Google has once again become embroiled in a legal dispute with the European Union (EU) after lawmakers from the Irish Data Protection Commission (DPC) opened a privacy investigation against the firm on 4 February. According to the Commission, Google goes about processing data for location tracking in a manner that stands in breach of Europe’s tight privacy regulations.
“The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing,” the DPC wrote in a statement. It went on to affirm that it had “commenced an own-volition Statutory Inquiry,” with respect to Google Ireland.
The DPC added that the aim of the investigation is to “establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency.”
Location tracking takes centre stage
At its core, the DPC’s privacy investigation centres around the manner in which companies make use of data for location tracking. This comes amid rising concern about location settings being used to track the whereabouts of users around the world.
In response to both the concerns and the privacy investigation itself, Google told TechCrunch that people “should be able to understand and control how companies like Google use location data to provide services to them.” The tech giant stated further that it intends to “cooperate fully with the office of the DPC in its inquiry, and continue to work closely with regulators and consumer associations across Europe.” Google added that it had already rolled out a number of “product changes to improve the level of user transparency and control over location data.”
Along with the privacy investigation into Google, the DPC also launched another investigation concurrently, this time into Match Group. It alleged that Match Group’s flagship dating app, Tinder, is responsible for the “ongoing processing of users’ personal data,” including data that is used for location tracking.
The Irish data watchdog could force both Google and Match Group to pay heavy fines of up to 4% of their annual turnover, should the privacy investigation find them to be in breach of General Data Protection Regulation (GDPR) guidelines with respect to their location tracking practices.
A privacy investigation long overdue
In spite of its privacy investigation aimed at Google, the DPC has nevertheless faced extended criticism for the length of time that it has taken to respond to the issue in line with GDPR guidelines on location tracking. Since the law came into force in May 2018, for example, the DPC has not yet enforced its guidelines.
However, the DPC’s slow movement has not come from a lack of cases. Complaints around Google and its use of location tracking date all the way back to November 2018 — half a year after the GDPR came into effect in the first place. Facing new restrictions on how corporations use the personal data of their customers, clients, and employees, tech giants such as Google have since been forced into a messy period of adjustment and the possibility of coming under privacy investigation.
According to the European Consumer Organization (BEUC), regulatory urgency on the issue of location tracking is necessary because of Google’s capacity to monitor people’s whereabouts, such as “bars, shops, places of worship grant companies.” They warn that this would be giving Google the power to “draw conclusions about our personality, religion or sexual orientation, which can be deeply personal traits.”
“It is good that the Irish data protection commission has eventually decided to go forward with this investigation into Google’s massive location data collection,” BEUC adds.
Reports have surfaced that point to a backlog in the number of cases being dealt with by the DPC, and that neither the DPC nor Ireland’s legal system more broadly is adequately prepared to manage the volume of appeals on their hands.
This, especially in relation to an issue as heavy as location tracking, is a matter of grave concern. The DPC is the EU’s lead regulator when it comes to upholding the GDPR and other European privacy laws. This, in effect, leaves the DPC as the de facto body in charge of overseeing big tech in Europe — a responsibility that arises, in part, from Dublin being the home of the European headquarters of several big tech firms, including Google, Facebook, LinkedIn, and Microsoft.
The propensity for Google and other big tech firms to become entangled in new GDPR regulation leaves an important job for regulatory bodies, such as the DPC. With Google having already been embroiled in a similar privacy investigation last year (involving France’s privacy watchdog CIPL), it would seem very possible that big tech will be in hot water with the EU for a while to come, and that recent developments are only an indication of things to come.