The Irish Data Protection Commission (DPC) has started an inquiry into the way that Google provides advertising services across the European Union.
The watchdog is investigating whether the use of personal data to target online advertising is compliant with European privacy rules.
The search giant’s Ad Exchange system is used by companies to target people with adverts across the internet.
The Irish DPC could fine Google up to 4% of its global annual turnover.
“The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR),” Irish DPC spokesman Graham Doyle told the BBC.
The search giant has responded: “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding. Authorised buyers using our systems are subject to stringent policies and standards.”
It would not be the first time that Google has been fined by a European data regulator.
The company was fined 50 million euros ($55m; £44m) by the French data regulator CNIL in January, a decision that the company is appealing.
CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
What is Google Ad Exchange?
Google allows companies to target people with adverts on websites across the internet including news websites and blogs.
When a person visits such a site, the advert they see will often be personalised based on data Google has about them.
What is GDPR
GDPR is a piece of EU legislation that aims to create identical data privacy laws across all EU countries.
The regulation, which came into effect during 2018, compels companies to obtain active user consent to collect data among other rules.
Firms must also report any data breaches to authorities within 72 hours.
Why is the Irish authority taking the lead in this investigation?
Under the GDPR, one national data protection authority leads inquiries before presenting a draft decision to other European data regulators. In the UK that is the Information Commissioner’s Office.
The decision for how the data of European citizens is managed is taken in by Google in Ireland, and not in another EU state.
As well as Google, the Irish regulator also has responsibility for a range of other companies including Facebook, Apple, Microsoft and Airbnb.
What could happen to Google?
The Ireland Data Protection Commission can issue fines of up to 4% of a company’s global turnover.
They regulator could also enforce “corrective measures” where it instructs Google to make changes to how it works.
When are findings expected?
Previous investigations by the Irish DPC have reached a draft decision in about seven to eight months, though this Google investigation could take longer.