Brave Browser Files GDPR Complaint Against Google

Brave has filed a formal complaint against Google with the lead GDPR enforcer in Europe. The complaint comes after Dr. Johnny Ryan, Brave's chief policy and industry relations officer, promised to take Google to court if it didn't stop abusing its power by sharing user data collected by dozens of its distinct services, and creating a "free for all" data warehouse. Cointelegraph reports: Now, the complaint is with the Irish Data Protection Commission. It accuses Google of violating Article 5(1)b of the GDPR. Dublin is Google's European headquarters and, as Dr. Ryan explained to Cointelegraph, the Commission "is responsible for regulating Google's data protection across the European Economic Area." Article 5(1)b of the GDPR requires that data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." According to Dr. Ryan: "Enforcement of Brave's GDPR 'purpose limitation' complaint against Google would be tantamount to a functional separation, giving everyone the power to decide what parts of Google they chose to reward with their data."

In addition to filing a formal complaint with the Irish Data Protection Commission, Brave has reportedly written to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, and French Autorite de la concurrence. If none of these regulatory bodies take action against Google, Brave has suggested that it may take the tech giant to court itself.

European Economic Area

[AHuxley]

The place innovate US brands go to enjoy the full power of EU nations laws and rules.

Re:European Economic Area

[Errol backfiring]

The place innovate (?) US brands go to enjoy the full power of EU tax evasion.

There, fixed that for you.

Re:European Economic Area

[andrewbaldwin]

One would assume a company the size of Google could afford lawyers to do due diligence.

In which case, they must have entered the European market fully cognisant of the fact that the local laws are not like the US and that, in general, politicians and judges cannot be bought like they can back home. Despite this, accessing a huge market must offer financial attractions and thus they should be able to argue a cost-benefit case.

It's quite simple - want to do business in country X ? then follow the laws of country X.

The US would certainly react if a company was importing Cuban cigars, North Korean products... and wouldn't accept special pleading/whining "but we're based overseas so we don't obey US laws".

Innovative brands (if re-packaging spreadsheets, word processors... in "the cloud" really is innovative; the search innovation ship sailed long ago) can freely choose whether or not to operate in other countries; they cannot choose whether to obey their laws.

As for "enjoy the full power..." -- they do indeed. They get the same police, fire brigade protections, infrastructure (roads etc) as other people - even when they fail to pay their fair share of taxes.

Re:

[lamber45]

Google registered its domain-name in 1997, incorporated in 1998 and went public [wikipedia.org] in 2004.

A proposal for the GDPR was released in 2012, and it was adopted [wikipedia.org] in 2016.

So when they "entered the European market", GDPR did not exist.

GDPR is nice for those it gives rights to, but a pain to implement even for the best actors. If an organization already has written, well-justified policies and a culture of minimizing retained personal information, that makes compliance somewhat easier, but still tedious and disruptive.

Well

[BladeMelbourne]

That's brave of them... to take on Google.

Re:Well

[AmiMoJo]

They have an ulterior motive. Brave is an advertising company, their revenue comes from ads and their cryptocurrency scam (which is also ad based).

So Google is a direct competitor for their revenue stream.

Re:Well

[Mr. Dollar Ton]

What do you mean by "ulterior motive"? If some players feel that a large, established competitor, which dominates the market is using that domination to its advantage unlawfully, then filing a complaint is a totally legit move.

In fact, in today's corporate-sponsored and corporate manipulated legislative environment, this may be the only reasonable way to get enforcement.

The loss for an individual from all these violations may well be set below the cost of mounting action by the violator, and corrective action may never happen without someone with an "ulterior" motive.

Where is the problem if the institutions restore some competitiveness in the market, regardless on whose request?

Re:

[AmiMoJo]

Oh sure, I'm not arguing that the complaint isn't legitimate. It is, and I hope they prevail.

I'm just pointing out that Brave are hardly the good guys here and are probably not doing it for our benefit.

Re:Well

[twocows]

Why do you believe BAT is a scam? I would like to see your reasoning on it, as I know next to nothing about the subject.

Re:

[AmiMoJo]

All crypto currencies are some kind of scam.

Advertisement profiling

[thegarbz]

is a "explicit and legitimate purpose" for a company that makes all its money from advertisement. Maybe Brave should stick to making a decent browser rather than filing frivolous complaints.

Re:

[AmiMoJo]

GDPR requires that explicit opt-in permission be obtained for each use. It's possible that Google's single "I agree" opt-in is not enough to authorize all the uses it puts the data to. Really the user should be able to select which ones they accept, and not accepting should not be a barrier to using the services if the things they refuse are not essential to providing those services.

Re:Advertisement profiling

[Richard_at_work]

No it doesn’t - consent is just one of 6 lawful basis for processing. If Google can justify processing under any of the other 5 basis, they are fine.

The issue of consent is one of the most misunderstood aspects of the GDPR.

Re:

[AmiMoJo]

That's true, although I'm not sure what other basis they would use. Clearly advertising is not essential to provide search results, profiling is not necessary to display ads on other sites.

What would the basis for their argument be, do you suppose?

Re:

[Richard_at_work]

I don’t know, I was just pointing out that your assertion that opt-in (ie consent) is explicitly required was wrong and there are more basis for lawful processing than that - your post was propagating the most common misconception with the GDPR, namely that consent is always required. It isn’t.

It’s entirely possible for Google to claim lawful processing on the basis of legitimate interest (it’s a legitimate interest of theirs to provide targeted advertising for the use of their othe

Re:

[AmiMoJo]

Fair enough. We shall see what they base their appeal on I guess.

Re:

[Mascot]

It may be misunderstood, but it _is_ the most visible basis for collecting personal data.

The other options tend to be fairly specific and/or contain phrasing to the effect of processing having to be necessary for the agreed upon purpose and that it cannot infringe on the right to privacy of the data subject. If someone creates a Google account to use e.g. Google Mail, that places restrictions on what Google can do, regardless of what they claim the right to in the EULA. "We earn more money if we sell all th

Re:

[Mononymous]

It's possible that Google's single "I agree" opt-in is not enough to authorize all the uses it puts the data to.

I've been using Google since about 2000. In all that time, it has never had an "I agree", just "Google Search" and "I'm Feeling Lucky".

Re:

[AmiMoJo]

What jurisdiction are you in? Do you use an ad blocker?

In Europe you get these every time you visit Google without the cookie they set when you agree or dismiss it, e.g. if you do an Incognito Mode search.

Re:

[Mononymous]

Sorry. I'm an American. Of course I noticed that the story's about GDPR. It just didn't occur to me that the site might look different over there.

Re:

[thegarbz]

I've been using Google since about 2000. In all that time, it has never had an "I agree", just "Google Search" and "I'm Feeling Lucky".

I call bullshit. Google own search website displays the opt in constantly because they seem to update their ToS every 6 months. Even now simply visiting Google.com in incognito mode will present you with their dataprivacy banner.

Re:

[thegarbz]

GDPR requires that explicit opt-in permission be obtained for each use. It's possible that Google's single "I agree" opt-in is not enough to authorize all the uses it puts the data to.

If that were the case the EU would have already had a field day over this.

Re:

[Opportunist]

Pedo? Really? Doesn't anyone believe in terrorism anymore that we have to pull out the second horseman of the infocalypse already?

Re:

[Opportunist]

I did not know that raping kids is a far-right issue. Is this a religious thing or an anti-socialist thing?

Re:

[Opportunist]

So ... leftists are all gay bashing, white supremacists? Because by your logic, their push for more rights for these groups would be classic deflection behaviour.

Do you make sense in your own little world?

Re:

[Merk42]

That's what happens when everyone wants something for free. It has to be paid for somehow.

This is of course academic

[Rosco P. Coltrane]

Firstly, everybody knows Google only exists because it slurps massive amounts of data from everybody and everything. It's never gonna stop doing it no matter what anybody would like them to do, it's its raison d'etre.

Secondly, assuming Google is ordered to comply with the GDPR and they declare that they now do, who will double-check? Just like Facebook or Amazon, they're so fucking big there's just no way an independent audit can say with 100% confidence that yes, now they act clean. So, as always, we'll have to take their word for it - and their word is not worth much.

Re:

[AmiMoJo]

The various agencies tasked with enforcing GDPR can check for compliance, including demanding documentation or even raiding their offices for it.

There is also the issue of putting that data to commercial use without revealing that you have it. Kind of difficult.

GDPR is trash

[noobiedoobiedo]

GDPR was a huge mistake by the idiot EU.

Re:

[ThomasD3]

I like the GDPR. While people in the US are used to be raped by their banks, cable companies, and internet providers, the situation is not the same in Europe. People are not products to profile and monetize and the GDPR is one step in the right direction. It has its faults, by making clear that monetizing people is not a de facto right in Europe is very important.

No contest

[marcle]

Well, Google is bigger than the EU so it won't change much. But it's a good thing that somebody is calling out that business model. It's like the proverbial frog in the pot of gradually warming water. We're so used to having our personal data profiled, packaged, and sold, that we think that's normal.