Google faces another GDPR probe – this time in the land of meatballs and flat-pack furniture
Gimme, gimme, gimme your data after midnight... Swedish watchdogs cry, Mamma Mia! over location slurping
Google's slurping of people's location data and web browsing histories is being probed by Swedish privacy watchdog.
The Swedish Data Protection Authority (Datainspektionen) announced the investigation earlier this week, just as the search engine giant was handed a €50m penalty from the French data watchdog.
The probe is the result of a complaint submitted in November by the Swedish Consumer Association (Sveriges Konsumenter) that is based on a report from the Norwegian Consumer Council (Forbrukerrådet) about Google's use of dark patterns – which are user interface design choices that attempt to trick users into doing things they may not want to do.
That report criticised the "overwhelming amount of granular choices" on Google's privacy dashboard, and the pop-ups trying to dissuade users from turning off (or, as Google says, "pausing") location data.
Google is already facing lawsuits in the US over admissions that when users "paused" location history, it still gathered up that information – unless they had also turned off "web and app activity".
The complaint to the Swedish authority said Google used "deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements", the Datainspektionen said.
"In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR."
Google responds to location-stalking outcry by… tweaking words on its BS support pageREAD MORE
In order to assess this, the Datainspektionen fired off a series of questions to the search giant, and asked it to provide information and documentation by 1 February.
The questions include: the purpose and legal basis Google is relying on to process location data; when and what information data subjects were given on the processing; and whether any of the data processed is special category data, which is granted greater protections under GDPR.
The authority also asked whether the "design patterns" it is alleged to have used for obtaining the legal basis for location data processing is accurate for Swedish data subjects.
Google must also outline how many Swedish data subjects it obtained location data on between 25 May and 27 November 2018, and how many data points are gathered, on average, on an individual, broken down on an hour-by-hour basis for a 24-hour period.
Perhaps foreseeing the mess of data it could end up being served, the authority notes that this must be "presented in a structured and clear manner".
Other documentation Google is told to hand over include privacy policies that were in place at the time, records of data processing activities for location data collected on Swedes and relevant data impact assessments.
We've asked Google for comment. ®
Sponsored: Becoming a Pragmatic Security Leader