As the linked article (and the API docs linked from that article) indicates, it contains a Google user ID, which is unique to a user. That by itself already makes it PII.
Furthermore, you probably know the IP of the user you're serving a page to, that combined with this data also makes it PII..
It's not about wether you can determine the person's name, mail address or whatever, it's wether this combination of data is or can be unique to a single person.
The type of personalized ads you describe only trigger if the user has clicked on the "allow personalized ads" button. If they did not only non-personalized things happen this is things what the website is about and course location (city or zipcode) (the latter is not personalized information as they lawyers explained to me because "it can't identify a person").
That may be true, but allowing personalised ads is something completely different from 'share my personal information with thousands of unnamed third parties', which is what this is about.
"Allow personalized ads" is on by default, which is iffy under the GDPR. Especially considering that, when it's enabled, they match you to your Google account even if your current browser isn't signed in to the Google account.
No it is not! Google requires each individual website to gather consent affirmative for personalized ads before Google will provide personalized ads. There was big issue over if Google would effectively force everyone to use it's solution as it would be the only way Google could be 100% sure the publisher isn't cheating. In the end Google allowed publishers to use whatever method they want.
But in practice, doesn't “affirmative consent” means clicking the big yellow “OK” button below a paragraph of vague weasel words instead of the little white “Configure privacy options” link, or in the case of website operators like Oath, not going three pages deep?
The phrase "personally identifying information" does not occur anywhere in the text of GDPR. The term used throughout is "personal data", which is defined differently.
>It's not about wether you can determine the person's name, mail address or whatever, it's wether this combination of data is or can be unique to a single person.
Uniqueness is irrelevant unless there is sufficient identifying data to associate that data with an identifiable natural person. Unless you have some means of ultimately figuring out "this data belongs to Joe Bloggs of 123 Any Street", then it isn't personal data.
Art. 4 (1):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Pseudonymous data falls within the scope of GDPR if other information could be used to associate that data with an identifiable natural person. Truly anonymous data is exempt - you might know a lot about person X, but that's only personal data if you can figure out that Person X is actually Joe Bloggs. It really isn't clear to me that Google are in breach in this instance; it's highly plausible that they are, Brave's allegations certainly warrant investigation, but the law is relatively complex and it's also somewhat plausible that Google are sailing very close to the wind while just barely remaining in compliance.
> Unless you have some means of ultimately figuring out "this data belongs to Joe Bloggs of 123 Any Street", then it isn't personal data.
That's not exactly accurate.
I like the ICO's literature on this[1] because they put a little more colour on what it means to be "indirectly" identifiable, and they are pretty clear:
• You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
• It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
• That additional information may be information you already hold, or it may be information that you need to obtain from another source.
That's the case here: An ISP such as Vodafone knows the IP addresses of their broadband users, and perhaps even some of their cookies -- they have this other piece of data that makes what Google is providing personal data. To my knowledge Google isn't attempting to even argue otherwise, instead they have taken the position that the person has consented (using various consent managers or click-to-accept dialog boxes), so therefore it's pseudonymous, which makes your next paragraph a little more important:
> Pseudonymous data falls within the scope of GDPR if other information could be used to associate that data with an identifiable natural person. Truly anonymous data is exempt...
This is incorrect. Again from the ICO:
• Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
• Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
Very clear: All it takes is for the data to relate to a person.
> It really isn't clear to me that Google are in breach in this instance
It's not clear to me either, or (to my knowledge) to the Irish DPC at this stage, but part of their responsibility is to figure it out. They have released very little information so far[2] so there's little point armchair-lawyering on what their position or defence would be.
If it's not exposed to the internet no problem.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
A "private home page accessible to only those who have the address" is a public page.
That's not a private note, and I'd be livid if somebody was posting my contact and medical details online. I see no problem with this ruling, nor do I see it as evidence contrary to the idea that one may keep private notes.
In response to a comment about keeping notes, which any reasonable person would interpret as meaning private notes.
What got my goat, though, wasn't the mere, if silly, clarification that notes are only protected if they're private. It's the phrasing of the quote to suggest that somehow these notes should have been considered private because the publisher didn't intend on anyone reading them (despite publishing them such that they could).
What court wording are you referencing? The judgment says "private home page which is none the less accessible to anyone who knows its address", a very different turn of phrase.
I meant do you have a source for the court notes where they said that. It doesn't sound like a quote to me, it sounds like a precis.
In fact it sounds like a precis of the quote I provided, but I could also imagine the defendant's lawyer saying it in the more loaded way presented here.
Furthermore, you probably know the IP of the user you're serving a page to, that combined with this data also makes it PII..
It's not about wether you can determine the person's name, mail address or whatever, it's wether this combination of data is or can be unique to a single person.