Google risks mega-fine in EU over location 'stalking'
First big test for GDPR looms
Special Report Privacy campaigners say Google's obsessive collection of location markers violates Europe's privacy laws - potentially exposing the Californian giant to punitive fines.
Several privacy watchers agree that as it stands, users are misled, and can't give informed consent. That exposes the company to financial penalty under GDPR rules: which could be 2 per cent or 4 per cent of turnover.
"Burying its stalking settings, while distracting users with a deliberately crippled 'Location history' button, isn't just deceitful - it's unlawful," campaigner Phil Booth opined. "Without proper consent or legitimate purpose, Google is breaching the GDPR rights of every EU citizen it has been tracking.
"Under GDPR, such location data - associated with a Google account - is clearly personal data, breach of which could expose Google to a giant fine. The question is, will regulators act on this globalised prowling?"
Even before GDPR, the EU's privacy "wise men" - the Article 29 Working Group, now the European Data Protection Board - regarded location data as particularly sensitive.
AP's investigation this week described how Google continues to collect an individual's location markers, even when users believe they've disabled the data collection. That's not news to Register readers, as we have regularly pointed this out - but it has shocked the rest of the media and the public. Google has a strong historic interest in location data, being dubbed an "obsessive stalker".
AP found that:
- Location tracking continues when the user thinks they have disabled it. That's because:
- User settings governing location markers are in different places
- Location tracking can be "Paused", but not permanently disabled
- Location tracking continues in Maps, Search and other Google applications regardless of the "Location History" setting.
- Warnings provided to both iOS and Android users are misleading
While other companies collect location data, and Apple certainly does, it only uses it for internal purposes, and that doesn't entail "sharing" - whereas Google is creating a highly personal virtual profile of you accessible to advertisers. And that is where Google is vulnerable under the GDPR, Serena Tierney, a partner at VWV law firm and a data protection and privacy specialist, told us.
Google and the spirit of the GDPR
For Tierney, Google is actually vulnerable on two areas, based on the user information AP cited.
Firstly, the GDPR requires data collection to be for "specified, explicit and legitimate purposes".
"If Google is operating as AP describes, that isn't specified and explicit," Tierney said.
Secondly, there's what the GDPR calls the "data minimisation principle": that the personal data collected must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
Serena Tierney
The legitimate purpose of the data collection must be clear. Is it only used for Google's own internal machine learning algorithms, say, or is it part of a personal profile sold to advertisers, Tierney asked.
"It's part of a wider public debate. Is this part of the social contract between society generally (including me) and search engines (including Google) that in return for getting free search, for example, we expect our personal data to be used for personal advertising, with no way for us to opt out?"
For example, she said, a parking app that obtains location data for the purposes of corroborating which car park you're using shouldn't then share that data with the nearest chip shop.
"Google would argue that they're getting our consent to do so - I would say they're not."
The first test
Rafe Laguna, of open source infrastructure provider Open-Xchange thinks that location markers could provide the first litmus test for the effectiveness of the new privacy rules.
“The Google location scandal could be the first real test of GDPR," he told us. "The regulation states that user consent must be clear, distinguishable and written in plain language."
Laguna added: "We will likely see European Data Protection Authorities take a stance on this issue over the coming months."
Google and Facebook vie to provide advertisers with ever more detailed profiles. Google boasted about the value of your location to advertisers earlier this year.
Google was defiant in a canned statement sent to The Register this week that "Location History" is "entirely opt in", adding that: "We make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions."
As we noted here earlier this year, the extent of Google's mobile data collection is only apparent if you configure a new Android device with a fresh "burner" Google account. Then it's apparent how inadequate the user controls are. Location isn't the only thing that's "Paused". Google even continues to record your browsing history when you put the browser into "Incognito Mode".
We contacted the office of Giovanni Buttarelli, the European Data Protection Supervisor, for a statement, but had not received a response at press time. ®