Google’s lead data regulator in Europe has finally opened a proper investigation into the tech giant’s processing of location data — more than a year after receiving a series of complaints from consumer rights groups across Europe.
The Irish Data Protection Commission (DPC) announced the probe today, writing in a statement that: “The issues raised within the concerns relate to the legality of Google’s processing of location data and therefore the transparency surrounding that processing.”
“As such the DPC has commenced an own-volition Statutory Inquiry, with reference to Google Ireland Limited, pursuant to Section 110 of the info Protection 2018 and in accordance with the co-operation mechanism outlined under Article 60 of the GDPR. The Inquiry will begin to determine whether Google features a valid legal basis for processing the situation data of its users and whether it meets its obligations as a knowledge controller with reference to transparency,” its notice added.
We’ve reached out to Google for comment.
BEUC, an umbrella group for European consumer rights groups, said the complaints about ‘deceptive’ location tracking were filed back in November 2018 — several months after the General Data Protection Regulation (GDPR) came into force, in May 2018.
It said the rights groups are concerned about how Google gathers information about the places people visit which it says could grant private companies (including Google) the “power to draw conclusions about our personality, religion or sexual orientation, which may be deeply personal traits”.
The complaints argue that consent to “share” users’ location data isn't valid under EU law because it's not freely given — an express stipulation of consent as a legal basis for processing personal data under the GDPR — arguing that consumers are instead being tricked into accepting “privacy-intrusive settings”.
It’s not clear why it’s taken the DPC so long to process the complaints and determine it needs to formally investigate. (We’ve asked for comment and will update with any response.)
BEUC certainly sounds unimpressed — saying it’s glad the regulator “eventually” took the step to look into Google’s “massive location data collection”.
“European consumers are victims of those practices for much too long,” its handout adds. “BEUC expects the DPC to research Google’s practices at the time of our complaints, and not just from today. It's also important that the procedural rights of consumers who complained many months ago, which of our members representing them, are respected.”
Commenting further in a statement, Monique Goyens, BEUC’s director general, also said: “Consumers shouldn't be under commercial surveillance. They have authorities to defend them and to sanction those that break the law. Considering the size of the matter, which affects many European consumers, this investigation should be a priority for the Irish data protection authority. As quite 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it might be unacceptable for consumers who trust authorities if there have been further delays. The credibility of the enforcement of the GDPR is at stake here.”
The Irish DPC has also been facing growing criticism over the length of time it’s taking to reach decisions on extant GDPR investigations.
A total of zero decisions on big tech cases have been issued by the regulator — some 20 months after GDPR came into force in May 2018.
As lead European regulator for multiple tech giants — as a consequence of a GDPR mechanism which funnels cross-border complaints via a lead regulator, combined with the fact that numerous tech firms choose to site their regional HQ in Ireland (with the added carrot of attractive business rates) — the DPC does have a serious backlog of complex cross-border cases.
However, there is growing political and public pressure for enforcement action to demonstrate that the GDPR is functioning as intended.
Even as further questions are raised about how Ireland’s system is going to be able to manage so many cases.
Google has felt the sting of GDPR enforcement elsewhere within the region; just over a year ago the French data watchdog, the CNIL, fined the company $57 million — for transparency and consent failures related to the onboarding process for its Android mobile OS.
But immediately following that decision Google switched the legal location of its international business to Ireland — meaning any GDPR complaints are now funnelled through the DPC.