As soon as the European General Data Protection Regulation (GDPR) went into effect in May 2018, it was only a matter of time before tech giants like Google would start to receive complaints about potential GDPR violations. And now just six months later, Google is facing its first challenge under Europe’s strict new data protection regulations. A group of seven European Union member state countries – Czech Republic, Greece, Norway, the Netherlands, Poland, Slovenia and Sweden – are now asking European privacy regulators to take action against Google for its “deceptive practices” related to location tracking.
Google’s problems with location tracking
According to the European Consumer Organization (BEUC), which is representing the interests of consumer groups in these seven nations after their complaints against Google were submitted to the relevant national data protection authorities, Google has been playing fast and loose with the way that it collects and uses location data, and it’s time to assess penalties against the Silicon Valley search giant. In a prepared statement, the Director General of the BEUC noted that, “Google lacks a valid legal ground for processing the (location) data in question” and that “consent is not freely given” by Google users.
The problem at the heart of the matter is the “Location History” functionality found on any Google Android phone. When users toggle “Location History” on, Google can easily track their location in order to deliver specific services. For example, it’s a lot harder to deliver Google Maps information that is relevant if “Location History” is turned off. However, in the interests of personal privacy, some users might wish to turn “Location History” off.
Is Google guilty of GDPR violations?
And it’s here that Google appears to have created a legal headache for itself in terms of potential GDPR violations. As the BEUC has noted, simply toggling “Location History” off doesn’t mean that Google stops tracking you. Instead, in order to really stop Google from tracking you, you also need to turn off a second type of functionality called “Web and App Activity,” otherwise Google will continue to use your GPS location data in various ways. The fact that toggling something “off” doesn’t actually turn something “off” is what is so deceptive, according to the BEUC.
Google, however, defends this practice by saying that the setting of “Location History” is turned off by default, and that users must give their consent for it to be turned on. Moreover, Google says that you can edit, delete or pause your “Location History” at any time, and that it specifically makes clear that disabling “Location History” does not turn off all location tracking. All of these steps are in accordance with industry best practices, and would not run afoul of the European GDPR and its rules for European data subjects.
Where things get a bit more controversial, though, is how Google continues to track your location even when you have turned off “Location History.” Google says it is only using this data processing in order to offer “necessary” services. This, too, is covered under the description of what constitutes potential GDPR violations, which says that companies are not committing any GDPR violations as long as data being collected is “necessary” for an app to work. Google says it uses this location data to improve your Google experience.
Potential penalties and fines for GDPR violations
So what happens next? In a worst-case scenario, Google could be facing massive fines from European privacy regulators for these GDPR violations. Google, in short, would be expected to mitigate the damage. According to the terms of the GDPR, total fines can reach 4 percent of global turnover in certain cases. Based on Google’s worldwide annual revenue numbers from 2017, that figure could be a staggering $4 billion.
Given the potential size of that fine for GDPR violations, it’s clear that Google will do everything it can to show that it has done nothing wrong when it makes its case to the data protection authorities. And, in fact, Google has been preparing for the GDPR for nearly 18 months, so a lot of thinking has theoretically gone into making its products and services complaint with all regulations.
However, the BEUC doesn’t appear ready to back down after it filed complaints. And some of the language used by the BEUC is clearly designed to portray Google in the worst possible way. For example, the BEUC, in laying out its case, says that “Google’s data hunger is notorious,” as it goes about finding ways to track users and monetize personal data. Moreover, the BEUC notes that, “Google didn’t respect fundamental GDPR principles.”
But not all privacy analysts think that the Google case is as simple as it might sound on the surface. For example, Amit Ashbel, security evangelist for data protection and compliance provider Cognigo, says that, “As far as I know, Google does disable tracking by default, and it seems that this is an attempt to catch them on something that is very minor. The problem is so much wider distributed that there is no need to look so hard to find a GDPR regulation breach. Most organizations today are in breach of GDPR regulations by just not knowing where 80% of their data is, and thus not managing, protecting or being able to report on it.”
The legal issues involved in the GDPR case
At this point, it’s up to the courts to decide the case. This will be the first-ever challenge in court of GDPR violations, and how this high-profile case against Google goes could tell us a lot about future cases. If consumer organizations across Europe see that they are being listened to, it’s easy to see how they could become emboldened to file additional complaints about GDPR violations against any tech company – not just Google, but also the likes of Facebook.
The courts will need to determine a number of factors, such as whether or not Google engaged in “deceptive practices” by requiring users to toggle two buttons instead of one in order to turn off location tracking. And the courts will also need to determine if the data collected under “Web and App Activity” is truly necessary for the functioning of apps and services, or whether this data was somehow monetized.
Certainly, the big tech giants of Silicon Valley will be keeping a close eye on this situation with the European supervisory authorities. Until now, they have largely been able to avoid any penalties or fines simply by promising a program of comprehensive self-regulation. However, as this new case over location tracking shows, companies like Google and Facebook simply have not been doing enough to build privacy and security into every product and service they offer.