GDPR violations: France fines Google €50mn over ‘forced consent of data collection' -- 7 EU countries accuse Google over location tracking

[Delicieuxz]

Article 1: France hits Google with record €50mn fine over ‘forced consent’ data collection

Quote

 

The French Data protection agency CNIL released a statement Monday stating that the staggering €50 million ($56.8mn) fine was motivated by complaints about the company’s illegal practices in the collection and use of personal data. At present, there is no reliable information available on how long the company saves user data, nor if they allow it to be used by other sites.

 

Around 10,000 people signed the initial petition to initiate an investigation, which was filed by France’s Quadrature du Net group and None Of Your Business, an NGO which advocates for consumer privacy.

 

The investigation turned up two infractions to the EU’s General Data Protection Regulation (GDPR) which was approved in 2016. They found that the company doesn’t provide easy access to information it collects from users and that the information they do provide is often incomprehensible. This creates a situation where people are not able to manage how their information is being used, especially in relation to targeted ads.

 

Users’ “consent” is currently set as the global default setting, which fails to meet the regulator’s requirement that companies obtain “specific” consent. They also say that the pop-ups currently used by the company to ask for consent on Android software seem to threaten that services will not be available if the users don’t accept the terms.

 

 

"Forced consent" also describes vast amounts of data that Microsoft harvests from people who use Windows 10 Home and Pro, without there being any option to turn that data-harvesting off. I have somewhat wondered how GDPR could be reconciled that behaviour of Microsoft's, but I realize that data privacy protection agencies, just like the public, are still extremely naive and not in tune with what the data-harvesting business is, how it's done, and what its aims are. I hope that we will see that naivety disappear over the course of more investigations. They are presently reacting to the tip of the iceberg as though it's the whole picture.

 

The GDPR violation for which France is fining Google looks to me like it is the same one that people recently found Bethesda to be in violation of, but for which no investigations have been reported:

 

 

It's possible that nobody reported Bethesda, or maybe Bethesda fixed the violation. Or, maybe Bethesda is too small a target with there being larger investigations going on right now.

 

 

Article 2: Seven consumer groups across Europe file complaints against Google for breach of GDPR

Quote

 

Location data can reveal a lot about people, including religious beliefs (going to places of worship), political leanings (going to demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting certain bars). The report shows that Google collects users’ location data notably through the features ‘location history’ and ’web & app activity’, which are integrated into all Google user accounts. The company uses various tricks and practices to ensure users have these features enabled and does not give them straightforward information about what this effectively entails.

 

These unfair practices leave consumers in the dark about the use of their personal data. Additionally they do not give consumers a real choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising.

 

These practices are not compliant with the GDPR, as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users’ consent provided under these circumstances is not freely given. Also, the company cannot invoke a ‘legitimate interest’ to collect and process location data, due to the significant and intrusive impact that this tracking has on the rights and freedoms of the individual.3

 

...

 

“Google’s data hunger is notorious but the scale with which it deceives its users to track and monetise their every move is breathtaking. Google is not respecting fundamental GDPR principles, such as the obligation to use data in a lawful, fair and transparent manner.

 

“Thanks to the GDPR, users should be in control of their personal data. Google’s deceptive practices are in breach of the spirit and the letter of this regulation. We need strong, coherent, enforcement of the rules. We can’t have companies pretending to comply but de facto circumventing the law.

 

 

It looks like GDPR might have some meaningful bite to it after all. It's not yet proven to be enough, though. These accusations against Google again beg the question, 'When will GDPR be applied to Microsoft, which is guilty of the same?'

 

A person should always have the easily-implemented choice to not be tracked by software when the tracking isn't essential to the function of the software requested by the person using the software. And when a person chooses to not be tracked by any software, they should literally not be tracked by the software. Otherwise, the choice to not be tracked is a lie.

 

 

For people in Europe, GDPR violations can be reported by contacting your country's respective Data Protection Authority.

 

What should I do if I think that my personal data protection rights haven’t been respected?

List of EU Data Protection Authorities

[GoodBytes]

Sadly, it is nothing more than pocket lint for Google, and may consider it as a simple fee to continue business.

Something skipped, is the fact that that the investigation pointed to, is how much Google buries its privacy policy and uses heavy vagueness to basically have carte blanche on personal data.

Quote

The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service. Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.

 

Source: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

[mxk]

This will barely dent Google, sadly.

[Delicieuxz]

29 minutes ago, GoodBytes said:

Sadly it is nothing more than pocket lint for Google, and may consider it as a simple fee to continue business.

 

I agree. However, GDPR fines come in tiers and can go up to 4% of a company's annual revenue - which would be a huge smack to Google. Google's Q1 2018 revenue was $31.5 billion, which would mean that a 4% of annual-turnover fine might amount to $5.04 billion USD. Also, I wonder whether a 4% of annual-turnover fine can be issued from each individual GDPR country that the violation occurs in.

 

It could be that Google and other companies are being fined lightly while GDPR is new and for first-time offences, and that fines will ramp up if the violations are not addressed.

 

https://eugdpr.org/the-regulation/

Quote

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.

 

[RejZoR]

50 million is a piss against a hurricane. They'll gladly violate it again if they know this will bring them long term profit 10x times the fine if not more. Hit them with those 4% and they'll never ever even think about dicking around with privacy laws.

[Tech_Dreamer]

oh yeah, this changes everything .

[Taf the Ghost]

1 hour ago, RejZoR said:

50 million is a piss against a hurricane. They'll gladly violate it again if they know this will bring them long term profit 10x times the fine if not more. Hit them with those 4% and they'll never ever even think about dicking around with privacy laws.

Sadly, they'll just hire better lawyers.

[Amazonsucks]

13 hours ago, Taf the Ghost said:

Sadly, they'll just hire better lawyers.

Hopefully Googles stock can do an Apple soon.

[Tenelia]

 

21 hours ago, Delicieuxz said:

It looks like GDPR might have some meaningful bite to it after all. It's not yet proven to be enough, though. These accusations against Google again beg the question, 'When will GDPR be applied to Microsoft, which is guilty of the same?'

 

This isn't an issue purely about ethics though. I remember someone put up a piece of news about intelligence agencies sharing such info amongst themselves, so I doubt a company would actually be charged if it's working closely with national intelligence agencies. The value of what they provide would far outstrip what they need concerning intelligence work versus any political fallout.

[yian88]

GDPR is fucking retarded and im sick of signing 100 consent papers everywhere i go now, like it wasnt bad enough, go to hell EU.

[peanuts104]

Personally, I view this as another way for the government to tax large companies.  That's why they've only really gone after Google and Facebook.  

[Sakkura]

18 hours ago, peanuts104 said:

Personally, I view this as another way for the government to tax large companies.  That's why they've only really gone after Google and Facebook.  

Nah, plenty of GDPR fines have been applied to small companies. You just only hear about the big ones.

[EarthWormJM2]

On 1/22/2019 at 10:28 AM, Delicieuxz said:

They also say that the pop-ups currently used by the company to ask for consent on Android software seem to threaten that services will not be available if the users don’t accept the terms.

... well duh. If the app cannot track you how can it give you services that requires it to track you? "hey I want to see accurate traffic and travel times but I don't want the device to know where I'm at or where I'm going" ..smh.

 

If you don't want it to track you, that's perfectly fine, you just need to know that having it not track you will cause the app to not function properly (which by "threatening" you is laying it out pretty clear what will happen (I mean isn't having more information for the end user what they want?)). Clearly these government officials are about as informed on how technology works as my 85 yr old grandfather...

[LAwLz]

3 hours ago, EarthWormJM2 said:

... well duh. If the app cannot track you how can it give you services that requires it to track you? "hey I want to see accurate traffic and travel times but I don't want the device to know where I'm at or where I'm going" ..smh.

 

If you don't want it to track you, that's perfectly fine, you just need to know that having it not track you will cause the app to not function properly (which by "threatening" you is laying it out pretty clear what will happen (I mean isn't having more information for the end user what they want?)). Clearly these government officials are about as informed on how technology works as my 85 yr old grandfather...

It sounds like you have not researched GDPR that much. What do you think it says exactly?

Because it has specific clauses for things like what you're describing (data collection which is necessary for the core functionality of a program).

 

It is actually pretty well written, and not something written by 85 year old grandads who doesn't understand technology.

[EarthWormJM2]

16 hours ago, LAwLz said:

It sounds like you have not researched GDPR that much. What do you think it says exactly?

Because it has specific clauses for things like what you're describing (data collection which is necessary for the core functionality of a program).

 

It is actually pretty well written, and not something written by 85 year old grandads who doesn't understand technology.

My comment was in response to that specific quote that the OP quoted from the article. Not the entire GDPR, that's why I only quoted that one part. I know some of it is well written, but when comments like the one I quoted come out, It makes me think that whoever said that does not understand how technology works. I still stand by my statement as I am all but certain that there is a good portion of older government officials who enforce the GDPR that don't understand technology fully. Look at the US government with the facebook and google questions, look at Australia with forcing tech companies to give keys to encrypted data. A lot of government officials making laws don't understand all this tech stuff, and I think its safe to say that out of all the officials dealing with the GDPR, not all of them fully understand how technology works.