Brave accuses Google of infringing the 'purpose limitation' principle of GDPR

Brave describes Google's privacy policies as 'hopelessly vague and unspecific'

Privacy-focused web browser Brave has filed an official complaint accusing Google of infringing the "purpose limitation" principle of the EU's General Data Protection Regulation (GDPR).

Filed with the Irish Data Protection Commission (DPC), Brave's complaint alleges that Google's privacy policy "does not transparently and explicitly specify the purposes for which the data is collected and processed", which violates Article 5(1)b of the GDPR.

Brave said that the "purpose limitation principle" of GDPR requires organisations to internally ring-fence users' personal data and use it only for the "specific purpose it was collected for".

"Brave's evidence shows that Google's internal data free-for-all is unlawful," Brave's chief policy and industry relations officer, Dr Johnny Ryan, said in an online post.

In addition to the Irish DPC, a complaint on behalf of Ryan was also sent to the European Commission, the UK Competition & Markets Authority, Germany's Bundeskartellamt, and the French Autorité de la concurrence.

Ryan described Google's privacy policies as "vague and unspecific", and added that the company's practice of restricting details about how it uses the collected information is an example of bad practice.

When Ryan approached Google to provide details of the purposes for which his own personal data is collected, he was referred to a series of links on Google's website, including reference to the company's privacy policies.

Brave argued that the "policies and procedures" of the search giant are spread across multiple websites and links, which makes them difficult for users to identify and understand.

Brave is now requesting European data protection regulators to force Google to provide a list of the purposes for which it processes users' personal data, as well as the legal bases for each purpose.

This is not the first time that Brave has accused Google of violating GDPR principles.

Last year, Brave claimed that Google had breached GDPR by using secret webpages that fed users' personal data to advertisers.

Google denied the claims made by Brave at that time, saying it doesn't serve "personalised ads or send bid requests to bidders without user consent".

However, Brave's claims were backed up by Zack Edwards of consultancy firm Victory Medium, who said that it had recruited hundreds of individuals to examine Google's behaviours over a month, and all those people verified that their identifying tracker was shared with multiple ad firms.

The report from Victory Medium came just a day after Google agreed to pay $170 million to settle a lawsuit, in which the company was accused of breaching children's privacy on YouTube.

Earlier in March 2019, the European Commission imposed a fine of €1.49 billion on Google over what it claimed were "abusive" online ad practices.

Brave's latest accusations against the search giant come at a time when an academic study carried out by a security researcher at the School of Computer Science and Statistics at Trinity College in Ireland found Microsoft's Edge browser to be the least private among all browsers.

According to Douglas Leith, the lead researcher of the study, Microsoft Edge sends privacy-invasive telemetry to Microsoft's back-end servers - including device identifiers and URLs typed into browsing pages.