Campaigners claim that Google keeps non-GDPR compliant files on internet users’ ethnicity, health, ethnicity and sexual orientation

Privacy campaigners have provided what they say is new evidence to back-up their claims that internet giant Google is not complying with the EU’s General Data Protection Regulation (GDPR).

Google, however, has denied the new claims.

The evidence backs up complaints originally filed to three data protection authorities across the EU in September, suggesting that Google and other online advertising auction companies “unlawfully profile internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation”.

The complaints have been filed with data protection registrars in the UK, Ireland and Poland.

“Every time you visit a website that uses ad auctions, personal data about you is broadcast in ‘bid requests’ to tens or hundreds of companies. Part of this process categorizes what you watch or read or listen to.

“The categories can be benign, such as ‘Tesla motors’, ‘bowling’, or ‘gadgets’. But, as the new evidence filed today shows, they can also be extraordinarily sensitive,” claimed the privacy campaigners.

One category highlighted by the campaigners includes “IAB7-28 Incest/Abuse Support”, enabling advertisers to target victims of abuse, according to one of the ad auction industry’s own Interactive Advertising Bureau’s classifications.

“Google runs its own category list, which includes equally sensitive insights such as as ‘eating disorders’, ‘left-wing politics’, or ‘scientology’,” the campaigners add .

They claim that the tracking IDs that are attached to internet users, which can be added to advertising lists according to what is seen and clicked-on online, is a breach of people’s privacy.

“Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure,” said Katarzyna Szymielewicz, president of the Polish privacy group, the Panoptykon Foundation.

Just loading a web page can trigger multiple automated auctions, the results of which dictate what adverts are seen online, bespoke to different internet users.

“Ad auction companies can fix this by simply excluding personal data, including their tracking IDs, from bid requests. If the industry makes some minor changes then ad auctions can safely operate outside the scope of the GDPR.

“This would protect privacy,” added Johnny Ryan, chief policy and industrial relations officer at Brave Software, the company behind the Brave privacy browser, which has supported the GDPR complaints.

However, in a statement to Computing Google rejected the claims made by the campaigners.

“We have strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories such as race, sexual orientation, health conditions, pregnancy status and so on,” a Google spokesman told Computing.

They continued: “If we found ads on any of our platforms that were violating our policies and attempting to use sensitive interest categories to target ads to users, we would take immediate action.”

The evidence released this week comes after Google was fined €50 million by CNIL , the French data protection authority, following a GDPR complaint filed just after the Regulation came into force on 25 May 2018. The company has vowed to appeal .

Edited 5pm, 28 January to include comment from Google