Google Faces European Consumer Group Complaints Alleging GDPR Violations for Improper Collection of Location Tracking Data

On Tuesday, November 27th, consumer groups filed complaints with the data protection authorities in seven European countries, accusing Google of improperly collecting location tracking data in violation of the new General Data Protection Regulation (“GDPR”). The complaints, filed in the Czech Republic, Greece, Netherlands, Norway, Poland, Slovenia, and Sweden, cite to a study by the Norwegian Consumer Council, which reviews the various methods used to track consumers’ location when they use Google services on their smart phones.

Consumer groups claim that Google has been using a variety of techniques to “push or trick” users into allowing themselves to be tracked when they use Google services. These techniques include “withholding or hiding information, deceptive design practices, and bundling of services.” Complainants specifically allege that tracking is accomplished through the “Location History” and “Web & App Activity” features built into Google accounts, and these issues are particularly pronounced on mobile devices that use the Android platform.

The complainants go on to allege that Google does not have a valid legal basis for processing users’ location data and is processing personal information in violation of GDPR. Assuming Google will attempt to rely on consumer consent, complainants argue consent from Google users is inadequate because users are not given sufficient information to make informed choices, default settings are hidden, and users are repeatedly nudged to turn on features that track location.

In response to a request for comment, a Google spokesperson said: “Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute.

“If you pause it, we make clear that—depending on your individual phone and app settings—we might still collect and use location data to improve your Google experience.”

These recent complaints are significant for several reasons. First, GDPR only recently took effect on May 25, 2018. Enforcement to date has been limited and there is little legal precedent that can be relied on to ascertain a potential outcome for these complaints. It is difficult to predict how the data protection authorities in these seven countries will respond.

Second, penalties for violations of GDPR are prohibitive. Current regulations provide for fines of up to 4% of global annual revenue, so Google, and its parent company Alphabet, could face fines in the billions of dollars.

Third, Google is facing lawsuits in United States federal court over the same location tracking data. The plaintiffs in those suits allege Google continued to track users’ locations through their phone, even after location tracking features were disabled. Google has filed a motion to dismiss, which will be heard in January 2019. It is unclear what impact, if any, these new complaints in the European Union will have on ongoing US litigation, and vice versa.

What’s ‘Hot’ in GDPR this Week

Here’s a quick Friday afternoon post on five noteworthy developments the first week after GDPR go-live:

  • Surprising no one, Google figured out a way to monetize the GDPR through compliant ads https://tinyurl.com/y9xzxrhs
  • And just as unsurprisingly, Max Schrems figured out a way to monetize Google (and others) by suing for billions under the GDPR https://tinyurl.com/yazdrbg4
  • Japan took one step closer to getting an adequacy decision, we all knew this would progress post-GDPR what’s surprising is how fast (keep an eye on the PPC rulemaking) https://tinyurl.com/JapanEUadequacy.
  • Both the US Department of Commerce and the US Chamber of Commerce are picking fights with the European Commission over GDPR’s extra-territoriality and un-intended consequences, among other things https://tinyurl.com/yb7kw8xl and https://tinyurl.com/y8vxqeg4
  • But one US Senator apparently thinks Commerce and the Chamber are getting it wrong and introduced a resolution to prove it https://tinyurl.com/y9xawr9c

GDPR Go-Live: The End of the Beginning

Today is May 25th. Unless you’ve been living in a cave without a hotspot for the last year, you know that means today is the go-live date for Europe’s new General Data Protection Regulation or “GDPR.” With its controversial extraterritorial reach, the GDPR has been causing much commotion around the world and along with that commotion, a whole lot of breathless hyperbole in the popular and professional trade media.

We haven’t done much writing on any of it in this space because, well, we’ve been busy doing GDPR preparedness work for our clients. And lots of it! (Article 28 anyone?) But the occasion of the go-live date has given us a brief respite, so here’s a quick run down on what’s going to happen now that the law is finally in effect, and what to do if you’ve, well, done nothing so far.

What’s going to happen on May 26th?

We can say for certain that the sun is going to rise, the earth is going to rotate on its axis and life will go on. There’s been so much myth and hype about the GDPR it seems worth pointing all that out. More importantly, it’s also worth pointing out you’re not going to wake up tomorrow morning with the equivalent of a subpoena from an EU member-state data protection regulator in your mailbox. To date, more than half the EU member states had not adopted the GDPR into law (which doesn’t affect its validity, but does raise questions about enforcement), and in a recent survey of most of the relevant regulators, about two-thirds said they won’t be ready to start enforcement activities any time soon. Among those regulators who do feel ready, most have stated publicly that there will be few fines in 2018 unless something is very wrong.

So come dawn tomorrow, things will feel an awfully lot like any other Saturday. If your company’s been doing its GDPR homework for the last years/months that will be especially true. If not, then keep reading….

We haven’t done anything to prepare. Now what?

You have some work to do and soon. That said, we’re calling for clients newly discovering GDPR to act with thoughtful urgency, not panic.

The first thing you’ll need to do is determine whether you’re subject to the GDPR. There are two ways than can happen: direct and indirect. If it meets the requirements for being a data “controller” or “joint controller” that is “established” in the EU, your company is directly covered. If it does not meet those requirements, but does meet the requirements of a data “processor,” your company will be indirectly covered.

How Do We Know If We’re A “Controller” Who’s “Established” In the EU?

The language of the GDPR can make this a difficult question to answer, particularly with regard to the “established” element. There are, however, a few obvious tests. For instance, if you answer “yes” to any of the following questions you are likely directly covered:

  • do you have a physical presence in the EU?
  • do you have employees or paid contractors in the EU?
  • do you sell products that are designed to meet EU market requirements (220 volt products are a simple example)
  • are any of your sales and marketing activities purposefully directed at the EU market? Some examples of being purposefully directed include if you:
    • have distributors/resellers in the EU
    • accept Euros or member state currency
    • translated your website, brochures, product manuals or other collateral or documentation into member state languages
  • do you monitor the behavior of customers based in the EU?
    Some examples of what it means to “monitor behavior” include:

    • use of technologies to track EU website users
    • using predictive analytics to anticipate buying patterns
    • operating affinity or loyalty programs in the EU

It Looks Like We Are a Controller Established in the EU. Are we in Trouble?

Based on what the regulators are saying about enforcement, as long as well-planned steps are taken to immediately start a compliance program, your company will probably be ok in the very near-term. Below is a brief, simplified list of what you’ll need to accomplish for GDPR compliance:

  • identify and assess risks by personal data types
  • identify who you share personal data with and where it’s stored
  • determine which of the six GDPR-permitted reasons you are relying on to possess personal data
  • update public privacy policies and internal adverse event policies and procedures, especially regarding response and notification
  • be able to respond to requests from people whose personal data you hold (such as providing copies or erasing their data)
  • review/amend your vendor agreements and remediate any gaps between existing terms and those GDPR requires

We are not Directly Covered. How do we Determine if we are Indirectly Covered?

This analysis is a bit easier than the direct coverage analysis, but there are still many variations and nuances. The easiest way to determine whether your company is indirectly covered is if you collect (via the phone, internet etc.) personal data (which, be forewarned, is very broadly defined under the GDPR) from your customers’ employees, clients, etc. You will also be indirectly covered as a processor if all of the following are true:

  • your customers collect, for themselves or for their own upstream customers, personal data from employees, consumers or others in the EU,

then

  • send all or part of that personal data (again, broadly defined) to your company no matter where it’s located including in the United States,

and

  • you “process” it on behalf of that customer, noting that “processing” is also very broadly defined to include recording, organizing, structuring, storing, transmitting, adapting and the like.

We Are Indirectly Covered, What Do We Need To Do?

As with companies who newly discover they are directly covered, if you’re indirectly covered it’s time for thoughtful urgency, but not panic. As an indirectly covered entity, your company’s GDPR obligations will come in the form of so-called “flow-downs” from the obligations that directly covered entities have with respect to their vendors, agents, and sometimes even their affiliates, known under GDPR as “processors.”

Directly covered entities do have a small degree of latitude in determining which obligations to flow-down and how to do so, based on the nature and types of work you do for them. At a minimum, however, a directly covered entity will require you to enter into a written contract, or if you already have one, add an addendum, under which the directly covered entity “instructs” you in what elements of their personal data you can process and the scope of your authorization to so.

You also should expect directly covered entities to impose most of the following obligations on you (at least some of which you may be able to satisfy if you are ISO 27001 certified or receive unqualified SOC 2, Type 2 reports):

  • restrict you from subcontracting without their consent
  • require you to obtain confidentiality commitments from employees who are directly involved with the “processing” for that covered entity
  • implement data security safeguards to protect their personal data (which may include encryption)
  • assist them in meeting their own GDPR obligations to provide data subjects with access to their data and the right to have it deleted

Some processors choose to be proactive and send their own form of Data Protection Agreement or GDPR policy statement to their customers. This can be a viable strategy, but should be assessed on a case-by-case basis.