Google accused of using secret web pages to leak users' personal data to advertising firms

The evidence in support of the claim was submitted to Ireland's Data Protection Commission by Brave's Johnny Ryan

Google has been accused of breaching the EU General Data Protection Regulation (GDPR) by using secret webpages to feed users' personal data to advertisers.

That's according to Johnny Ryan, the chief policy officer of web browser maker Brave, who submitted the claim as to Ireland's Data Protection Commission on Wednesday.

The Irish data regulator is currently investigating whether Google uses sensitive personal data, such as details related to health, race, and political inclinations, to target advertising.

"The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of GDPR.

Google creates a page that the user never sees, it's blank, has no content, but allows third parties to snoop on the user and the user is none the wiser

"The GDPR principles of transparency and data minimisation, as well as Google's retention practices, will also be examined," the Irish Data Protection Commission said in May after announcing the investigation. That had followed a formal complaint from Brave.

Chromium-based Brave is a minor, privacy-focused competitor to Google.

According to Ryan, he recently tried to monitor how Google was trading his data on its advertising exchange, the business formerly known as DoubleClick. Ryan said he observed that Google had assigned him an identifying tracker that contained his location and web-browsing information, as well as other data.

According to Ryan, the search giant sends all that information to advertising firms via secret web pages with "no content". These web pages enable third-party companies to match their profiles with Google's profiles for targeting purposes.

Ryan said that during an hour's browsing on six different pages, he found the tracker being sent to a minimum of eight ad tech companies.

"This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it's blank, has no content, but allows third parties to snoop on the user and the user is none the wiser," Ryan told the FT.

He said that the practice undermines Google's own ad buying rules and that Google used the technique as a "workaround" of the EU's GDPR that requires consent and transparency.

However, Google denied the claims made by Ryan, saying it doesn't serve "personalised ads or send bid requests to bidders without user consent".

Nevertheless, Ryan's claims were backed-up by Zack Edwards of consultancy firm Victory Medium, who recruited hundreds of individuals to examine Google's behaviours over a month. All those people verified that their identifying tracker was shared with multiple ad firms.

And the report comes just a day after Google agreed to pay $170 million to settle a lawsuit, in which the company was accused of breaching children's privacy on YouTube.

Google has faced intensifying scrutiny in various countries in recent months over competition issues in the industry and its handling of users' data.

In the US, the company faces a new antitrust investigation led by more than 30 state attorneys general.

Earlier in March, the European Commission imposed a fine of €1.49 billion on Google over what it claimed were "abusive" online ad practices. In its ruling, the Commission said that the search giant had misused its dominance to restrict competitors from placing their search ads on third-party websites.

Last month, 23 job listing websites filed a complaint with European antitrust regulators, accusing Google of using its market dominance to favour its job search unit.