Is Google Violating GDPR by Tracking EU Users?

by Chris Brook on Wednesday December 5, 2018


Consumer groups in Europe argue Google doesn't have a valid legal basis for processing users’ location data and is processing personal information in a way that violates the EU's General Data Protection Regulation.

Google is in hot water with a handful of consumer advocacy groups in European countries over charges the company is improperly collecting location tracking data.

The European Consumer Organisation (BEUC), a European consumer interest group, levied a complaint against the search engine giant last week that Google’s "deceptive practices" are a violation of the General Data Protection Regulation (GDPR) rules.

Consumer groups in seven countries, Norway, Greece, the Netherlands, Norway, Poland, Slovenia, and Sweden, filed complaints via the BEUC on November 27.

Datatilsynet, the national data protection authority for Norway, included a thorough 16-page walkthrough of how Google processes location data in its complaint, stressing that there's a lack of valid consent and a lack of a valid legal basis around how it’s done.

For their argument, the groups are relying on the fact that GDPR defines consent as “any freely given, specific, informed and unambiguous indication” by a “statement” or by “clear affirmative action” from the data subject.

In the eyes of the complainants, Google is biased towards the benefits of leaving Location History (a Google Account–level setting that saves where users go with their devices) on, something that consumer groups say is spurring users to give their consent to turn it on and leave it on: “we consider that the consent obtained for the purposes of Location History is not ‘specific’, nor ‘informed’, contrary to what is required by the GDPR.”

When a new user signs up for a Google account, the company has a special section users have to click through to learn about how Google will process their data. The European consumer organizations claim that section fails to meet GDPR standards.

"The relevant information regarding what Location History actually entails is hidden behind extra clicks and submenus, and the information about what the data is used for is ambiguous and unclear," Norway's Data Protection Authority complaint reads.

The complaint recalls recent lawsuits filed against Google in the U.S.

One suit, filed over the summer, argued the company violated federal law outlined by the Federal Trade Commission, in addition to the California Invasion of Privacy Act, by tracking users even after they had turned off the Location History setting.

That suit was triggered after an investigation by the Associated Press, corroborated by computer science researchers at Princeton, found that Google was storing location data, even if a device was explicitly told not to.

Google was forced to fix a description of Location History on its site following the report, amending the words “With Location History off, the places you go are no longer stored,” to “This setting does not affect other location services on your device” and “some location data may be saved as part of your activity on other services, like Search and Maps.”

The complaints last week were prompted after Forbrukerrådet, the Consumer Council of Norway, released a report, “Every step you take,” that looked at how pervasive Google's tracking is.

“In our opinion, the scale in which Google tracks the location of its users breaches the GDPR. Users have not given free, specific, informed and unambiguous consent to the collection and use of location data, particularly considering the scale of tracking going on,” Gro Mette Moen, a senior adviser with Forbrukerrådet, said last week.

Tags: Data Privacy, GDPR


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.