Google's lead data regulator in Europe has finally opened a formal investigation into the tech giant's processing of location data, more than a year after receiving a series of complaints from consumer rights groups across Europe.
The Irish Data Protection Commission (DPC) announced the probe today, writing in a statement: "The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing."
"As such, the DPC has commenced an own-volition Statutory Inquiry, with respect to Google Ireland Limited, pursuant to Section 110 of the Data Protection 2018 and in accordance with the co-operation mechanism outlined under Article 60 of the GDPR. The Inquiry will set out to establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency," its notice added.
We've reached out to Google for comment. Update: The company has now sent this statement, attributed to a spokesperson: “People should be able to understand and control how companies like Google use location data to provide services to them. We will cooperate fully with the office of the Data Protection Commission in its inquiry, and continue to work closely with regulators and consumer associations across Europe. In the last year, we have made a number of product changes to improve the level of user transparency and control over location data.”
BEUC, an umbrella group for European consumer rights groups, said the complaints about "deceptive" location tracking were filed back in November 2018—several months after the General Data Protection Regulation (GDPR) came into force in May 2018.
It said the rights groups are concerned about how Google gathers information about the places people visit which it says could grant private companies (including Google) the "power to draw conclusions about our personality, religion or sexual orientation, which can be deeply personal traits."
The complaints argue that consent to "share" users' location data is not valid under EU law because it is not freely given -- an express stipulation of consent as a legal basis for processing personal data under the GDPR -- arguing that consumers are rather being tricked into accepting "privacy-intrusive settings".
It's not clear why it's taken the DPC so long to process the complaints and determine it needs to formally investigate. (We've asked for comment and will update with any response.)
BEUC certainly sounds unimpressed, saying it's glad the regulator "eventually" took the step to look into Google's "massive location data collection".
"European consumers have been victim of these practices for far too long," its press release adds. "BEUC expects the DPC to investigate Google’s practices at the time of our complaints, and not just from today. It is also important that the procedural rights of consumers who complained many months ago, and that of our members representing them, are respected."
Commenting further in a statement, Monique Goyens, BEUC's director general, also said: "Consumers should not be under commercial surveillance. They need authorities to defend them and to sanction those who break the law. Considering the scale of the problem, which affects millions of European consumers, this investigation should be a priority for the Irish data protection authority. As more than 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it would be unacceptable for consumers who trust authorities if there were further delays. The credibility of the enforcement of the GDPR is at stake here."
The Irish DPC has also been facing growing criticism over the length of time it's taking to reach decisions on extant GDPR investigations. A total of zero decisions on big tech cases have been issued by the regulator some 20 months after GDPR came into force in May 2018.
As the lead European regulator for multiple tech giants -- as a consequence of a GDPR mechanism which funnels cross-border complaints via a lead regulator, combined with the fact so many tech firms choose to site their regional HQ in Ireland (with the added carrot of attractive business rates) -- the DPC does have a major backlog of complex cross-border cases.
However, there is growing political and public pressure for enforcement action to demonstrate that the GDPR is functioning as intended.
Even as further questions have been raised about how Ireland's legal system will be able to manage so many cases.
Simplest way to show that Ireland will be unable to enforce #GDPR: They don't even have enough judges for appeals of 4k* cases/year..🤨
🇮🇪 Ireland (4,9 M) has 176 judges (1 per 28k)
🇦🇹 Austria (8,5 Mio) has 1700 judges (1 per 5k)
🇩🇪 Germany (83 Mio) has 21339 judges (1 per 3,8k) pic.twitter.com/h9oj5VjOsu
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) February 2, 2020
Google has felt the sting of GDPR enforcement elsewhere in the region; just over a year ago the French data watchdog, the CNIL, fined the company $57 million for transparency and consent failures attached to the onboarding process for its Android mobile operating system.
But immediately following that decision Google switched the legal location of its international business to Ireland, meaning any GDPR complaints are now funnelled through the DPC.