Irish Regulator Opens Probe Into Google's GDPR Compliance

After fielding complaints, Ireland's Data Protection Commission, which enforces protections for Europe, will examine whether Google's Ad Exchange marketplace handled user data in violation of the sweeping EU data privacy regulation that went into effect last year

Another European regulator will scrutinize a lucrative Google business, this time in a probe of data management practices involving the internet giant's primary marketplace for buying and selling ads.

The Office of the Data Protection Commissioner, an Irish regulatory body that serves as the European Union's watchdog for upholding personal data protections, said Wednesday it will examine whether Google Ad Exchange tracked users or stored data in violation of the GDPR law that went into effect one year ago.

The brief statement from the office said the probe arises from the Commission's "ongoing examination of data protection compliance in the area of personalised online advertising and a number of submissions to the Data Protection Commission."

The only specific submission cited was made by Johnny Ryan, chief policy & industry relations officer at Brave, an open source web browser that blocks ads and tracking.

[Related: Google Showcases On-Device Artificial Intelligence Breakthroughs At I/O]

An inquiry has started "in respect of Google Ireland Limited's processing of personal data in the context of its online Ad Exchange," the statement said.

Over the last two years, Google has been fined billions by European regulators in three probes of its advertising, mobile, and comparison shopping businesses.

A Google spokesperson told CRN: "We will engage fully with the DPC's investigation and welcome the opportunity for further clarification of Europe's data protection rules for real-time bidding. Authorized buyers using our systems are subject to stringent policies and standards."

Ad Exchange is a real-time market that allows advertisers to bid for placement on premium websites.

The Irish regulatory team will look at whether Google complied with GDPR principles of transparency and data minimization, as well as proper retention practices, when processing user data across each stage of those transactions.

The General Data Protection Regulation was adopted by the EU in 2016, and enforcement began in May 2018. The purpose of the law is to give EU citizens greater control over how their personal data is used.

The latest probe comes two months after EU regulators fined Google $1.69 billion for what they decided were anti-competitive advertising practices in its AdSense business.

AdSense, which places targeted ads on third-party websites and search results, feeds into Ad Exchange. That service contractually restricted publishers from hosting ads of Google competitors, stifling competition, according to the European Union's antitrust regulator, the European Commission.

That practice violating anti-trust rules lasted more than a decade before Google eliminated the contested clauses in AdSense contracts in July of 2016 after the Commission formally objected.

Google has already taken actions to comply with two previous EU cases—one for Google Shopping and the other involving the Android phone business, Walker noted.

In June of 2017, the European Commission fined Google $2.7 billion for giving its own comparison-shopping service an "illegal" advantage. Google practices amounted to an "abuse of Google's dominant position in general internet search," the EC said.

At the time, it was the largest fine ever imposed by the EU.

But a year later, the European Commission blew past that record penalty when it fined Google $5.05 billion for search engine practices related to the Android mobile operating system.

That record fine was in response to Google "breaching EU antitrust rules" by imposing "illegal restrictions" on Android device makers and mobile network operators, allegedly aimed at bolstering Google's search engine.