should be followed by an official investigation by British, Irish, and EU officials, Dr. Ryan, and fellow filers argue.
"There is a massive and systematic data breach at the heart of the behavioral advertising industry," Dr. Ryan said today. "Despite the two year lead-in period before the GDPR, adtech companies have failed to comply."
"Our complaint should trigger a EU-wide investigation in to the ad tech industry's practices, using Article 62 of the GDPR," he continues. "The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data."
Contacted by ZDNet, Google said that current GDPR compliancy tools the company has rolled out give users control over their data and advertising settings.
"We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation," a Google spokesperson told ZDNet. "We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalised advertising."
The two complaints --filed with the UK Information Commissioner and the Irish Data Protection Commissioner-- are supported by a 32-page technical report explaining how behavioral ads work and how user data is exposed during the bid request process. No ad tech company besides Google was mentioned by name in the two complaints.
If Google or other ad tech company is found guilty, they could face harsh fines ranging from €20 million ($23.25 million) to up to 4 percent of their global turnover.