The Data Protection Commissioner is investigating whether Google has breached the General Data Protection Regulation (GDPR) in the way it processes user data to provide personalised online advertising.
The investigation follows a number of complaints, including one from Dr Johnny Ryan of private web browser Brave, who has claimed that Google’s DoubleClick/Authorized Buyers system is responsible for the "most massive leakage of personal data recorded so far".
It has been claimed that DoubleClick/Authorized Buyers is installed on over 8.4 million websites, and broadcasts personal data about visitors to the sites to over 2,000 companies, hundreds of billions of times a day.
“The data can include people’s locations, inferred religious, sexual, political characteristics, what they are reading, watching, and listening to online, and unique codes that allow long term profiles about each person to be built up over time,” Brave said in a statement.
It further said there is no control over what happens to the data once broadcast.
“Surveillance capitalism is about to become obsolete,” said Dr Ryan.
“The Irish Data Protection Commission’s action signals that now, nearly one year after the GDPR was introduced, a change is coming that goes beyond just Google.
“We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR,” he said.
In a statement, the DPC said: "The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation.
"The GDPR principles of transparency and data minimisation, as well as Google's retention practices, will also be examined."
A Google spokesman said the company “will engage fully with the DPC's investigation and welcome the opportunity for further clarification of Europe's data protection rules for real-time bidding".
"Authorised buyers using our systems are subject to stringent policies and standards," the tech giant said.
The DPC has the power to fine companies up to 4% of their global annual turnover.
Ravi Naik, a partner at ITN Solicitors instructed by the complainants, said he was pleased the DPC was taking action. “For too long, the AdTech industry has operated without due regard for the protection of consumer data," he said.