Dr Johnny Ryan, Brave’s Chief Policy & Industry Relations Officer, filed the complaint with Google’s lead GDPR regulator in Europe, the Irish Data Protection Commission.

“Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the Internet”, said Dr Ryan.

“But merely having everyone’s personal data does not mean Google is allowed to use that data across its entire business, for whatever purposes it wants. Rather, it has to seek a legal basis for each specific purpose, and be transparent about them. But Brave’s new evidence reveals that Google reuses our personal data between its businesses and products in bewildering ways that infringe the purpose limitation principle. Google’s internal data free-for-all infringes the GDPR”.

The purpose limitation principle is set forth in Article 5(1)b of the GDPR:

“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”.[1]

The purpose limitation principle requires that organizations must scrupulously ring fence data for specific purposes. These purposes must be made clear, and be very specific.



Google’s internal data free-for-all

For six months Dr Ryan asked Google one simple question: “What do you do with my data?” Despite several rounds of correspondence, and having the right to this information under Article 15 of the GDPR, Google refused to properly engage with the question.

Google is a black box. Today, Brave is releasing a study that offers a glimpse inside. ‘Inside the Black Box’ examines a diverse set of documents written for Google’s business clients, technology partners, developers, lawmakers, and users. It reveals that Google collects personal data from integrations with websites, apps, and operating systems, for hundreds ill-defined processing purposes.

Google’s purposes are so vaguely defined as to have no meaning or limit. The result is an internal data free-for-all that infringes the GDPR’s purpose limitation principle.