Seven EU countries file GDPR complaints against Google
Wed 28 Nov 2018
Netherlands, Poland, Czech Republic, Greece, Slovenia, Sweden, and Norway allege Google’s location tracking violates GDPR
Consumer groups in Europe have asked privacy regulators to take action against tech-titan Google for deceptively tracking the movements of millions of Europeans, Reuters reports.
In total seven consumer groups have filed complaints. Speaking on behalf of the countries’ consumer groups, the European Consumer Organisation (BEUC) claimed Google’s practices lack ‘valid legal ground for processing the data in question’.
BEUC alleges that Google uses “deceptive” methods – but exactly what practices is it referring to?
The allegations are based on the findings of a 44-page report published by Norway’s Consumer Council, which identified two problematic privacy settings – Location History and Web & App Activity – that serve as a gateway for location tracking.
“Through a variety of dark patterns, Google is getting a blanket permission constantly to collect the exact location of the user, including the latitude (e.g. floor of the building) and mode of transportation, both outside and inside, to serve targeted advertising,” reads the report.
On the basis of the report, BEUC has accused Google of falling foul of GDPR requirements by not being transparent about the functionality of these settings.
Location History collects data from GPS, WIFI, and Bluetooth to track a user’s location even when they are not outside, and has to be activated.
Google says the feature provides better results and recommendations on Google products, such as restaurants to visit or traffic predictions for daily commutes. Crucially, the information is also used for marketing purposes.
The report criticises Google for only revealing the attractive features of Location History when it invites users to activate it, which occurs at various touchpoints throughout the user journey – for instance when users fire up a Google app for the first time.
“Unless the user clicks the inconspicuous arrow on the right, they will not be informed that this information is also used for marketing purposes,” reads the report.
Web & App Activity
The second setting the report targets is Web & App Activity, which collects user data such as search history, Chrome browsing history, and activity from sites and apps that use Google services.
The setting can provide Google with users’ location data. As it is enabled by default, even users who disable Location History may still find that their locations are being tracked.
Google encourages users to enable the setting, saying it provides ‘better search results, suggestions and personalisation across Google Services.’
However, data from Web & App Activity is also used to provide personalised advertising. The report criticises Google for only revealing this in ‘certain circumstances’.
“In some contexts, such as when setting up a Google account, the use of this data for advertising is not mentioned, even after clicking ‘learn more’. In a few limited contexts, such as when the setting has been actively turned off, and the user attempts to enable it again, Google informs the user about the advertising purposes,” reads the report.
Prospects for penalties
On the basis of the report’s findings Netherlands, Poland, Czech Republic, Greece, Slovenia, Sweden, and Norway have filed complaints to their national data protection authorities.
The penalty for GDPR infringement can amount to 4 percent of a firm’s annual turnover. If found guilty, this means Google could be looking at an eye-watering €20 million fine.
Google released the following statement in response to the Reuters report:
“Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute. If you pause it, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience.”