Level 63
Google has been accused of breaching one of the General Data Protection Regulation's (GDPR) principles surrounding consent that requires companies to provide a specific purpose for collecting and processing user personal data.

In a complaint [PDF] filed to the Irish Data Protection Commission (DPC), Chromium-based browser Brave alleges that Google's privacy policy infringes the GDPR "purpose limitation" principle as it "does not transparently and explicitly specify the purposes for which the data is collected and processed".

The GDPR's purpose limitation principle requires organisations to only collect and process personal data for a narrow purpose that must be explicitly expressed to consumers.

Labelling Google's privacy policies as "hopelessly vague and unspecific", Brave chief policy and industry relations officer Johnny Ryan said Google's reasons for collecting data and allegedly limiting detail about how the information is used -- such as "developing new services" -- resemble examples of bad practices that have been drawn out by the GDPR.

Ryan also alleges that while Google provides personalised ads for users based on their interests, it has limited information regarding the purposes of processing and why users are seeing a certain ad.

"It is not apparent from the policy which activity, product, or interaction is covered by which purpose. It is therefore difficult (if not impossible) to decipher if and when a particular purpose applies, for example, to data collected or processed in the context of YouTube, Authorised Buyers or Maps etc," Ryan said in the complaint.

The complaint also includes a study, called Inside the Black Box [PDF], which itemises Google's processing purposes for collecting personal data from integrations within websites, apps, and operating systems. The processing purposes range from accounting to advertising to transactions. [....]


Level 13
This is great, let's see how this is handled and treated by the EU court. This also could have implications for Windows 10 telemetry (not the basic but the full diagnostic data). I understand that for compatibility and driver issues Microsoft wants to know on what hardware Windows 10 is running (basic), but for what "specified, explicit and legitimate purposes [GDPR article 55(1)(b)]" Microsoft wants to know what websites I visit and movies I watch (just to mention two examples) raises questions at the least (full diagnostic data in Windows 10).