Google location scandal the first big test of GDPR
14 August 2018
Right now I’m imagining EU tech czar Margrethe Vestager is sitting in her office composing two letters to an imaginary successor to be read in sequence. The first letter, designed to deflect blame and responsibility in the event of a crisis, reads simply: “Blame everything on me”. In the event of another crisis, the second, shorter, piece of advice reads thus: “Write two letters”.
It’s an old joke and has had a revolving cast through the years, from Joseph Stalin and Nikita Khrushchev to sports coaches and even the cast of animated series Futurama. Blaming one’s predecessor is a sound political tactic that has worked well for Irish politics since the crash of the late noughties. The power of being able to draw a timeline, mark the mid-point and put ‘your fault’ to the left and ‘my fault’ to the right is a perfect unity of set-up and pay-off just waiting for a context and a problem to drop it into.
Today that context is the General Data Protection Regulation (GDPR) and the problem is Google.
According to a report by the Associated Press, backed up by researchers from Princeton University, the search giant has contrived a system of enabled-by-default features that continue to gather location data on users, even if they have specified in their device settings that it should not do so.
The problem breaks down as follows: Google can track location data through many vectors, either in real time through Google Maps or intermittently in the case of searches, where only a snapshot of where the user is becomes relevant for delivering localised content and advertising. However, common sense would say this kind of material should be 1) disabled by default, 2) made easy to switch off and 3) not stored, in line with the principles of GDPR.
Google will argue that everything is in the fine print and every method of gathering information can be paused or turned off completely. The reality is that such granular control, down to the level of individual apps, favours the developer more than the consumer and, in any case, such features should only be enabled with the consent of the user. Ticking ‘location services off’ should mean just that, not the triggering of app-specific levels of disclosure and storage.
A few weeks ago I interviewed Europe-v-Facebook founder and privacy activist Max Schrems, who said that tech companies will likely do the maths on problematic features when it comes to GDPR sanctions, to see which are profitable enough that they can afford to pay ongoing fines to keep them running, or at least eat a one-time cost as an experiment in testing the EU’s mettle. Here is a perfect example of a tech company doing something in plain(ish) sight that contravenes the principles of GDPR and puts it at risk of a fine of €20 million.
A good example of this dates back to 2010, when it was found that cars used to create Google Street View maps were tapping unsecured domestic Wi-Fi networks, resulting in the collection of user names, passwords, e-mails and photos of German citizens. For what was at the time considered one of the biggest breaches of personal data ever, the company was fined €150,000. Google apologised and attributed the error to an individual engineer.
This is not 2010. This is the era of Big Data, ad targeting, government surveillance, facial recognition technology, the right to be forgotten and the right to see/delete any information you may have created that benefits a company. Europe is the only market where Google is likely to be punished for this transgression that affects every iOS and Android-based device on the planet. Anything less than the full force of regulation will be seen as a sign of weakness that will embolden Facebook/Amazon/Google/Twitter etc to continue with their lax attitude to data protection, knowing that meagre fines and a promise ‘to do better’ will suffice.
Here’s hoping Ms Vestager won’t need those letters, yet.