Google Ads and the GDPR
Ireland's Data Protection Commission announced an investigation this week into whether or not Google's processing of data during advertising transactions violates the General Data Protection Regulation, and whether or not Google complies with the provisions of the GDPR on data minimization and transparency.
This investigation arose from a complaint filed by an executive of a software company. It concerns an online behavioral advertising system, known as DoubleClick, Google's ad service. The complaint alleges that Google's system collects data from users that visit websites with its ads. The data controller loses control over how his or her data is used, when it is 'broadcast' on the site. The data processed includes special category data under the GDPR - that which reveals ethnic origin; political opinions; health data; religious beliefs; sexual orientation and other personal background information. The system does not require the controller's consent. Article 9 of the GDPR requires explicit consent for the processing of special category data.
The complaint alleges a violation of Article 5's requirement that the amount of data processed not be excessive for the purpose for which it is collected, and not be retained longer than necessary.
The complaint asserts that a data protection impact assessment is needed because processing poses a, 'a high risk to the rights and freedoms of natural persons'. See, ¶ 38.