Irish Data Protection Commission Inquiry into Google

Irish Data Protection Commission Inquiry into Google

On the anniversary of the creation of GDPR, the Irish Data Protection Commission opened a statutory inquiry into Google Ireland Limited’s processing of personal data through the mechanism of personalised online advertising.

The Commission seeks to establish whether such personal data is being processed in accordance with GDPR. As part of the Commission’s inquiry, the GDPR principles of transparency, data minimisation and data retention will also be closely examined.

Dr Johnny Ryan, the Chief Policy and Industry Relations Officer for the privacy-oriented web browser ‘Brave’, made a formal complaint to the regulator. This submission forms an integral part of the on-going investigation into the practices surrounding online advertising technology.

In Dr Ryan’s submission he states that there has and continues to be a “massive and ongoing data breach” concerning Google’s ad services business. Dr Ryan also submits that Google “leaks intimate data” about people’s activity on millions of websites to thousands of companies every day and that this practice is worth billions of euros to Google.

In January 2019, Google received the biggest GDPR fine to date when it was fined €50 million by France’s data protection authority regarding personalised advertising. The French regulator said that Google failed to provide enough information to the data subjects about its consent policies and did not give them enough control over how their information was used.

Google has announced that it will be co-operating fully with this inquiry and welcomes every opportunity to further clarify the GDPR’s rules regarding personalised online advertising. Google maintains that the advertisement buyers using their systems are subject to stringent policies and standards.

Last year Google Ireland announced a €5.9 billion rise in global annual turnover equating to €32.2 billion. This sharp rise has been attributed to a spike in advertising revenue making this inquiry all the more prevalent. As has been heavily advertised, the GDPR affords data protection authorities the powers to fine companies up to 4% of the offending company’s global turnover of the previous year or €20 million, whichever is greater. This 4% fine, which the Commission has at its disposal, could therefore amount to over €1.2 billion. With Google Ireland paying out a €1.6 billion dividend that year, its shareholders will certainly be watching this inquiry with a very keen eye as their dividends have the potential to become considerably less lucrative.

Whilst the 4% global turnover is the maximum penalty reserved for significant breaches only, it is not unimaginable that the Commission may  attempt to make an example of Google and display their severed heads on the city walls as a warning against future breaches.

If you would like more information on this article please do not hesitate to contact Ben Henderson on 01494 478677 or at