Google has been accused of breaching one of the General Data Protection Regulation's (GDPR) principles surrounding consent that requires companies to provide a specific purpose for collecting and processing user personal data.
The GDPR's purpose limitation principle requires organisations to only collect and process personal data for a narrow purpose that must be explicitly expressed to consumers.
Labelling Google's privacy policies as "hopelessly vague and unspecific", Brave chief policy and industry relations officer Johnny Ryan said Google's reasons for collecting data and allegedly limiting detail about how the information is used -- such as "developing new services" -- resemble examples of bad practices that have been drawn out by the GDPR.
Ryan also alleges that while Google provides personalised ads for users based on their interests, it gives limited information about the purposes of processing and why users are seeing a certain ad.
"It is not apparent from the policy which activity, product, or interaction is covered by which purpose. It is therefore difficult (if not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc," Ryan said in the complaint.
The complaint also includes a study, called Inside the Black Box [PDF], which itemises Google's processing purposes for collecting personal data from integrations within websites, apps, and operating systems. The processing purposes range from accounting to advertising to transactions. [....]
The Chromium-based browser has also asked Google to provide a list of the purposes for which Google processes personal data, as well as the relevant legal bases for each purpose.