Google is sharing users' personal data between its services without acquiring specific consent to do so, thus flagrantly breaching fundamental principles of European data protection law, one of its smaller rivals has claimed.
In a new complaint submitted to the Irish data regulator, which oversees Google's European business, Johnny Ryan, chief policy officer of the niche web browser Brave, accused the US tech company of operating an "internal data-free-for-all".
The complaint alleges that Google is taking users' consent for certain uses of their personal data – for instance location tracking or YouTube history – and applying it to a range of other services that are completely invisible to them, a practice that is illegal under the General Data Protection Regulation.
In one example cited, Google’s privacy policy states that “Location History saves where you go with your devices. This data is saved even when you aren’t using a specific Google service, such as Google Maps or Search . . . This data may be saved and used in any Google service where you are signed in [and] . . . helps Google give you more personalised experiences . . . both on and off Google.”
The notice appears to seek the user’s consent to process their location data, according to the complaint, but also indicates that such data may be used for various unknown purposes that could have nothing to do with location. It also suggests “extensive or minor data sharing with an unknowable number of Google’s business partners”, the complaint claims.
The submission to the regulator also includes a document titled “Inside the Black Box”, which itemises evidence of Google’s “hundreds of publicly available processing purposes”, according to Mr Ryan, which range from advertising to analytics.
“These repeated allegations from a commercial competitor don’t stand up to serious scrutiny,” said a Google spokesperson. “Twenty million users visit their Google accounts each day to make choices about how Google processes their data. Our privacy policy and the explanations we provide users are clear about how data is stored and the choices users have.”
Mr Ryan gathered the details from at least 100 different public documents issued by Google itself, including individual user disclosures, guidelines for developers, customers and partners, and evidence submitted to lawmakers in the US Congress.
“We believe it is the first time that such an examination of Google processing purposes has been undertaken in this way. The results show that Google has no legal basis for many of the things it does with users’ data. They also show that Google infringes the GDPR on multiple fronts,” Mr Ryan said.
Data privacy lawyer Ravi Naik of AWO Legal, who filed the complaint on Mr Ryan's behalf, points to one of the most egregious examples in Google's privacy policy, in which it says that data collected in existing services will "help us develop new ones".
“The consequences of that are, how can I exercise my right to object or to erasure? I do not know what data is going in to develop new services, and I cannot object to my data being used when I have no idea what they are building,” he said.
The Irish regulator already has at least two open investigations into Google’s data collection practices, specifically looking at location data and advertisement targeting. GDPR allows regulators to impose fines of up to 4 per cent of a company’s global turnover for the most serious breaches.
"A lack of transparency and clarity around what individuals are told is an issue that Google has had previously. [French regulator] CNIL has enforced against Google in this area previously, so there will be heightened sensitivity amongst regulators," said Richard Cumbley, a senior partner and data privacy expert at law firm Linklaters who is not involved with the case.
“The potential consequences are significant . . . I can easily see a situation where the hidden processing is something that Google is directly liable to compensate individuals for, on top of a [GDPR] fine.”
According to Mr Naik and Mr Ryan, Google’s treatment of data is also an antitrust violation, and the complaint has been marked to European antitrust authorities including the European Commission’s Margrethe Vestager, and British, German, French and Irish competition regulators.
“Google’s “privacy policy tying” allows it to cross-use the mass of data which it has acquired . . . between diverse markets,” their letter said. – Copyright The Financial Times Limited 2020