Euro consumer groups: We think Android tracking is illegal
Pops open can of GDPR beef: Thanks to 'dark patterns' and 'nudging', no doesn't mean no
Seven European consumer organisations have filed a blockbuster complaint arguing that Google's location tracking in Android lacks a valid legal basis in the European Union.
At the heart of the complaint is that the user control of location tracking falls far short of what's required by the union's General Data Protection Regulation (GDPR) – the consent controls are both deceptive and ineffective.
"There is no real option to turn off Location History once it has been enabled; users can only pause it after the Google account has been created," stated the complaint (PDF) led by the Norwegian Consumer Council. "Users who attempt to 'pause' location history receive vague warnings that this will limit some functionalities."
GDPR requires that informed consent must be given without coercion or deception, and that no means no. However, according to the complaint, the design of the application leaves users with little choice but to turn everything on using behavioural deception: "design patterns and biased notices, de facto forcing [the user] to give such consent in the end."
Earlier this year the Norwegian Consumer Council published a report on such techniques, called Deceived By Design (PDF).
It examined the notices given by Microsoft, Facebook and Google for "nudges", steering the user to a particular goal, and the data they provided to steer them. This laid the groundwork for today's complaint.
Web and app activity can only be "paused" too, and it's also accompanied by a scary warning that functionality will be inhibited if the user exercises their right to turn off tracking.
The complaint has been made by consumer organisations in Norway, Poland, the Netherlands, Czech Republic, Greece, Slovenia and Sweden.
As the consumer groups explained, the legal basis for data collection has to be clear, and it argued that Google is anything but.
"It is unclear which legal basis Google invokes for personalised advertising (behavioural targeting). Information about which legal basis is used for which purposes, as required by Articles 13 and 14 of the GDPR, is in our opinion not sufficiently specific and clear. This information is not given to the data subject during the Google account setting process neither [sic]."
For example, the complaint has also taken issue with the clarity of the enrolment process. The example of saving the user's Maps history is offered, but then Google has also said it's for personalising advertising.
"At least some of the examples listed by Google should constitute separate individual purposes in themselves. Nevertheless, the user has no freedom but to consent to all of them if she wishes to switch on the feature. For example, if she effectively wants Google to save a map of where she's been, she must also accept the use of her location data for other purposes, including advertising."
Another example is when the user wants to group photos by location. They "can only receive this feature by opting in to full scale location tracking of all their movements by Google and allowing the use of their location data for advertising purposes. The user is presented with a bundled 'take it or leave it' option where there is no real choice. The scenario is similar if the user wants to use Google Assistant."
Google now mingles everything you've bought with everywhere you've beenREAD MORE
The complaint also tickles the fuse of a long-ticking time bomb buried in GDPR that has not yet detonated.
The complaint added that, according to Recital 43 of the GDPR, consent is not presumed to be valid if there is an asymmetric power relationship between the data subject and controller. The same recital stated that "consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations".
The consumer groups have argued that with Google's dominance of smartphones (>85 per cent market share) there is a "clear imbalance between the data subject and the controller". This echoes similar arguments about Facebook, positing that the entire business model lacks a valid legal basis for data collection.
Google is likely to fight this hard, as it threatens the breakup of a $100bn+ business, but the complaint has been adopted by the formal representative of consumer organisations in the EU, BEUC, so it will need to take it seriously.
At the very least, Google may find a serious makeover of the permission screens through Android is required.
"We're constantly working to improve our controls, and we'll be reading this report closely to see if there are things we can take on board," Google told Reuters. ®
Ironically, nudging and "dark patterns" of design were once enthusiastically endorsed by governments, legitimising the techniques of manipulation. The establishment of a "Behavioural Science Unit" at No.10 in 2010 was imitated by Obama's administration after his 2012 re-election success was attributed to "nudge". So who can blame Google? Like a kind government, it only wants what's best for us.
Sponsored: Becoming a Pragmatic Security Leader